OpenBSD Journal

Pftop 0.5 released

Contributed by mbalmer on from the know-your-pf-rules dept.

Can E. Acar writes:

Finally I had enough time to work on pftop to make a new release. It is available from the pftop homepage and already committed to the ports tree.

I had intended this one to be a bugfix release. In fact, I had such a release candidate running for a long time, waiting for me to pack it up and release it. The only 'feature' was to be the HFSC display on the queue page, contributed long time ago by Jared Spiegel.

However, I am using rulesets a lot in my pf configurations and the lack of ruleset display in pftop have always bothered me. At the last minute, I have decided to give it a try. In order to keep it simple, I have decided to recursively process the rulesets and ignore the anchor statements. Well, it worked better than I expected, I had to add an 'anchor' column next to rule number. While there, I made the anchor and label columns dynamically resize themselves. Wow.

Ok, time to release. After uploading the release tarball and updating the homepage, I have also updated the port and sent a diff to ports@ for review. It was a bit surprising to notice that it was almost 5:00 AM. When I woke up, I already had a couple of ok's for the port. So the port is committed and all is ready to go.

Have fun.

(Comments are closed)


Comments
  1. By Anonymous Coward (81.57.42.108) on

    Very nice and usefull !

    By the way, why wasn't this tool accepted (whas it even proposed) for inclusion on the OpenBSD tree ? Are there hidden caveats ?

    Comments
    1. By Simon K. (84.57.68.59) on

      This would be very nice indeed! pftop is really cool :)

    2. By Anonymous Coward (65.198.20.164) on

      Yes, pftop is very usefull! So far, I have found it the best program out there for seeing in realtime what's going on behind the scenes in PF.

      I don't see why this isn't in OpenBSD base. It's a great program. Are there techical issues or any other reason as to why it's not in base?

      Comments
      1. By em (195.212.29.187) on

        I don't share your opinion. Yes it is definitely great application. Even though there is no reason to implement it into next version of OpenBSD 3.9. I think that in secured OS by default should be only absolutely necessary applications and PFTOP is not like this. Anyway if you need it you can install it any time, it's easy. If you implement pftop you can have some new potentional security bugs and this is not goal of OpenBSD isn't it? :)

        Comments
        1. By Brad (216.138.195.228) brad at comstyle dot com on

          The license of Sendmail X is unacceptable so it definitely will not be going in.

          Comments
          1. By Anonymous Coward (142.166.105.158) on

            For #%?#8's sake. It seems the providers of every single external component are going license-mad, one by one. Dealing with this *must* really be starting to bug you guys at this point...

      2. By Can E. Acar (81.215.23.66) on

        You need to have really good reasons to add programs to base, and 'why not' is not one of them :)

        Whether pftop is in base or not is really not that important. It is a small package that you can add to your sistem in no time. Since pfctl provides all the status information that pftop shows, it can not be considered essential.

        Technically, since pftop queries the kernel every couple of seconds, you might see some extra load or performance problems on busy firewalls (ie. lots and lots of states) when running pftop.

        From the security point of view, since no set[ug]id bit is involved and all the input comes from the pf structures in kernel, it would be very very hard to use pftop for breaking into a system. On the other hand, leaving pftop running on a root console/terminal is probably a mistake :)

        I try my best to code cleanly and carefully, but I am sure it still has some bugs and problems. The code is out there, so please check it out and let me know if you find any.

  2. By Anonymous Coward (158.38.68.154) on

    Add this one to OpenBSD 3.9! :-)

  3. By ExY (85.100.18.3) on

    Thanks for your great efforts.
    Very useful for us to view realtime statistics of pf.
    Great job.

  4. By Matty (24.98.83.96) on http://daemons.net/~matty

    I would love to see pftop added to the base OpenBSD system. This is one of my favorite pieces of software, and I am sure most PF admins would love to have this installed by default.

    Thanks,
    - Ryan

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]