Pf tool for evaluating packet's path



  • Hi…

    I have some troubleshooting tasks there would be quite handy to have a simple tool, where you specify source IP (and/or incoming interface) and destination IP (and/or outgoing interface), and this pf-tool would show you the exact "path", how packet is managed through firewall and which rules have affect...

    In one case, I have no idea, why packets from Lan to opt1 are somehow blocked by one of the rules and no logical rule is there to do that, and on the other hand, packets from opt1 to Lan are not blocked, even if I apply incoming block rule on Opt1 that should normally block the packets... Some sort of tool like suggested would quickly show me, which rules are passing traffic (that should not) and which rule is blocking traffic in other case, that should not.

    Any idea? Is there anything useful yet existing?

    /jan



  • The firewall log page shows which packets are passed/blocked. If you click on the green/red icon you are told which rule was responsible. Make sure your rules have logging turned on.

    This wont cover everything you want but should be useful.



  • @sai:

    The firewall log page shows which packets are passed/blocked. If you click on the green/red icon you are told which rule was responsible. Make sure your rules have logging turned on.

    This wont cover everything you want but should be useful.

    This is exactly what I'm trying to avoid… turning on conventional logging for mass of rules...

    /jan



  • Turn on logging for just the rule you are testing.  Perhaps duplicate the rule and fine grain the ACL a bit so that you only pass packets for a "test host".



  • @sullrich:

    Turn on logging for just the rule you are testing.  Perhaps duplicate the rule and fine grain the ACL a bit so that you only pass packets for a "test host".

    I understand that and I am doing that for the most of the time. But there are situations, where you want to test the whole path of the packet and see, what happens on his way through your fw. Speccialy if you have massive bounch of rules and interfaces, this would simplify things a lot.

    Example: "What happens with packet sent from 192.169.0.6 to 192.168.1.10?"

    Output:
    Packet entered pf on interface LAN.
    Rule no. 7 affected: "pass in quick on $lan from 192.169.0.0/24 to any keep state"
    Routes table redirect to interface opt1.
    packet delivered to destination.

    You can see this way how NAT rules are set-up, how policy works so you can work in right part of your rules/NAT setup right away, without extensive searching where the heck is that damned rule, that is allowing/blocking bloody traffic…

    So, if I understand correctly, no tool exists yet...

    /jan

    P.S: BTW, Scott, what happened with my "out rules" patches? I tested all required scenarios required by Bill, but no response...



  • No idea.  As I told you before, I am not crazy about that patch and you will have to get it into the tree through someone else.  Sorry.


Log in to reply