Define hosts lookup for pf.conf

by pichi

Hello,

I was wondering if there was a way to name hosts in pf.conf so when I did a pfctl -s all I could see the STATES table with hostnames instead of ip addresses. It would make troubleshooting a lot easier especially when the STATES table starts to get real big.

Thanks a lot,

Pedro
Granada Spain

Re: Define hosts lookup for pf.conf

by Edwards, David (JTS)

> -----Original Message-----
>
> Hello,
>
> I was wondering if there was a way to name hosts in pf.conf
> so when I did a
> pfctl -s all I could see the STATES table with hostnames instead of ip
> addresses. It would make troubleshooting a lot easier
> especially when the
> STATES table starts to get real big.

I had this trouble a while back and wrote a perl script (I called it
p-pfclt.pl) to do the name resolution.

Trying to do it inside pfctl itself (using config file directives) is
probably not a good idea (feature bloat).

-----------
#!/usr/bin/perl -w
use strict;
use Socket;

sub get_name($);

# Cache of address -> name so each address is resolved only once per run.
my %host;

# Each "pfctl -s state" line has the shape
#   <prefix> <ip>:<port> <direction> <ip>:<port> <rest>
# Rewrite both addresses to hostnames and pass everything else through.
while(<>) {
  if( /^(.*) (\d+\.\d+\.\d+\.\d+):(\d+) (.*) (\d+\.\d+\.\d+\.\d+):(\d+) (.*)$/ ) {
    print "$1 ",
          get_name($2),
          ":$3 $4 ",
          get_name($5),
          ":$6 $7\n";
  } else {
    print "She's sucking mud..\n";
  }
}

# Reverse-resolve an IPv4 address, falling back to the address itself.
# The name is whatever PTR record the owner of the reverse zone publishes,
# so treat it as a label for reading, not as proof of who the peer is.
sub get_name($) {
  my $ip = shift;

  if( ! defined $host{$ip} ) {
    if( my $n = gethostbyaddr(inet_aton($ip), AF_INET) ) {
      $host{$ip} = $n;
    } else {
      $host{$ip} = $ip;
    }
  }
  return $host{$ip};
}
-----------

Use it like:
pfctl -s state | p-pfctl.pl

ciao
dave
---
Dave Edwards
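An added example (not Dave's script and not from the list): the same idea in Python, generalised to substitute every IPv4 token on a line (so icmp states and NAT states with a third address are handled too), with a lookup cache and a check that the PTR answer looks like a hostname before it reaches the terminal. The resolver argument is a hypothetical hook for offline testing; the sample state lines and PTR data are constructed.

```python
import re
import socket

# An IPv4 address as printed by pfctl -s state, optionally followed by :port.
IPV4_TOKEN = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(:\d+)?\b")
# A PTR answer is data from whoever runs the reverse zone for that address. Only
# accept something shaped like a hostname, so a hostile record cannot drop control
# characters or misleading labels onto the admin's terminal.
HOSTNAME_OK = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

def sanitize_name(name, fallback):
    # Keep the PTR result only if it looks like a hostname, else show the address.
    return name if HOSTNAME_OK.fullmatch(name) else fallback

def ptr_lookup(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR record (socket.herror/gaierror subclass OSError)
        return ""

class StateRewriter:
    """Replace IPv4 addresses in pfctl -s state lines with resolved names; resolver
    is an injectable hook (hypothetical, for offline tests), default real PTR lookup."""
    def __init__(self, resolver=ptr_lookup):
        self._resolver = resolver
        self._cache = {}  # each address is resolved at most once per run

    def name_for(self, ip):
        if ip not in self._cache:
            self._cache[ip] = sanitize_name(self._resolver(ip), ip)
        return self._cache[ip]

    def rewrite(self, line):
        # Group 2 is the :port suffix: keep it, replace only the address.
        return IPV4_TOKEN.sub(
            lambda m: self.name_for(m.group(1)) + (m.group(2) or ""), line)

# Constructed sample state lines and constructed PTR data, not from a real host.
SAMPLE_STATES = [
    "self tcp 10.0.0.5:49152 -> 192.0.2.10:22       ESTABLISHED:ESTABLISHED",
    "self icmp 10.0.0.5:8 -> 192.0.2.10:8       0:0",
]
FAKE_PTR = {"10.0.0.5": "laptop.example.net",
            "192.0.2.10": "fw\x1b[2Jevil"}  # hostile PTR carrying a terminal escape

if __name__ == "__main__":  # usage: pfctl -s state | python3 this_script.py
    import sys
    rw = StateRewriter()
    for line in sys.stdin:
        sys.stdout.write(rw.rewrite(line))
```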


Re: Define hosts lookup for pf.conf

by pichi

Dave,

Thanks so much for your help. I have never touched perl but I will give it a try. Still, I have other questions:

1. What software will I need to install on the firewall in order for this script to work?
2. Is there any danger in having this kind of software on a publicly accessible firewall?


Muchas Gracias,

Pedro
Granada Spain


Re: Define hosts lookup for pf.conf

by Richard Toohey

For question 1:

perl should be part of the base install.

From a 4.1 box, base install, NO X, packages installed, etc.

$ perl -v

This is perl, v5.8.8 built for i386-openbsd
[cut]

The Socket module should also be there:

$ perl -e 'use strict; use Socket; print("hello\n");'
hello

For question 2:

You will need wiser heads than mine.  But I'm pretty sure the answer  
will be along the lines of "it depends" - there's danger getting out  
of bed and crossing the road ...

On 18/09/2007, at 6:35 PM, pichi wrote:

> Dave,
>
> Thanks so much for your help. I have never touched perl but I will  
> give it a
> try. Still, I have other questions:
>
> 1. What software will I need to install on the firewall in order  
> for this
> script to work?
> 2. Is there any danger in having this kind of software on a publicly
> accessible firewall?
>
>
> Muchas Gracias,
>
> Pedro
> Granada Spain
>
>


Re: Define hosts lookup for pf.conf

by pichi

The Socket module should also be there:

$ perl -e 'use strict; use Socket; print("hello\n");'
hello


Thanks,

I have perl installed:

$perl -v

$This is perl, v5.8.8 built for i386-openbsd

but it looks like I don't have the socket module because when I do:

$perl -e

I get:

$No code specified for -e.

How can I add that module, and again, is it safe for a publicly accessible firewall?

Many thanks from the newbie,

Pedro


Re: Define hosts lookup for pf.conf

by Richard Toohey

It's telling you exactly what's wrong - you have not specified any  
code for the -e option.

man perl:

SYNOPSIS
        perl [ -sTuU ] [ -hv ] [ -V[:configvar] ]
            [ -cw ] [ -d[:debugger] ] [ -D[number/list] ]
            [ -pna ] [ -Fpattern ] [ -l[octal] ] [ -0[octal] ]
            [ -Idir ] [ -m[-]module ] [ -M[-]'module...' ]
            [ -P ] [ -S ] [ -x[dir] ]
            [ -i[extension] ] [ -e 'command' ] [ -- ] [ programfile ] [ argument ]...

In the code snippet I sent I specified some code that tried to pull  
in the Socket module (I just copied the first two perl lines of  
David's script):

$ perl -e 'use strict; use Socket; print("hello\n");'

perl -e on its own will raise the error you have seen.

If a module is missing you will get something along the lines of:

perl -e 'use no-such-module;'
Can't locate no.pm in @INC (@INC contains: [cut blah-blah-blah]) at -e line 1.
BEGIN failed--compilation aborted at -e line 1.

But we are wandering well outside the realms of OpenBSD and into  
perl.  Try http://www.perlmonks.org/ or http://www.perl.com/ as  
starting points.

On 19/09/2007, at 3:21 AM, pichi wrote:

> The Socket module should also be there:
>
> $ perl -e 'use strict; use Socket; print("hello\n");'
> hello
>
>
> Thanks,
>
> I have perl installed:
>
> $perl -v
>
> $This is perl, v5.8.8 built for i386-openbsd
>
> but it looks like I don't have the socket module because when I do:
>
> $perl -e
>
> I get:
>
> $No code specified for -e.
>
> How can I add that module, and again, is it safe for a publicly
> accessible firewall?
>
> Many thanks from the newbie,
>
> Pedro
>
>


Re: Define hosts lookup for pf.conf

by Edwards, David (JTS)

> -----Original Message-----
> From: owner-misc@... [mailto:owner-misc@...]
> On Behalf Of pichi
> Sent: Tuesday, 18 September 2007 4:05 PM
> To: misc@...
> Subject: Re: Define hosts lookup for pf.conf
>
> Dave,
>
> Thanks so much for your help. I have never touched perl but I
> will give it a try. Still, I have other questions:

You're welcome.

> 1. What software will I need to install on the firewall in
> order for this script to work?

Perl is part of the default install.  If you save the script
somewhere in your path (/usr/local/bin/ works) and make it
executable (chmod 755 whatever_you_call_it.pl), then you will
be able to call it like:

# pfctl -s state | whatever_you_call_it.pl

> 2. Is there any danger in having this kind of software on a publicly
> accessible firewall?

Perl is kick-ass magic that once you're half way up
the learning curve, you wonder how the hell you ever
lived without it..

In my view, there is no risk in having it installed on a
firewall and there are many benefits.  Frankly I'd be
amazed if it isn't already there :-)

ciao
dave
---
Dave Edwards


Re: Define hosts lookup for pf.conf

by Edwards, David (JTS)

> -----Original Message-----
> From: owner-misc@... [mailto:owner-misc@...]
> On Behalf Of pichi
> Sent: Wednesday, 19 September 2007 12:52 AM
> To: misc@...
> Subject: Re: Define hosts lookup for pf.conf
>
> The Socket module should also be there:
>
> $ perl -e 'use strict; use Socket; print("hello\n");'
> hello

Please try to keep track of who said what..  The above came
from a post by Richard Toohey [richardtoohey@...]

> but it looks like I don't have the socket module because when I do:
>
> $perl -e
>
> I get:
>
> $No code specified for -e.

This is answered in another post..

Pedro, You probably won't get too much more hand-holding
here.  You really should have a good look at the tools
available to you before you post to this list.

"man" is your friend, google is your library index.

> How can I add that module, and again, is it safe for a publicly
> accessible firewall?

I'm a bit worried about this term "publicly accessible firewall",
it's a contradiction in terms.  Firewalls should be nearly invisible,
certainly not publicly accessible.

Perl and the enormous number of modules available for Perl are
tools that can be used on firewalls for administration and although
"bare bones" is a good way to build a firewall (from general
principles), you do need certain tools to manage it.  Perl is
one tool that I would miss greatly if it were removed.

Perl does not listen on the network so it cannot be attacked
directly.  Any risk is related to the ability of an
attacker to use Perl to their advantage after they have
already compromised your firewall.  If they own your
firewall, all bets are off and the lack of Perl is
unlikely to even slow them down.

Again, IMHO, there is no risk to installing Perl and
any modules you require on a firewall.

Having said that, it's good that you are cautious :-)

ciao
dave
---
Dave Edwards


Re: Define hosts lookup for pf.conf

by pichi

>Pedro, You probably won't get too much more hand-holding
>here.  You really should have a good look at the tools
>available to you before you post to this list.

>"man" is your friend, google is your library index.

Gentlemen,

Sorry if I ran into the Big Boys forum crying. I will be more cautious about what I ask next time. Is there a forum for people who are starting out with OpenBSD? The thing is I am new to it and I am in a situation where reading pages and pages of Google is taking a lot of time away from making it work. But just working a few days with this OS I can see that it's very solid and worth the many hours of searching for documentation.

>I'm a bit worried about this term "publicly accessible firewall",
>it's a contradiction in terms.  Firewalls should be nearly invisible,
>certainly not publicly accessible.

I meant that one of the interfaces was routable on the Internet, not sitting at a table in Starbucks. And you're right, I try and keep it as invisible as possible.

>Perl and the enormous number of modules available for Perl are
>tools that can be used on firewalls for administration and although
>"bare bones" is a good way to build a firewall (from general
>principles), you do need certain tools to manage it.  Perl is
>one tool that I would miss greatly if it were removed.

I can't wait to get perl working for me. It sounds wonderful. Time....time.

>Having said that, it's good that you are cautious :-)

Thanks Dave. My boss always says "Be paranoid"

Hasta luego,

P.




Re: Define hosts lookup for pf.conf

by Craig Skinner

pichi wrote:
>
> Sorry if I ran into the Big Boys forum crying. I will be more cautious about
> what I ask next time. Is there a forum for people who are starting out with
> OpenBSD?

Read all of this page, noting the word 'Newbies'
http://www.openbsd.org/faq/faq2.html#MailLists

> The thing is I am new to it and I am in a situation where reading
> pages and pages of Google is taking a lot of time away from making it work.

Now you are crying like a girl. Your problems are not this list's problems.


Re: Define hosts lookup for pf.conf

by Daniel Ouellet

pichi wrote:
> Sorry if I ran into the Big Boys forum crying. I will be more cautious about
> what I ask next time. Is there a forum for people who are starting out with
> OpenBSD? The thing is I am new to it and I am in a situation where reading
> pages and pages of Google is taking a lot of time away from making it work.
> But just working a few days with this OS I can see that it's very solid and
> worth the many hours of searching for documentation.

If you are new, then start by reading the most excellent FAQ, all of it,
and it will take you less time than searching Google for hours. It's the
place to start. Then if you want to know more about a special function,
the man pages are more than excellent.

The difference you will find here on OpenBSD is that the developers are
spending an incredible amount of time to make excellent man pages and as
you will see in the FAQ, if the man page is not exact, or doesn't represent
what the system is doing, that is considered a bug and they will fix it
right away.

As for the FAQ, Nick is really a hero if you ask me for the quality of
the FAQ that he put together and how well he keeps it up to date.

So, forget about Google for now and start with the FAQ, then the man
pages and if you have a very good question after that, then Google is
your friend.

You may simply not be used to a system that also has the quality of the
documentation equal to its own source.

OpenBSD is second to none when it comes to documentation.

Try it, you will see.

Best of luck,

Daniel


Re: Define hosts lookup for pf.conf

by Diana Eichert

On Wed, 19 Sep 2007, Craig Skinner wrote:
SNIP
> Now you are crying like a girl. Your problems are not this list's problems.

Craig

I find that statement incredibly offensive.  I think a more appropriate
statement is:
"Now you are crying like a closeted cross-dressing British man"

diana


Re: Define hosts lookup for pf.conf

by Michael Shalayeff-2

On Wed, Sep 19, 2007 at 06:51:19AM -0600, Diana Eichert wrote:
> On Wed, 19 Sep 2007, Craig Skinner wrote:
> SNIP
> >Now you are crying like a girl. Your problems are not this list's problems.
>
> Craig
>
> I find that statement incredibly offensive.  I think a more appropriate
> statement is:
> "Now you are crying like a closeted cross-dressing British man"

wait that is no better!
how about:
"unshaved bloody communist!"
cu
--
    paranoic mickey       (my employers have changed but, the name has remained)


Re: Define hosts lookup for pf.conf

by Craig Skinner

Diana Eichert wrote:

> On Wed, 19 Sep 2007, Craig Skinner wrote:
> SNIP
>> Now you are crying like a girl. Your problems are not this list's
>> problems.
>
> Craig
>
> I find that statement incredibly offensive.  I think a more appropriate
> statement is:
> "Now you are crying like a closeted cross-dressing British man"

You should not talk about your husband like that.


Re: Define hosts lookup for pf.conf

by Miod Vallat (on the road)

> wait that is no better!
> how about:
> "unshaved bloody communist!"

This statement is offensive to creatures like me, whose main food
source is fresh blood.

Miod


Re: Define hosts lookup for pf.conf

by Diana Eichert

On Wed, 19 Sep 2007, Craig Skinner wrote:

> Diana Eichert wrote:
>> I find that statement incredibly offensive.  I think a more appropriate
>> statement is:
>> "Now you are crying like a closeted cross-dressing British man"
>
> You should not talk about your husband like that.

Geez, what planet rock did you crawl out from underneath?  I think I've
been the out lesbian on misc@ for years.

Actually I was thinking about your poor wife when I wrote that.

diana


Re: Define hosts lookup for pf.conf

by Diana Eichert

On Wed, 19 Sep 2007, Miod Vallat wrote:

>> wait that is no better!
>> how about:
>> "unshaved bloody communist!"
>
> This statement is offensive to creatures like me, whose main food
> source is fresh blood.
>
> Miod

fresh pom blood perchance?


Re: Define hosts lookup for pf.conf

by Craig Skinner

Diana Eichert wrote:
> Geez, what planet rock did you crawl out from underneath?  I think I've
> been the out lesbian on misc@ for years.
>
> Actually I was thinking about your poor wife when I wrote that.
>

Don't bother, none of my current wives are lesbians, they'll not return
the favor. ;-)


Re: Define hosts lookup for pf.conf

by beck-7

> fresh pom blood perchance?
>

        Fresh luser blood.
 
Non Ex Transverso Sed Deorsum...

Now, please return to discussing openbsd...

-Bob