OpenBSD Journal

UI Tools for PF

Contributed by jose on from the making-blocked-packets-pretty dept.

A few tools have appeared lately to give a GUI interface to the OpenBSD packet filter, PF. Daniel Hartmeier, the author of PF, has written pfstat. It sports MRTG-like graphs of incoming packets, bits, and states. FWBuilder supports UI-based rule generation for many firewalls, including PF. Lastly, my own tool fw-mon may be worth mentioning. It's far more kludgy than pfstat, but it shows logged packets and also uses arpwatch to monitor my network. pfstat generates far more attractive graphs.



Comments
  1. By Anonymous Coward () on

    I was looking for such a tool for a long time, and was too lazy to write it myself... Thank you folks!

  2. By Anonymous Coward () on

    http://www.dshield.org/framework.html has a link to an OpenBSD PF client for submitting firewall logs to them.

  3. By Gunnar Wolf () gwolf@gwolf.cx on http://www.gwolf.cx

    Although not a UI tool, this one also deserves mention: http://www.hlfl.org/ looks quite nice for many people's needs. It defines a common filter definition language, from which it can translate to the commands used by ipfilter, ipfw and netfilter/iptables. Yes, it does not (explicitly) support OpenBSD's PF, but the syntax is similar enough to ipfilter that I'm sure it can also be used.

  4. By pravus () on

    Anyone know of a pf log analyzer for giving stats? I'm thinking something that would give you summaries of which ports/IPs were logged, etc... You might have something like:

    BLOCK udp/139 99%
    BLOCK tcp/113 1%

    IP's BLOCK'd
    x.x.x.x udp/139
    y.y.y.y udp/139
    ...

    or whatever. It should be pretty easy to do: just pipe the tcpdump output into awk/sed/perl. But I'm too lazy and I figure someone else has probably done it for me.

    Comments
    1. By Anonymous Coward () on

      See tcpstat in the ports tree.

      It gathers statistics from tcpdump (or tcpdump logfiles) based on ip, port, protocol, whatever.

    2. By Anonymous Coward () on

      http://tud.at/programm/fwanalog/

    3. By schwack () on

      It's also worthwhile to note that:

      pfctl -sa

      shows some passed/dropped stats

      Using snort to process /var/log/pflog would also give interesting stats: tcp/udp %'s and more. In addition, snort's output format for displaying headers is much more uniform than tcpdump's across different packet types, making it much easier to awk/sed filter it as you suggested.
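The summary pravus sketches in comment 4 (pipe the tcpdump output of pflog through awk), as an added sh/awk example that is not from the original thread or from any of the tools named on the page. The pflog line layout in the constructed sample is assumed, and the "not udp and not icmp means tcp" rule is a heuristic, because tcpdump prints TCP segments by their flags rather than by a protocol name.

```shell
#!/bin/sh
# Summarize blocked packets from tcpdump's pflog output by port and source IP.
# Constructed sample lines, approximating `tcpdump -n -e -r /var/log/pflog` output
# (exact layout assumed; check the field positions against your tcpdump version).
SAMPLE='Jul 30 10:00:01.000001 rule 0/0(match): block in on xl0: 10.1.1.1.1025 > 192.0.2.10.139: udp 50
Jul 30 10:00:02.000002 rule 0/0(match): block in on xl0: 10.1.1.1.1026 > 192.0.2.10.139: udp 50
Jul 30 10:00:03.000003 rule 0/0(match): block in on xl0: 10.2.2.2.4321 > 192.0.2.10.139: udp 50
Jul 30 10:00:04.000004 rule 3/0(match): block in on xl0: 10.3.3.3.40000 > 192.0.2.10.113: S 1:1(0) win 512
Jul 30 10:00:05.000005 rule 4/0(match): block in on xl0: 10.5.5.5 > 192.0.2.10: icmp: echo request
Jul 30 10:00:06.000006 rule 1/0(match): pass in on xl0: 10.4.4.4.5555 > 192.0.2.10.22: S 1:1(0) win 512'

# Reads tcpdump pflog lines on stdin; prints the share of blocked packets per
# protocol/port and the source IPs that hit each one. Only "block" lines count.
pf_block_summary() {
    awk '
    /: block (in|out) on / {
        # locate the "src > dst:" triple; the token after dst names the protocol
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); proto = $(i + 2); break }
        sub(/:$/, "", dst)
        if (proto ~ /^icmp/) {
            # ICMP lines carry no port, so src and dst are bare addresses
            p = "icmp"; port = "-"; sip = src
        } else {
            # tcpdump prints "udp" explicitly but shows TCP only by its flags (S, P, ., ...)
            p = (proto == "udp") ? "udp" : "tcp"
            n = split(dst, d, "."); port = d[n]
            n = split(src, s, "."); sip = s[1]
            for (j = 2; j < n; j++) sip = sip "." s[j]
        }
        key = p "/" port
        count[key]++; total++
        ips[sip " " key]++
    }
    END {
        for (k in count) printf "BLOCK %s %d%%\n", k, int(100 * count[k] / total + 0.5)
        print ""
        print "Blocked source IPs"
        for (k in ips) print k
    }'
}

printf '%s\n' "$SAMPLE" | pf_block_summary
```

On a live box, replace the sample with `tcpdump -n -e -r /var/log/pflog | pf_block_summary`; the `pass` line in the sample is there to show that only blocked traffic is counted.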

  5. By Anonymous Coward () on

    I'd like to gather per-IP statistics on a bridge interface and graph them via mrtg or something similar... any ideas?
    Most every utility I've found (snmpd, pf) gathers statistics based only on interface and not by IP address. I currently have pf logging all packets and a cronjob parsing/rotating the log file every 5 mins to achieve this... but it's quite nasty.

    Comments
    1. By Anonymous Coward () on

      traflog in the ports.

      Trouble is, it is a screen based output, not a logfile based output. Great little program, you can set the refresh time to 600 seconds for a list of the top hosts in 10 minutes.

      Comments
      1. By Anonymous Coward () on

        Yeah, same with trafshow and ntop in the ports...
        Doesn't fit my application.

  6. By Anonymous Coward () on

    Does this work for anyone? I must be doing something wrong. Here is a snippet of pfstat:
    reading data file /var/log/pfstat:
    1027473061 1027472110 0 0 0 0 0 0 0 0 0 0 0 0 0 10355 49 49 12 0 0 0 0 0
    1027473121 1027472110 0 0 0 0 0 0 0 0 0 0 0 0 0 11227 49 49 12 0 0 0 0 0
    1027473181 1027472110 0 0 0 0 0 0 0 0 0 0 0 0 0 11384 49 49 12 0 0 0 0 0
    1027473241 1027472110 0 0 0 0 0 0 0 0 0 0 0 0 4 12039 55 51 12 0 0 0 0 0
    1027473301 1027472110 0 0 0 0 0 0 0 0 0 0 0 0 1 12606 56 55 12 0 0 0 0 0
    1027473362 1027472110 0 0 0 0 0 0 0 0 0 0 0 0 2 13277 58 56 12 0 0 0 0 0

    When I run it I get the following:

    generating image file /home/ftp/pub/1hours.jpg
    m[0] == 0.000000
    m[1] == 0.000000
    generating image file /home/ftp/pub/12hours.jpg
    m[0] == 0.000000
    m[1] == 0.000000
    generating image file /home/ftp/pub/day.jpg
    m[0] == 0.000000
    m[1] == 0.000000
    generating image file /home/ftp/pub/month.jpg
    m[0] == 0.000000
    m[1] == 0.000000
    generating image file /home/ftp/pub/week.jpg
    m[0] == 0.000000
    m[1] == 0.000000
    generating image file /home/ftp/pub/year.jpg
    m[0] == 0.000000
    m[1] == 0.000000

    Does m == 0.0000 mean no data?

    Comments
    1. By Anonymous Coward () on

      The only thing I can get it to graph is states (no incoming/outgoing, blocks, passes, etc). I run current and I have noticed that the pfctl -s outputs don't show this info. I thought, but cannot remember for sure, that pfctl used to output this info. That might be the problem.

      Comments
      1. By Anonymous Coward () on

        I figured out my problem and it may be yours too. If you are running current, then you need to put set loginterface xl0 (or whatever your interface is). This will allow the appropriate stats to be logged. I guess I should have read the source changes.

        Comments
        1. By Daniel Hartmeier () daniel@benzedrine.cx on http://www.benzedrine.cx/pf.html

          Yes, you have to specify what interface to gather the statistics for. With 3.1-stable and prior, it's pfctl -l , and with -current it's 'set loginterface ' in pf.conf. That's probably worth mentioning in the man page :)

  7. By Peter Boosten () pboosten@hotmail.com on mailto:pboosten@hotmail.com

    How does one compile this thing?

    I've downloaded gd-1.8.4, freetype-1.3.1, installed jpeg-6b and png-1.2.1 packages, yet still my compile fails.

    Am I forgetting something?

    Comments
    1. By Daniel Hartmeier () daniel@benzedrine.cx on http://www.benzedrine.cx/pf.html

      You have to install graphics/gd from ports (which will install the dependencies as well).

      What's the compile error?

      Comments
      1. By Peter Boosten () pboosten@hotmail.com on mailto:pboosten@hotmail.com

        It wasn't actually a compile error, but link errors:

        (from memory):

        Cannot reference _gdDrawLine

        (don't know if this is the exact function, but I got several of them, around 20-30).

        I'll try to install gd from ports tonight.

        Thnx.

      2. By Bob Dawg () bobdawg@dog.com on mailto:bobdawg@dog.com

        Hello Daniel

        Are you going to make an OpenBSD port/package for this? While reading the man page I saw at the bottom where it was/will be included in OpenBSD 3.?. I don't see any way this will get integrated into the base O/S install due to its dependency on GD.

        Comments
        1. By Jeffrey () on

          He actually posted a port (net/pfstat) to ports@ ... I tried it, and it seems to work fine. In fact, I should send a reply about the success.

  8. By Mastermind () stefan.kaltenbrunner@fh-sbg.ac.at on mailto:stefan.kaltenbrunner@fh-sbg.ac.at

    pfstat looks really nice and is quite fast, but what's really missing is some sort of graphing depending on labels.
    Support for pf labels would allow graphs for all kinds of different services or IP ranges and so on.

  9. By Another alternative () on

    http://rousse.pm.org/sasacct

    (not tested by me, btw)

    Comments
    1. By Anonymous Coward () on

      I wouldn't suggest it.
      When you look at the code, it gathers statistics by disabling and enabling the firewall.
      I don't think this is a good idea.
      I dropped it for that.

      Comments
      1. By Anonymous Coward () on

        Maybe to zero the counters. I have such a script which does pfctl -s rules -v and didn't find another way to do it.
        And BTW this is not the option to count the traffic. It gives strange results with multi-aliased interfaces.

        Comments
        1. By Anonymous Coward () on

          Try: pfctl -z -F info -F rules -R -f /etc/pf.conf (in 3.2)
