Lavigne bsdmag may13
0 likesā¢548 views
This article explores utilities that can help analyze and visualize information from a PF firewall, including pftop, pflogx, and pfstat. Pftop provides a real-time display of the PF state table and rule statistics. Pflogx converts PF log files to XML format, which can then be transformed to HTML or CSV. Pfstat automatically generates graphs from PF statistics over time. These third-party utilities provide additional views of PF firewall data beyond the standard PF tools.
Lavigne bsdmag may13
- 1. 05/201320 How To Useful Utilities for PF This article explores some of the third-party utilities which are available to help you analyze the log and state table of a PF firewall. What you will learnā¦ ā¢ How to view the PF state table in real time ā¢ How to convert the PF log to HTML format or graph format What you should knowā¦ ā¢ How to restart PF ā¢ How to install third-party software on your BSD system T he PF firewall is developed by the OpenBSD Proj- ect. PF has also been ported to FreeBSD, NetBSD, and DragonFly BSD. You can learn more about PF and its features in the PF Userās Guide at http://www. openbsd.org/faq/pf/. PF is a stateful firewall, meaning that it tracks the state of existing connections in a state table, allowing the fire- wall to quickly determine if packets are part of an es- tablished connection. PF also provides a logging facility and the firewall administrator controls which packets get logged by including the log keyword in only the firewall rules which should be logged when matched. PF provides the pfctl utility for displaying the state ta- ble and the built-in tcpdump utility can be used to view the PF log. In addition to these tools, some third-party pack- ages can be installed on BSD systems. These can be used to manipulate information from the state table and the PF logging facility in order to get a different view on what is happening with the firewall. This article provides an overview of the following utilities: pftop, pflogx, and pfstat. These utilities were tested on a PC-BSD system and the utilities were installed using FreeBSD packages. This article assumes that you already know how to restart PF and how to install software on your BSD system using packages, ports, or pkgsrc. pftop ā¢ Website: http://www.eee.metu.edu.tr/~canacar/pftop/ ā¢ Availability: pkgsrc, FreeBSD and OpenBSD packages ā¢ Description: provides real time display of PF state ta- ble and rule statistics This utility is similar to top as it provides a real time, co- lumnar display. However, instead of displaying the top processes running on the system, it displays real time information about the current connections in the PF state table. Listing 1. pfctl View of State Table pfctl -s states all tcp 192.168.1.71:19348 ā 204.152.184.134:21 ESTABLISHED:ESTABLISHED all tcp 192.168.1.71:34852 ā 204.152.184.134:42342 ESTABLISHED:ESTABLISHED all udp 192.168.1.71:5353 ā 224.0.0.251:5353 SINGLE:NOTRAFFIC (snip rest of output...)
- 2. 05/201322 How To Figure 1. Default pftop Display Figure 2. Viewing Loaded Rules Using pfctl
- 3. www.bsdmag.org 23 Useful Utilities for PF Typically, the state table is read using pfctl as seen in the following example. This output is from a PC-BSD sys- tem that is downloading a PBI using AppCafe. Figure 1 shows the same state table. This time, the dis- play is generated by typing pftop. In order, the columns in this default view list the proto- col (TCP or UDP), the direction (into the system or out of the system), the source address and socket, the destina- tion address and port, the state of the connection, the age of the connection, how long until that connection expires from the state table, the number of packets in that connec- tion, and the number of bytes transferred. pftop also provides a view for displaying which rules are currently loaded. First, Figure 2 shows which firewall rules have been loaded using the built-in pfctl. Next, Figure 3 shows the same rules, this time viewed using pftop. This display adds information such as the number of packets, bytes, and established connections (states) associated with each rule. pftop also provides an interactive mode where key- strokes can be used to modify the view, sort the column order, change the number of lines to display, and to pause or restart the display. Display filters can also be created using tcpdump syntax. Refer to pftop(8) for details. pflogx ā¢ Website: http://akldev.free.fr/pflogx/ ā¢ Availability: FreeBSD and OpenBSD packages ā¢ Description: generates an XML file from a PF log which can then be optionally transformed into HTML or csv format PF writes its logs in a binary format, meaning that they cannot be read using head, tail, more, less, or an editor. While the logs can be read in real time using the com- mand tcpdump -n -e -ttt -i pflog0, it is sometimes con- venient to convert the logging information to another for- mat in order to study it and analyze trends. pflogx ren- ders the PF log in XML format and includes the ability to transform the XML into HTML or csv format. Optionally, the generated XML file can be passed to other third-par- ty tools for conversion to other formats. In order to use pflogx, the PF logging module must be loaded and at least one rule in the PF rulebase must in- clude the log keyword. You can double-check that log en- tries exist by typing pflogx -i /var/log/pflog. As seen in this example, this command displays the log entries to the screen: Listing 2. Figure 3. Viewing Loaded Rules Using pftop
