Re: PF not keeping counters in a counters-defined table
Hopefully someone else will be able to help.

On Tue, Jan 5, 2021 at 9:42 PM Kristof Provost wrote:
> On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> > You are correct, Kristof.
> >
> > If I place the table in the rdr rule - it starts keeping counters,
> > however, what is the point of having the ability to place a table in a
> > rdr-anchor rule in the first place, if it won't be able to keep counters?
> >
> Tables are not just about counters. They’re about making a rule filter
> on a whole selection of addresses (or ranges).
> In this case you’re choosing to filter what traffic may go into the
> anchor.
> Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule
> in the anchor itself?
>
> > I'm doing the following scenario:
> > table counters
> > table persist
> >
> > rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
> > no-rdr on igb0 from any to port 123
> > rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> > # contents of /etc/ASDFGH-anchor:
> > # (tested separately)
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
> > # rdr on igb0 proto tcp from to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working
> >
> > So, in this case - how do I keep counters in the without
> > breaking the current "workflow"?
> > If IP 192.168.0.1 is not in and I have on all rdr
> > rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124
> >
> > Is there a way?
>
> I have no idea, and I’m not the best person to talk to about how to
> configure your firewall.
>
> Best regards,
> Kristof

___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: PF not keeping counters in a counters-defined table
On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> You are correct, Kristof.
>
> If I place the table in the rdr rule - it starts keeping counters,
> however, what is the point of having the ability to place a table in a
> rdr-anchor rule in the first place, if it won't be able to keep counters?
>
Tables are not just about counters. They’re about making a rule filter
on a whole selection of addresses (or ranges).
In this case you’re choosing to filter what traffic may go into the
anchor.
Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule
in the anchor itself?

> I'm doing the following scenario:
> table counters
> table persist
>
> rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
> no-rdr on igb0 from any to port 123
> rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
> # contents of /etc/ASDFGH-anchor:
> # (tested separately)
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
> # rdr on igb0 proto tcp from to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working
>
> So, in this case - how do I keep counters in the without
> breaking the current "workflow"?
> If IP 192.168.0.1 is not in and I have on all rdr
> rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124
>
> Is there a way?

I have no idea, and I’m not the best person to talk to about how to
configure your firewall.

Best regards,
Kristof
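Kristof's reply leaves the last question open. The ruleset below is an added example, not from the thread or from anyone on it: it relies on PF evaluating translation (rdr) rules first-match, so a table-qualified rdr rule listed first inside the anchor is the final matching rule for sources in the table (and gets the counters, as Dobri's "counters working" test already showed), while a catch-all rdr rule after it still redirects everyone else to port 124. The table name xyztable is taken from the pfctl commands in the original report; the unfiltered rdr-anchor line from Dobri's second attempt is assumed to be the one kept in the main ruleset.

```pf
# /etc/pf.conf (main ruleset) -- added example, not the thread's own file.
# The table stays defined here so "pfctl -t xyztable -T add ..." keeps
# working. The rdr-anchor line no longer filters on the table: every
# port 123 connection enters the anchor and the anchor's rules decide.
table <xyztable> counters
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor -- added example.
# Translation rules are first-match, and only the final matching rule
# updates counters, so the table-qualified rule must come first.
# 1) sources listed in <xyztable>: this rule is final, table counters tick
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
# 2) everyone else still reaches 192.168.0.1:124, just without being counted
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Verify which anchor rule was hit (-v adds per-rule evaluation/packet
# counters) and whether the table counted:
#   pfctl -a ASDFGH -s nat -v
#   pfctl -t xyztable -T show -vv
```

If a source in the table shows packets on rule 2 instead of rule 1, the rule order in the anchor file is wrong, which is the same "final matching rule" effect Kristof describes for the rdr-anchor line.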
Re: PF not keeping counters in a counters-defined table
You are correct, Kristof.

If I place the table in the rdr rule - it starts keeping counters,
however, what is the point of having the ability to place a table in a
rdr-anchor rule in the first place, if it won't be able to keep counters?

I'm doing the following scenario:
table counters
table persist

rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
no-rdr on igb0 from any to port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"
# contents of /etc/ASDFGH-anchor:
# (tested separately)
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
# rdr on igb0 proto tcp from to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working

So, in this case - how do I keep counters in the without
breaking the current "workflow"?
If IP 192.168.0.1 is not in and I have on all rdr
rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124

Is there a way?

On Tue, Jan 5, 2021 at 8:58 PM Kristof Provost wrote:
> On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> > #
> >
> > # /etc/pf.conf:
> > set timeout tcp.first 45
> > set timeout tcp.opening 45
> > set timeout tcp.closing 15
> > set timeout tcp.finwait 15
> > set timeout tcp.closed 10
> > set timeout interval 10
> > set timeout tcp.established 3600
> > set timeout src.track 10
> >
> > set limit table-entries 50
> > set limit states 200
> > set limit src-nodes 200
> > set require-order no
> > set block-policy drop
> > set ruleset-optimization basic
> >
> > set skip on lo0
> >
> > table counters
> > rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> >
> > # contents of /etc/ASDFGH-anchor:
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> > #
> Use pflog to confirm, but I’m pretty sure your issue is that you’re
> hitting the rdr rule in the anchor, which doesn’t contain the table
> with the counters rather than the anchor rule.
> Counts are only done on the final matching rule, not on all of the rules
> looked at along the way.
>
> Regards,
> Kristof
Re: PF not keeping counters in a counters-defined table
On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> #
> # /etc/pf.conf:
> set timeout tcp.first 45
> set timeout tcp.opening 45
> set timeout tcp.closing 15
> set timeout tcp.finwait 15
> set timeout tcp.closed 10
> set timeout interval 10
> set timeout tcp.established 3600
> set timeout src.track 10
>
> set limit table-entries 50
> set limit states 200
> set limit src-nodes 200
> set require-order no
> set block-policy drop
> set ruleset-optimization basic
>
> set skip on lo0
>
> table counters
> rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
>
> # contents of /etc/ASDFGH-anchor:
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> #
Use pflog to confirm, but I’m pretty sure your issue is that you’re
hitting the rdr rule in the anchor, which doesn’t contain the table
with the counters rather than the anchor rule.
Counts are only done on the final matching rule, not on all of the rules
looked at along the way.

Regards,
Kristof
PF not keeping counters in a counters-defined table
#
# /etc/pf.conf:
set timeout tcp.first 45
set timeout tcp.opening 45
set timeout tcp.closing 15
set timeout tcp.finwait 15
set timeout tcp.closed 10
set timeout interval 10
set timeout tcp.established 3600
set timeout src.track 10

set limit table-entries 50
set limit states 200
set limit src-nodes 200
set require-order no
set block-policy drop
set ruleset-optimization basic

set skip on lo0

table counters
rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# contents of /etc/ASDFGH-anchor:
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
#
#
# Add the IP in the table:
# pfctl -t xyztable -T add 192.168.0.101

Daemon listening on 124, "client" sends traffic to 123 which is redirected
to 124 by the rdr-anchor.
I send some TCP traffic from 192.168.0.101 to 192.168.0.1 port 123 (and
receive responses), however, the table has 0 counters.

#
# pfctl -t xyztable -T show -vv
No ALTQ support in kernel
ALTQ related functions disabled
   192.168.0.101
        Cleared:     Mon Jan  4 23:42:55 2021
        In/Block:    [ Packets: 0    Bytes: 0 ]
        In/Pass:     [ Packets: 0    Bytes: 0 ]
        Out/Block:   [ Packets: 0    Bytes: 0 ]
        Out/Pass:    [ Packets: 0    Bytes: 0 ]