---
categories: openbsd network firewall
title: Howto PacketFilter
---

## Tips & Tricks

### General

Enable PacketFilter:

> Note: careful, since the rules being activated have no state for connections that already exist, pf will cut **all** current connections.

~~~
# pfctl -e
~~~

Disable PacketFilter:

~~~
# pfctl -d
~~~

Check the configuration without loading it:

~~~
# pfctl -nf /etc/pf.conf
~~~

Reload the configuration:

~~~
# pfctl -f /etc/pf.conf
~~~

### Detailed usage

#### Observation

View QoS (queues) in real time:

~~~
# systat queue
# pfctl -s queue -vv
~~~

View all rules currently in place:

~~~
# pfctl -sr
~~~

View all rules currently in place, with statistics:

~~~
# pfctl -vsr
~~~

Get rule number 42:

~~~
# pfctl -sr -R42
~~~

List the states:

~~~
# pfctl -s states | less
~~~

List the states with statistics, including each state's age and expiry:

~~~
# pfctl -vs states | less
~~~

Get the number of states:

~~~
# pfctl -si | grep curr
~~~

All information about PF:

~~~
# pfctl -sa | less
~~~

#### Action

Flush the states:

~~~
# pfctl -F states
~~~

Managing tables:

~~~
# pfctl -t <table> -T show/flush/kill/add/delete
~~~

#### Logs

View the logs:

~~~
# tcpdump -n -e -ttt -r /var/log/pflog
~~~

View old (rotated) logs:

~~~
# zcat /var/log/pflog.0.gz | tcpdump -ne -ttt -r -
~~~

View the logs in real time:

~~~
# tcpdump -n -e -ttt -i pflog0
~~~
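
Summarising that tcpdump output, as an added example that is not part of the original page: the script below counts blocked packets per rule number (each rule can then be looked up with `pfctl -sr -R<n>`) and lists the busiest blocked sources. The sample lines are constructed, and the line format is an assumption based on OpenBSD's pflog output (IPv4 only).

```python
import re
from collections import Counter

# Constructed sample of what "tcpdump -n -e -ttt -r /var/log/pflog" prints.
# The line format is an assumption based on OpenBSD pflog output; IPv4 only.
SAMPLE_PFLOG = """\
Mar 03 10:15:01.123456 rule 42/(match) block in on em0: 203.0.113.7.51234 > 192.0.2.10.22: S 1:1(0) win 65535
Mar 03 10:15:01.223456 rule 42/(match) block in on em0: 203.0.113.7.51235 > 192.0.2.10.23: S 1:1(0) win 65535
Mar 03 10:15:02.000001 rule 7/(match) pass in on em0: 198.51.100.5.40000 > 192.0.2.10.443: S 1:1(0) win 65535
Mar 03 10:15:02.500000 rule 42/(match) block in on em0: 203.0.113.9.4444 > 192.0.2.10.3389: S 1:1(0) win 65535
Mar 03 10:15:03.000000 rule 12/(match) block out on em0: 192.0.2.10.51000 > 198.51.100.20.25: S 1:1(0) win 65535
this line is noise and must be skipped
"""

# "rule <n>/(<reason>) <action> <dir> on <iface>: <src>.<sport> > <dst>.<dport>:"
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) (?P<action>pass|block|match) "
    r"(?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["rule"] = int(entry["rule"])
            yield entry


def blocks_by_rule(text):
    """Blocked packets per rule number (look the rule up with pfctl -sr -R<n>)."""
    return Counter(e["rule"] for e in parse_pflog(text) if e["action"] == "block")


def top_blocked_sources(text, n=3):
    """Most frequent source addresses among inbound blocked packets."""
    sources = Counter(e["src"] for e in parse_pflog(text)
                      if e["action"] == "block" and e["dir"] == "in")
    return sources.most_common(n)


if __name__ == "__main__":
    for rule, count in sorted(blocks_by_rule(SAMPLE_PFLOG).items()):
        print(f"rule {rule}: {count} blocked")
    print(top_blocked_sources(SAMPLE_PFLOG))
```

On a real box, feed it the live output instead of the sample: `tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_summary.py` with `sys.stdin.read()` in place of `SAMPLE_PFLOG`.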

## FAQ

### pfctl: warning: namespace collision with \<table\> global table.

A priori, you need to clear the table with

~~~
# pfctl -t <table> -T kill
~~~

### Timeout values

From the man page:

~~~
set optimization environment
    Optimize state timeouts for one of the following network
    environments:

    aggressive
        Aggressively expire connections. This can greatly reduce
        the memory usage of the firewall at the cost of dropping
        idle connections early.
    conservative
        Extremely conservative settings. Avoid dropping
        legitimate connections at the expense of greater memory
        utilization (possibly much greater on a busy network) and
        slightly increased processor utilization.
    high-latency
        A high-latency environment (such as a satellite
        connection).
    normal  A normal network environment. Suitable for almost all
        networks.
    satellite
        Alias for high-latency.
~~~

Comparison of the values for the *aggressive* and *normal* modes:

~~~
                 Aggressive     Normal
tcp.first        30s            120s
tcp.opening      5s             30s
tcp.established  18000s         86400s
tcp.closing      60s            900s
tcp.finwait      30s            45s
tcp.closed       30s            90s
tcp.tsdiff       10s            30s
udp.first        60s            60s
udp.single       30s            30s
udp.multiple     60s            60s
icmp.first       20s            20s
icmp.error       10s            10s
other.first      60s            60s
other.single     30s            30s
other.multiple   60s            60s
frag             60s            60s
interval         10s            10s
adaptive.start   6000 states    6000 states
adaptive.end     12000 states   12000 states
src.track        0s             0s
~~~

|
À titre d'indication, en mode *satellite*
|
|
|
|
~~~
|
|
tcp.first 180s
|
|
tcp.opening 35s
|
|
tcp.established 86400s
|
|
tcp.closing 905s
|
|
tcp.finwait 50s
|
|
tcp.closed 95s
|
|
tcp.tsdiff 60s
|
|
udp.first 60s
|
|
udp.single 30s
|
|
udp.multiple 60s
|
|
icmp.first 20s
|
|
icmp.error 10s
|
|
other.first 60s
|
|
other.single 30s
|
|
other.multiple 60s
|
|
frag 60s
|
|
interval 10s
|
|
adaptive.start 6000 states
|
|
adaptive.end 12000 states
|
|
src.track 0s
|
|
|
|
~~~
|