PF not keeping counters in a counters-defined table
PF not keeping counters in a counters-defined table

Dobri Dobrev
 #
------------------------------------------------------------------------------------------------
# /etc/pf.conf:
set timeout tcp.first 45
set timeout tcp.opening 45
set timeout tcp.closing 15
set timeout tcp.finwait 15
set timeout tcp.closed 10
set timeout interval 10
set timeout tcp.established 3600
set timeout src.track 10

set limit table-entries 500000
set limit states 2000000
set limit src-nodes 2000000
set require-order no
set block-policy drop
set ruleset-optimization basic

set skip on lo0

table <xyztable> counters
rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# contents of /etc/ASDFGH-anchor:
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
#
------------------------------------------------------------------------------------------------

#
------------------------------------------------------------------------------------------------
# Add the IP in the table:
# pfctl -t xyztable -T add 192.168.0.101

Daemon listening on 124, "client" sends traffic to 123 which is redirected
to 124 by the rdr-anchor.

I send some TCP traffic from 192.168.0.101 to 192.168.0.1 port 123 (and
receive responses), however, the table has 0 counters.

#
------------------------------------------------------------------------------------------------
# pfctl -t xyztable -T show -vv
No ALTQ support in kernel
ALTQ related functions disabled
192.168.0.101
Cleared: Mon Jan 4 23:42:55 2021
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[hidden email]"

Re: PF not keeping counters in a counters-defined table

Kristof Provost
On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:

>  #
> ------------------------------------------------------------------------------------------------
> # /etc/pf.conf:
> set timeout tcp.first 45
> set timeout tcp.opening 45
> set timeout tcp.closing 15
> set timeout tcp.finwait 15
> set timeout tcp.closed 10
> set timeout interval 10
> set timeout tcp.established 3600
> set timeout src.track 10
>
> set limit table-entries 500000
> set limit states 2000000
> set limit src-nodes 2000000
> set require-order no
> set block-policy drop
> set ruleset-optimization basic
>
> set skip on lo0
>
> table <xyztable> counters
> rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
>
> # contents of /etc/ASDFGH-anchor:
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> #
Use pflog to confirm, but I’m pretty sure your issue is that you’re
hitting the rdr rule in the anchor, which doesn’t contain the table
with the counters rather than the anchor rule.
Counts are only done on the final matching rule, not on all of the rules
looked at along the way.

Regards,
Kristof

Re: PF not keeping counters in a counters-defined table

Dobri Dobrev
You are correct, Kristof.

If I place the table in the rdr rule, it starts keeping counters; however,
what is the point of having the ability to place a table in a rdr-anchor
rule in the first place, if it won't be able to keep counters?

I'm doing the following scenario:
table <xyztable> counters
table <othertable> persist

rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no-rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"
# contents of /etc/ASDFGH-anchor:
# (tested separately)
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
# rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working

So, in this case, how do I keep counters in the <xyztable> without
breaking the current "workflow"?
If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr
rules at the anchor, I won't ever be able to reach 123->192.168.0.1:124.

Is there a way?

On Tue, Jan 5, 2021 at 8:58 PM Kristof Provost <[hidden email]> wrote:

Re: PF not keeping counters in a counters-defined table

Kristof Provost
On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> You are correct, Kristof.
>
> If I place the table in the rdr rule - it starts keeping counters,
> however,
> what is the point of having the ability to place a table in a
> rdr-anchor
> rule in the first place, if it won't be able to keep counters?
>
Tables are not just about counters. They’re about making a rule filter
on a whole selection of addresses (or ranges).
In this case you’re choosing to filter what traffic may go into the
anchor.
Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule
in the anchor itself?

> I'm doing the following scenario:
> table <xyztable> counters
> table <othertable> persist
>
> rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> no-rdr on igb0 from any to <othertable> port 123
> rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
> # contents of /etc/ASDFGH-anchor:
> # (tested separately)
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
> # rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working
>
> So, in this case - how do I keep counters in the <xyztable> without
> breaking the current "workflow"?
> If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr
> rules at the anchor, I won't ever be able to reach 123->192.168.0.1:124.
>
> Is there a way?

I have no idea, and I’m not the best person to talk to about how to
configure your firewall.

Best regards,
Kristof

Re: PF not keeping counters in a counters-defined table

Dobri Dobrev
Hopefully someone else will be able to help.

On Tue, Jan 5, 2021 at 9:42 PM Kristof Provost <[hidden email]> wrote:
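An added example, not from the thread or from pf's documentation, that follows Kristof's suggestion of referencing the table on the rdr rule inside the anchor rather than on the rdr-anchor rule: it assumes the first-match semantics pf.conf(5) documents for nat/rdr rules, and the verification commands at the end are pf's own.

```pf
# Added example: counters are credited only to the rule that finally matches,
# so <xyztable> must appear on an rdr rule in the anchor, not only on the
# rdr-anchor rule that selects which traffic enters the anchor.

# /etc/pf.conf (same rule order as in the thread)
table <xyztable> counters
table <othertable> persist

rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no-rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor: two rdr rules, evaluated first-match (assumption:
# nat/rdr first-match as documented in pf.conf(5)).
#   - hosts in <xyztable> hit the first rule, so their table counters move
#   - everyone else falls through to the second rule, so the any->192.168.0.1
#     redirect still works without the table being referenced on it
# rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Verification from a root shell after loading the ruleset:
#   pfctl -t xyztable -T zero        # reset the per-address counters
#   pfctl -a ASDFGH -sn -v           # Evaluations/Packets per rdr rule in the anchor
#   pfctl -t xyztable -T show -vv    # In/Pass and Out/Pass should now be non-zero
```

If the second command shows packets only on the generic rule for a source that is in <xyztable>, the table entry itself (address or netmask) is the thing to check next.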