Reviewing /var/log/pflog contents

I use pf as my packet filter. Everything blocked gets logged to /var/log/pflog.conf

Late last week, I noticed my rules were allowing everything in on one interface. I changed that. Overnight I see that my Let’s Encrypt certificate renewals failed. Nagios also tells me that the DNS servers are not in sync.

I suspect firewall rules.

Reviewing pflog

It is because I use:

  • block log all in /etc/pf.conf
  • pflog_enable=”YES” in /etc/rc.conf

that I can go back and look at blocked packets from overnight.

This took me a while to figure out how to do this. I’ve done it before but I’ve never written it down. I tried a number of searches and eventually found How to view pflog.

I know the IP address of the DNS hidden master server. Here, I grep for that in the log:

[dan@slocum:~] $ sudo tcpdump -n -e -ttt -r /var/log/pflog | grep 192.0.2.53 | head
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)[sourcecode]
 00:03:18.837991 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:03.004121 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:03.212829 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:03.200515 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:03.201335 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:03.199706 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:06.200597 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:12.199869 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:00:24.201316 rule 0/0(match): block in on ix2: 198.51.100.85.48786 > 192.0.2.53.53: Flags [S], seq 3283303897, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
 00:01:04.116342 rule 0/0(match): block in on ix2: 198.51.100.85.64767 > 192.0.2.53.53: Flags [S], seq 848048006, win 65535, options [mss 1357,nop,wscale 6,sackOK,TS[|tcp]>
tcpdump: Unable to write output: Broken pipe
[dan@slocum:~] $ 

Right there… it’s blocked. My firewall isn’t allowing incoming queries from the other DNS servers.

Fixing that

I found this rule:

# allow DNS hidden master to do its stuff
pass quick on $LAN_IF inet proto udp from <DNS_SLAVES> to $DNS_HIDDEN_MASTER port domain

It took me a bunch of looking to figure this out. But then I changed it to:

# allow DNS hidden master to do its stuff
pass in quick on $LAN_IF inet proto {tcp, udp} from <DNS_SLAVES> to $DNS_HIDDEN_MASTER port domain

A few more tests, and I added lines to allow the slaves to contact us.

pass in  quick on $LAN_IF inet proto {tcp, udp} from <DNS_SLAVES>       to $DNS_HIDDEN_MASTER port domain
pass out quick on $LAN_IF inet proto {tcp, udp} from $DNS_HIDDEN_MASTER to <DNS_SLAVES>       port domain

Why, yes, I do like column aligned rules. Why do you ask?

I find it makes it much easier to verify the rules are symmetric.

pf has great flexibility

This is where you leave a comment showing a better way to do this.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive

Leave a Comment

Scroll to Top