List:       openbsd-pf
Subject:    Re: viewing just authpf rules or authpf states?
From:       Daniel Hartmeier <daniel () benzedrine ! cx>
Date:       2002-12-28 23:24:07
On Sat, Dec 28, 2002 at 03:31:56PM -0500, Michael Lucas wrote:

> Is there any way for the firewall administrator to see just the states
> that authpf has created, or just the rules that authpf has created?

The first one is a little tricky, as there's only a single state table
where all states go, no matter how they are created (through rules added
by authpf or not). But if you run 'pfctl -vss', you get a list of all
states, and the third line of each contains the number of the rule that
created the state, which would be the 'anchor authpf' rule in the main
ruleset for states related to authpf, assuming the last matching rule
with 'keep state' was actually inside that anchor. Note that these rule
numbers in the state entries are cleared when you reload the main rule
set.

> If I run "pfctl -s authpf", I get complete information on the anchor
> and the states, but nothing on rules.

'-s authpf' is the same as '-sa' (only the first letter matters), which
means 'show all information', and doesn't show any anchor related
information at all.

You can run 'pfctl -sA' (uppercase A) to list all anchors, then use
'pfctl -a name -sA' to list all rulesets within the specified anchor.
As authpf uses the pid of the process as ruleset name, 'pfctl -a authpf
-sA' would list all pids of authpf processes.

Then, with 'pfctl -a authpf:12345 -sr' you can view the rules inside
that ruleset (the rules loaded by that authpf process for the user). All
commands like -vsr, -vvsr, -sn, etc. work in combination with -a
name:name, and then apply to the specified ruleset (instead of the main
ruleset).

> if I run "pfctl -a authpf -s authpf," I get the full info dump again,
> but nothing on rules: I do get a few "pfctl: DIOCGETRULES: Invalid
> argument" errors scattered through the output.  Is this another bug?

If you're not running a most recent -current pfctl, that was a bug fixed
very recently. If it still occurs with an updated pfctl, please let me
know.

> It would be nice to say "Give me a list of all the IPs authenticated
> to the firewall, and the rules created for them."

Does the above help achieve this? authpf could also define another
meta-macro (like $user_ip) called $user_name, which you could then use
in rule labels, so you can later associate rules with user names...

> Any suggestions?  Or should I just wade through "pfctl -a authpf -s
> authpf"?

No, it should be easy. If the current features -a -sA -sr don't show the
information, we'll have to think about something. It would have to work
for all kinds of anchors, though, not just authpf. If it's authpf
specific queries, maybe authpf itself could use a switch to display it.

Daniel
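The pfctl commands Daniel describes, wrapped into a small report script as an added example (not part of the original post or of pfctl/authpf). It assumes two output formats the post does not spell out: that 'pfctl -a authpf -sA' prints one authpf pid per line, and that each 'pfctl -vss' state entry is three lines whose third line ends with "rule N"; the function names are my own.

```shell
#!/bin/sh
# Added example: filters over pfctl output, so a firewall admin can list the
# rules loaded by each authpf process and pick out the states created through
# the 'anchor authpf' rule in the main ruleset.
#
# Assumptions (not confirmed by the post):
#   - 'pfctl -a authpf -sA' prints one pid (ruleset name) per line, maybe indented
#   - a 'pfctl -vss' state entry is three lines; the third ends with "rule N"

# authpf_pids: print the pids listed under the authpf anchor.
#   usage: pfctl -a authpf -sA | authpf_pids
authpf_pids() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# states_for_rule RULE: print only the state entries created by rule RULE
# (for authpf, the number of the 'anchor authpf' rule in the main ruleset).
#   usage: pfctl -vss | states_for_rule 7
states_for_rule() {
    awk -v want="$1" '
        # emit the buffered entry if its third line carries the wanted rule
        function flush() {
            if (entry != "") {
                n = split(entry, l, "\n")
                if (n >= 3 && l[3] ~ ("rule " want "$")) print entry
            }
            entry = ""
        }
        # a non-indented line starts a new state entry
        /^[^[:space:]]/ { flush(); entry = $0; next }
        { entry = entry "\n" $0 }
        END { flush() }'
}

# authpf_report RULE: rules per authpf process, then the states of rule RULE.
# Note the rule numbers in state entries reset when the main ruleset reloads.
authpf_report() {
    for pid in $(pfctl -a authpf -sA | authpf_pids); do
        echo "=== rules loaded by authpf:$pid"
        pfctl -a "authpf:$pid" -sr
    done
    echo "=== states created through main ruleset rule $1"
    pfctl -vss | states_for_rule "$1"
}
```

Run as `. ./authpf-report.sh; authpf_report 7` on the firewall, after reading the anchor rule's number from 'pfctl -vvsr'.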