- 4. 05/201324 How To To instead save the log to an XML file, after the input (-i /var/log/pflog), specify the name of the output file (-o filename.xml). Optional filters can be placed between the input and out- put. They can be defined by action (-a pass or -a drop), di- rection (-d in, -d out, or -d in-out), protocol (-p icmp, -p ip, -p tcp, or -p udp), and interface (-n interface_name). If a filter is not included, all packets in the input log file will be generated to the output XML file. Several filter ex- amples can be found in the README file that is installed with pflogx. The package installs several XSLT files which are used to transform the XML file to HTML, XHTML, or csv format. To transform a generated XML file, copy it to the directory Listing 2. Sample XML File pflogx -i /var/log/pflog <?xml version=ā1.0ā encoding=āUTF-8ā?> <pflogx version=ā0.86ā > <logs> <log date=ā2013-04-23 12:43:48.261661ā if=āem0ā action=ādropā rule=ā2ā direction=āinā protocol=āudpā src_ adr=ā205.233.73.201ā src_port=ā123ā dest_adr=ā192.168.1.71ā dest_port=ā123ā /> <log date=ā2013-04-23 12:44:24.41857ā if=āem0ā action=ādropā rule=ā2ā direction=āinā protocol=ā(2)ā src_ adr=ā192.168.1.254ā src_port=āā dest_adr=ā224.0.0.1ā dest_port=āā /> <log date=ā2013-04-23 12:46:29.44070ā if=āem0ā action=ādropā rule=ā2ā direction=āinā protocol=ā(2)ā src_ adr=ā192.168.1.254ā src_port=āā dest_adr=ā224.0.0.1ā dest_port=āā /> <log date=ā2013-04-23 12:47:50.298105ā if=āem0ā action=ādropā rule=ā2ā direction=āinā protocol=āudpā src_ adr=ā192.168.1.71ā src_port=ā138ā dest_adr=ā192.168.1.255ā dest_port=ā138ā /> <log date=ā2013-04-23 12:47:50.298145ā if=āem0ā action=ādropā rule=ā2ā direction=āinā protocol=āudpā src_ adr=ā192.168.1.71ā src_port=ā138ā dest_adr=ā192.168.1.255ā dest_port=ā138ā /> (rest of output snipped....) Figure 4. Sample PF log in HTML Format
- 5. 05/201326 How To containing these files. On a FreeBSD or PC-BSD system, these files are located in /usr/local/share/examples/ pflogx/. In the generated XML file, the first line should be: <?xml version=ā1.0ā encoding=āUTF-8ā?> Insert a second line that contains the name of the XSLT file. For example, to transform to HTML, add this line: <?xml-stylesheet type=ātext/xslā href=āexport_html.xslā?> Save the edit and you should now be able to view the XML file in a web browser, as seen in the example in Figure 4. pflogx provides a merge option (-m) which can be used to append new log entries to an existing XML file, allowing you to visualize the transformed log over time. pfstat ā¢ Website: http://www.benzedrine.cx/pfstat.html ā¢ Availability: pkgsrc, FreeBSD and OpenBSD packages ā¢ Description: automatically generates graphs from PF statistics If you prefer to visualize the PF logs in a graph format, install pfstat. Once installed, create its log directory and log file if they do not exist: # mkdir /var/log/pflog # touch /var/log/pflog/pflog Next, create a configuration file named /usr/local/etc/ pfstat.conf. This file controls which graphs get creat- ed. A comprehensive file with comments on the various graphs it creates can be downloaded from http://www. benzedrine.cx/pfstat.conf. The following example shows a simpler configuration file which creates two graphs: one displays bandwidth in bits per second and the oth- er charts the state table. Edit the text in red to point to an existing directory path. The filename (e.g. bandwidth. jpg) should not already exist in the specified directory as pfstat will generate it for you. Next, type crontab -e as the superuser to edit the root userās crontab. Add the following line: */5 * * * * /usr/local/bin/pfstat -q >> /var/log/pfstat Listing 3. Sample pfstat Configuration # more /usr/local/etc/pfstat.conf collect 1 = interface āem0ā pass bytes in ipv4 diff collect 2 = interface āem0ā pass bytes out ipv4 diff image ā/usr/home/dru/bandwidth.jpgā { from 7 days to now width 1000 height 400 left graph 1 bps āinā ābits/sā color 0 192 0 filled right graph 2 bps āoutā ābits/sā color 0 0 255 } collect 3 = global states entries image ā/usr/home/dru/states.jpgā { from 12 months to now width 800 height 200 left graph 3 āstatesā āentriesā color 200 0 0 } Figure 5. Sample Graph
- 6. www.bsdmag.org This instructs pfstat to query the logging interface ev- ery five minutes and to store the received logging infor- mation in its own database, which it uses to generate graphs. Finally, add this line to the beginning of /etc/pf.conf in order to set the logging interface. Replace em0 with the name of the interface you wish to collect statistics on. Re- start the PF firewall after saving this edit. set loginterface em0 Wait a bit (at least five minutes) to allow pfstat to add logging information to its database. The amount of infor- mation added to the database will depend upon how of- ten a logged rule matches the criteria you have config- ured pfstat to graph. Whenever you want to generate a graph, type pfstat -p. This instructs pfstat to read the entries in its data- base and to generate the images to the locations that you specified in /usr/local/etc/pfstat.conf. Figure 5 shows a sample /usr/home/dru/bandwidth.jpg from the configu- ration file above, after running pfstat for one day on a home desktop system. pfstat(8) provides some more information on how to use pfstat, remove old entries from the database, and query a remote host running pfstatd. Summary pftop, pflogx, and pfstat can be used to help the admin- istrator visualize the traffic flowing through a PF firewall. These utilities are easy to install and configure. If you are using the PF firewall, consider adding them to your admin- istrative toolkit. Dru Lavigne Dru Lavigne is author of BSD Hacks, The Best of FreeBSD Basics, and The Definitive Guide to PC-BSD. As Director of Communi- ty Development for the PC-BSD Project, she leads the documen- tation team, assists new users, helps to find and fix bugs, and reaches out to the community to discover their needs. She is the former Managing Editor of the Open Source Business Resource, a free monthly publication covering open source and the com- mercialization of open source assets. She is founder and cur- rent Chair of the BSD Certification Group Inc., a non-profit orga- nization with a mission to create the standard for certifying BSD system administrators, and serves on the Board of the FreeBSD Foundation.