Questions about tables on pf

Questions about tables on pf

Leonardo Carneiro - Veltrac
Hello everyone.

I have a table in my pf.conf:

table <ips_allowed> persist const file "/etc/pf.conf.d/ips_allowed"

If I add or remove IPs from this file manually, will the firewall be
aware of such changes or do I need to reload pf? Also, does pf map this
file in memory or does it read from the disk for every packet?

Thanks in advance, and sorry for my poor English.
--
Leonardo Carneiro

Re: Questions about tables on pf

Gregory Edigarov-2
On Thu, 29 Apr 2010 10:15:08 -0300
Leonardo Carneiro - Veltrac <[hidden email]> wrote:

> Hello everyone.
>
> I have a table in my pf.conf:
>
> table <ips_allowed> persist const file "/etc/pf.conf.d/ips_allowed"
>
> If I add or remove IPs from this file manually, will the firewall be
> aware of such changes or do I need to reload pf? Also, does pf map this
> file in memory or does it read from the disk for every packet?
>
> Thanks in advance, and sorry for my poor English.

Please read the manual page.
You will need to do something like:

pfctl -Treplace -tips_allowed

in order to reload your table
--
With best regards,
        Gregory Edigarov

Re: Questions about tables on pf

Otto Moerbeek
In reply to this post by Leonardo Carneiro - Veltrac
On Thu, Apr 29, 2010 at 10:15:08AM -0300, Leonardo Carneiro - Veltrac wrote:

> Hello everyone.
>
> I have a table in my pf.conf:
>
> table <ips_allowed> persist const file "/etc/pf.conf.d/ips_allowed"
>
> If I add or remove IPs from this file manually, will the firewall be
> aware of such changes or do I need to reload pf? Also, does pf map

You need to reload. Check the man page.

> this file in memory or does it read from the disk for every packet?

Neither. The addresses are loaded in kernel memory via pfctl.

        -Otto

Re: Questions about tables on pf

Peter Nicolai Mathias Hansteen
In reply to this post by Leonardo Carneiro - Veltrac
Leonardo Carneiro - Veltrac <[hidden email]> writes:

> If I add or remove IPs from this file manually, will the firewall be
> aware of such changes or do I need to reload pf?

You can check what actually happens easily after editing the file by
comparing the output of

$ sudo pfctl -t ips_allowed -T show

with the contents of the file, but the shorter answer is: No.  You
will need to reload table contents, with a command like

$ sudo pfctl -t ips_allowed -T replace -f /etc/pf.conf.d/ips_allowed

> Also, does pf map this file in memory or does it read from the disk
> for every packet?

Tables sourced from files are held in memory, and rule set evaluation
in most cases is not triggered as long as an arriving packet matches a
pre-existing state.

My own take on basic table operations is up at
http://home.nuug.no/~peter/pf/en/tables.html, and the PF User
Guide (aka The PF FAQ) has a tables section at
http://www.openbsd.org/faq/pf/tables.html (and your friendly
neighborhood mirror).

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
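An added example, not part of the thread, that turns the check Peter describes into a small script: it normalizes the address file and the output of `pfctl -t <table> -T show` the same way, compares the two lists, and only runs `pfctl -T replace -f` when they differ. It assumes pfctl(8) is in PATH (the PFCTL variable is there only so the functions can be exercised against a stand-in) and reuses the table name and file path from the original post. One caveat from pf.conf(5) before relying on this: the table in the post is declared `const`, and that flag prevents pfctl from altering the table's contents once it has been created, so a `-T replace` against it will be refused. For a `const` table, edits to the file are picked up by reloading the whole ruleset with `pfctl -f /etc/pf.conf`, or you drop `const` from the definition so the table can be replaced on its own.

```shell
#!/bin/sh
# Added example (not from the thread): reload a pf table from its file only
# when the file and the kernel copy differ. Assumes pfctl(8) in PATH; PFCTL
# can be pointed at a stand-in command for testing.
set -eu

PFCTL=${PFCTL:-pfctl}

# Normalize an address list read on stdin: drop comments and blank lines,
# trim whitespace, sort and dedupe. Both the file and `pfctl -T show`
# output go through this so they can be compared as plain strings.
normalize_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' | sort -u
}

# Addresses currently held in the kernel for table $1. If the table does
# not exist yet, pfctl errors out and the list is simply empty, which
# counts as "stale" below and triggers a load.
loaded_table() {
    $PFCTL -t "$1" -T show 2>/dev/null | normalize_list
}

# Addresses listed in file $1.
file_table() {
    normalize_list < "$1"
}

# Exit status 0 when the file differs from the loaded table (reload
# needed), 1 when they already match.
table_is_stale() {
    _table=$1
    _file=$2
    [ "$(file_table "$_file")" != "$(loaded_table "$_table")" ]
}

# Replace the kernel copy of table $1 from file $2, but only if needed.
sync_table() {
    _table=$1
    _file=$2
    if table_is_stale "$_table" "$_file"; then
        $PFCTL -t "$_table" -T replace -f "$_file"
        echo "reloaded <$_table> from $_file"
    else
        echo "<$_table> already matches $_file"
    fi
}

# Typical use, with the table and path from the original post:
#   sync_table ips_allowed /etc/pf.conf.d/ips_allowed
```

Two things to keep in mind when using a comparison like this. Hostnames in the file are resolved to addresses when the table is loaded and show up as addresses in `-T show`, so a file that contains names will always look stale; keep the file to literal addresses and CIDR prefixes. And `pfctl -t <table> -T add` / `-T delete` change the kernel copy without touching the file (the "on the fly" updates mentioned later in the thread); once those are in use the file is no longer the source of truth, and a sync from the file would silently undo them.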

Re: Questions about tables on pf

Leonardo Carneiro - Veltrac
In reply to this post by Gregory Edigarov-2
Gregory Edigarov wrote:

> On Thu, 29 Apr 2010 10:15:08 -0300
> Leonardo Carneiro - Veltrac <[hidden email]> wrote:
>
>> Hello everyone.
>>
>> I have a table in my pf.conf:
>>
>> table <ips_allowed> persist const file "/etc/pf.conf.d/ips_allowed"
>>
>> If I add or remove IPs from this file manually, will the firewall be
>> aware of such changes or do I need to reload pf? Also, does pf map this
>> file in memory or does it read from the disk for every packet?
>>
>> Thanks in advance, and sorry for my poor English.
>
> Please read the manual page.
> You will need to do something like:
>
> pfctl -Treplace -tips_allowed
>
> in order to reload your table
Hi Gregory and others,

I have read the documentation and I was aware that I can reload just the
table instead of the whole firewall; what I did not know was whether pf
could "sense" the changes in the file.

But thanks for the tips anyway.

Re: Questions about tables on pf

Leonardo Carneiro - Veltrac
In reply to this post by Otto Moerbeek
Otto Moerbeek wrote:
> On Thu, Apr 29, 2010 at 10:15:08AM -0300, Leonardo Carneiro - Veltrac wrote:
>
>> this file in memory or does it read from the disk for every packet?
>
> Neither. The addresses are loaded in kernel memory via pfctl.
>
> -Otto
Thanks. This info is very important to me because my disk sucks, and I'll
have to create some tables that will be "hit" very often in my ruleset.
Thanks for the info.

Re: Questions about tables on pf

Lars Nooden-2
On Thu, 29 Apr 2010, Leonardo Carneiro - Veltrac wrote:
> Thanks. This info is very important to me because my disk sucks,

Look at the manual page for mount_mfs(8) and the option -P: you can
load a directory and the files in it into memory.

> and I'll have to create some tables that will be "hit" very often in
> my ruleset.

What are you planning on adding to the tables?  There may be another way to
add addresses to the tables.

/Lars

Re: Questions about tables on pf

Leonardo Carneiro - Veltrac
Lars Nooden wrote:

> On Thu, 29 Apr 2010, Leonardo Carneiro - Veltrac wrote:
>> Thanks. This info is very important to me because my disk sucks,
>
> Look at the manual page for mount_mfs(8) and the option -P: you can
> load a directory and the files in it into memory.
>
>> and I'll have to create some tables that will be "hit" very often
>> in my ruleset.
>
> What are you planning on adding to the tables?  There may be another way
> to add addresses to the tables.
>
> /Lars
Just a list of IPs, and maybe some port lists, but this is not defined
yet. But the table will not be updated very often. In fact, the
"how-to-update-the-table" question was just academic curiosity. I
read in the manual that there are ways to add content "on the fly" to tables
through the firewall, but I don't have that need yet.