Managing Tables


Tables are handled slightly differently than other sorts of rules. The whole point of a table is to maintain a list of network numbers, so pfctl(8)'s table support is concerned with creating, editing, and removing table information. Whenever you work with a table in pfctl(8), you must specify the name of the table you are editing with the "-t" option. For example, if you're working with the "intruders" table, each pfctl(8) command should start with:

 # pfctl -t intruders 

If you run this command by itself, pfctl(8) won't actually do anything. You need to tell pfctl(8) what you want it to do with the table, using the "-T" flag, before it will actually consult PF and do something. The "-T" flag takes an argument: the action you want it to take. For example, to display the contents of the table, use the "show" argument.

 # pfctl -t intruders -T show
    209.69.178.26
 #

The "intruders" table has one entry, 209.69.178.18.

Add an entry to the table with the "add" argument.

 # pfctl -t intruders -T add 10.0.0.9
 1/1 addresses added.
 #

You can add entire networks to the table by specifying a netmask.

 # pfctl -t intruders -T add 88.88.0.0/16
 1/1 addresses added
 #

Also, you can add multiple network numbers at a time.

 # pfctl -t intruders -T add 88.99.0.0/16 99.99.8.0/24
 2/2 addresses added
 #

If you add entries to a non-existent table, the table is automatically created. (You might use this with anchor rules, or with authpf(8).)

Similarly, you can delete entries from a table with the "delete" argument. You can use any number of network numbers in a single delete statement.

 # pfctl -t intruders -T delete 99.99.8.0/24
 1/1 addresses deleted
 #

To remove all the entries from a table, use the "flush" command.

 # pfctl -t intruders -T flush
 4 addresses deleted
 #

The table is now empty. But perhaps deleting entries from a table is not enough, and you want to delete the table itself. Use the "kill" argument for this.

 # pfctl -t intruders -T kill
 1 table deleted
 #

The next time you add an entry to the "intruders" table, PF will automatically recreate it.

If you're using text files to maintain your tables, you might want to reload the text file into your tables without restarting PF. This might be common with spam blacklists, for example; when you download the latest list of spam-spewing hosts, you want to get this into your system as soon as possible. You also want to remove old entries from the table at the same time. Use the "replace" argument for this, and also use the "-f" flag to specify the file name.

 # pfctl -t spamhosts -T replace -f /etc/spamhosts
 99 addresses added
 4 addresses deleted
 #
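A downloaded blocklist is untrusted input, and "replace" swaps the whole table in one step, so it is worth checking the file before handing it to pfctl(8). The script below is an added example, not code from the book: it assumes a pf.conf-style table file (one IPv4 address or network per line, blank lines and "#" comments allowed), and the function names valid_ipv4_entry, check_table_file and reload_table are my own. It only calls pfctl(8) once every entry in the file has passed the check.

```shell
#!/bin/sh
# Added example (not from the book): validate a table file before loading it
# with "pfctl -t <table> -T replace -f <file>".
# Assumed file format: one IPv4 address or CIDR network per line, blank lines
# and "#" comments allowed. Negated ("!") and IPv6 entries are not handled.
set -f   # entries are never globs; keep "set -- $line" from expanding "*"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_entry() {
    entry=$1
    addr=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" = "$entry" ] && prefix=32        # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # exactly three dots and four non-empty numeric octets in the range 0-255
    case "$addr" in *.*.*.*.*|*..*) return 1 ;; esac
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Check every entry in a table file. Diagnostics go to stderr, the number of
# bad lines goes to stdout, and the exit status is non-zero if any line is bad.
check_table_file() {
    file=$1
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                         # strip comments
        set -- $line                             # a valid line is one word
        [ $# -eq 0 ] && continue                 # blank or comment-only line
        if [ $# -ne 1 ] || ! valid_ipv4_entry "$1"; then
            printf 'line %d: bad entry "%s"\n' "$lineno" "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    printf '%s\n' "$bad"
    [ "$bad" -eq 0 ]
}

# Replace the contents of a table with the file, but only if the file is clean.
reload_table() {
    table=$1
    file=$2
    if ! bad=$(check_table_file "$file"); then
        echo "refusing to load $file into table $table: $bad bad line(s)" >&2
        return 1
    fi
    pfctl -t "$table" -T replace -f "$file"
}

# Usage: sh reload_table.sh <table> <file>; with no arguments nothing is run.
if [ $# -eq 2 ]; then
    reload_table "$1" "$2"
fi
```

On a bad file the old table contents are left untouched, which is the safer failure mode for a blocklist: a truncated or corrupted download should never empty the table.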

You can also check if a particular IP address is inside a table, using the "test" argument. Here, we check to see if a particular IP address is in our running spamhosts table.

 # pfctl -t spamhosts -T test 209.69.178.26
 0/1 addresses match.
 #

It's not common to have to create and remove tables on the fly, but it's quite possible that you will want different types of tables for different circumstances. You can load table definitions from a file with the "load" argument. Use pfctl(8)'s "-f" flag to specify the file name.

 # pfctl -T load -f /etc/pf.conf 

Table Statistics

PF keeps statistics on each IP address in a table. If you add the -v flag to the "show" argument, you'll get a list of each entry in the table and the number of packets that have passed through it.

 # pfctl -t rfc1918 -T show -v
    10.0.0.0/8
        Cleared:     (1) Sun May 11 09:55:20 2003
    (2) In/Block:   [ Packets: 0                 Bytes: 0            ]
    (3) In/Pass:    [ Packets: 0                 Bytes: 0            ]
    (4) Out/Block:  [ Packets: 0                 Bytes: 0            ]
    (5) Out/Pass:   [ Packets: 0                 Bytes: 0            ]
    172.16.0.0/12
    ...

We can see how much data has been (2) blocked coming into the system, how much data has been (3) allowed into the system, how much data has been (4) blocked trying to go out, and how much data has been (5) allowed out. This particular system hasn't seen any traffic from the 10.0.0.0/8 network since (1) May 11 at 9:55 AM, so the counters are all zero.
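The verbose listing is meant for a human, but the per-entry counters are also the quickest way to see which table entries are actually matching traffic. The script below is an added example, not code from the book: it assumes the output layout shown above (an unindented address line followed by indented "Cleared:", "In/Block:", "In/Pass:", "Out/Block:" and "Out/Pass:" lines), the sample listing is constructed rather than captured, and the function names pf_table_counters and pf_table_hits are my own.

```shell
#!/bin/sh
# Added example (not from the book): condense "pfctl -t <table> -T show -v"
# output into one line per entry, so a monitoring script can see which
# entries of a table are doing work. Assumes the layout shown in the text.

# Constructed sample of "pfctl -t rfc1918 -T show -v" output (not a capture).
SAMPLE_SHOW_V='10.0.0.0/8
        Cleared:     Sun May 11 09:55:20 2003
        In/Block:   [ Packets: 12                Bytes: 960          ]
        In/Pass:    [ Packets: 0                 Bytes: 0            ]
        Out/Block:  [ Packets: 0                 Bytes: 0            ]
        Out/Pass:   [ Packets: 3                 Bytes: 240          ]
172.16.0.0/12
        Cleared:     Sun May 11 09:55:20 2003
        In/Block:   [ Packets: 0                 Bytes: 0            ]
        In/Pass:    [ Packets: 0                 Bytes: 0            ]
        Out/Block:  [ Packets: 0                 Bytes: 0            ]
        Out/Pass:   [ Packets: 0                 Bytes: 0            ]'

# Read the verbose listing on stdin and print, for each entry:
#   <address> in_block=<pkts> in_pass=<pkts> out_block=<pkts> out_pass=<pkts>
# On a counter line ("In/Block: [ Packets: N Bytes: M ]") the packet count is
# field 4; the byte count would be field 6.
pf_table_counters() {
    awk '
        function flush() {
            if (addr != "")
                printf "%s in_block=%s in_pass=%s out_block=%s out_pass=%s\n", addr, ib, ip, ob, op
            addr = ""; ib = ip = ob = op = 0
        }
        BEGIN          { ib = ip = ob = op = 0 }
        NF == 0        { next }                       # ignore blank lines
        !/^[ \t]/      { flush(); addr = $1; next }   # unindented: new entry
        /In\/Block:/   { ib = $4 }
        /In\/Pass:/    { ip = $4 }
        /Out\/Block:/  { ob = $4 }
        /Out\/Pass:/   { op = $4 }
        END            { flush() }
    '
}

# Print only the addresses whose block counters are non-zero: the entries
# that have actually stopped something, which is what you want to look at
# before pruning a table with "-T delete".
pf_table_hits() {
    pf_table_counters | awk '
        { split($2, ib, "="); split($4, ob, "=")
          if (ib[2] + ob[2] > 0) print $1 }
    '
}

# Stand-alone demo on the constructed sample. On a real system use
#   pfctl -t rfc1918 -T show -v | pf_table_counters
printf '%s\n' "$SAMPLE_SHOW_V" | pf_table_counters
printf '%s\n' "$SAMPLE_SHOW_V" | pf_table_hits
```

Run the summary right after a "zero" to get counters for a known window; otherwise the numbers accumulate from the "Cleared:" timestamp.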

To reset the counters, use the "zero" argument.

 # pfctl -t rfc1918 -T zero
 1 table/stats cleared.
 #

PF keeps all sorts of statistics on every part of the system, and can report on almost all of its actions. If you're interested, see pf.conf(5).

Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298