Re: pfctl - show port numbers

2012-06-02 Thread Mike.
 From: Henning Brauer (lists-openbsdbsws.de)
 Date: Sun Dec 02 2007 - 14:45:37 CST
 
 * MikeM the.listsmgm51.com [2007-12-02 15:35]:
 
  When I run the command
 
  pfctl -sr
 
  a list of the rules is displayed, a sample line is below.
 
  pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to
  (fxp0) port = smtp flags S/FSRA keep state
 
 
  Is there a way for me to tell pfctl that I want to see
 
  port = 25
 
  instead of
 
  port = smtp
 
  ?
 
 short of hacking pfctl source, no.
 
 -- 
 Henning Brauer, hbbsws.de, henningopenbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg 
Amsterdam 



Thank-you!   I see the change was made in 5.1.  Yea.   No more hacking
print_ports()!



Re: pfctl - show port numbers

2007-12-05 Thread MikeM
On 12/4/2007 at 6:53 PM Henning Brauer wrote:


|actually, if I were to implement these parts now I'd make it print port
|numbers only and not names

That's what I plan to do when I change the code.  I don't need the
command line option part because I have never needed the name info for
the ports in the other commands that support the option capability.  So
if I am going to customize the pfctl code, I'll want to keep it as
contained as possible. (though the perl options look intriguing. :)

I use OpenBSD as the firewall/router on the cable modem for my little
home network.  Nothing real serious.  While my suggestion is helpful to
me and my uses, I'm sure the developers have more important features to
implement.  That's why I just presented my reasons and went quiet...



Re: pfctl - show port numbers

2007-12-04 Thread frantisek holop
hmm, on Mon, Dec 03, 2007 at 02:24:05PM -0500, MikeM said that
 toggle between symbols and numbers (e.g., -n for netstat or tcpdump) it
 may be helpful as well.  That's the main reason why I originally thought

+1

one man's worthless feature is other man's best friend.
please put it in...

-f
-- 
every silver lining has a cloud.



Re: pfctl - show port numbers

2007-12-04 Thread Girish Venkatachalam
On 14:45:41 Dec 04, frantisek holop wrote:
 
 +1
 
 one man's worthless feature is other man's best friend.
 please put it in...

No use shouting yourself hoarse over this.

If it is a no, it is a no. I later realized that nobody can satisfy
everyone's needs and it is impossible to ever get total buy in in
anything. We have to respect the developer's decisions.

And I myself am quite convinced that it is not worthwhile to add this.

No offense meant.

-Girish



Re: pfctl - show port numbers

2007-12-04 Thread frantisek holop
hmm, on Tue, Dec 04, 2007 at 09:47:17PM +0530, Girish Venkatachalam said that
 On 14:45:41 Dec 04, frantisek holop wrote:
  
  +1
  
  one man's worthless feature is other man's best friend.
  please put it in...
 
 No use shouting yourself hoarse over this.

shouting?  are you serious?

 If it is a no , it is a no. I later realized that nobody can satisfy
 everyone's needs and it is impossible to ever get total buy in in
 anything. We have to respect the developer's decisions.

Henning has not used the word no, yet.
he might sleep on it and commit it tomorrow.  or never, i don't know.
but if people don't tell him that it can be useful, he'll never know,
because it is useless to him.  and when it comes up 4 years from now
he'll say, oh, it's trivial but no one told me it's useful.  things
like this happen all the time, decisions may change based on new info.

and last but not least, it is in line with the other network tools
(so i hope Henning will have a good night's sleep) and as an added
bonus, patch was attached.


-f
ps. maybe some day some people on this list will stop defending the
devs as if they couldn't speak for themselves (they can) or couldn't
shout at those pesky lusers themselves (oh hell, they can).
-- 
i plan to live forever or die trying.



Re: pfctl - show port numbers

2007-12-04 Thread Henning Brauer
* frantisek holop [EMAIL PROTECTED] [2007-12-04 18:15]:
  If it is a no , it is a no. I later realized that nobody can satisfy
  everyone's needs and it is impossible to ever get total buy in in
  anything. We have to respect the developer's decisions.
 
 Henning has not used the word no, yet.
 he might sleep on it and commit it tomorrow.  or never, i don't know.
 but if people don't tell him that it can be useful, he'll never know,
 because it is useless to him.  and when it comes up 4 years from now
 he'll say, oh, it's trivial but no one told me it's useful.  things
 like this happen all the time, decisions may change based on new info.

while that is entirely true, I really don't see much of a point here.
actually, if I were to implement these parts now I'd make it print port 
numbers only and not names - we don't print hostnames either.
but - it has been that way for more than 6 years. I don't see a good 
reason to change it now. And I certainly don't want to add YAO (Yet 
Another Option) for that.
That said, I am not the only developer in that area, and my word is 
certainly not the end of all wisdom.

 and last but not least, it is in line with the other network tools
 (so i hope Henning will have a good night's sleep) and as an added
 bonus, patch was attached.

the patch was fine, technically, yes.

 ps. maybe some day some people on this list will stop defending the
 devs as if they couldn't speak for themselves (they can) or couldn't
 shout at those pesky lusers themselves (oh hell, they can).

yup. wanna try the shouting part? :)
(nah, no reason to here)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: pfctl - show port numbers

2007-12-04 Thread Bob Beck
 while that is entirely true, I really don't see much of a point here.
 actually, if I were to implement these parts now I'd make it print port 
 numbers only and not names - we don't print hostnames either.
 but - it has been that way for more than 6 years. I don't see a good 
 reason to change it now. And I certainly don't want to add YAO (Yet 
 Another Option) for that.
 That said, I am not the only developer in that area, and my word is 
 certainly not the end of all wisdom.

Personally, I think if I were starting from square one, I'd
do port numbers, not service names, but that's not the way it's
been for many years and even though my preference would be numbers
my loathing for yet another option far outweighs this preference.

So, I'd prefer not to see a knob for this. The change
does not warrant the churn.

-Bob



Re: pfctl - show port numbers

2007-12-04 Thread Girish Venkatachalam
On 18:08:13 Dec 04, frantisek holop wrote:
 
 shouting?  are you serious?
 

I am rarely if ever serious. ;)

-Girish



Re: pfctl - show port numbers

2007-12-04 Thread Girish Venkatachalam
On 11:06:09 Dec 04, Bob Beck wrote:
   Personally, I think if I were starting from square one, I'd
 do port numbers, not service names, but that's not the way it's
 been for many years and even though my preference would be numbers
 my loathing for yet another option far outweighs this preference.

I personally feel service names are better. I can better relate when I
see pptp, http or ftp instead of 1723, 80 or 21. Again this is dependent
on personal preference and is really inconsequential.

I feel it is important that any product/software does not change its
behavior once it gets entrenched in the market.

Moreover it is yet another option as Henning correctly said.

We don't want to be linux? Do we? ;)

   So, I'd prefer not to see a knob for this. The change
 does not warrant the churn.

Quite right.

Have a nice day!

-Girish



Re: pfctl - show port numbers

2007-12-04 Thread Stuart Henderson
*seriously* unsupported:

$ perl -pi -e s,etc/services,etc/sXrvices, < /sbin/pfctl > ~/bin/pfctl-no-service-names

your foot is

:

:

:

V

this way bang



Re: pfctl - show port numbers

2007-12-04 Thread richardtoohey
Quoting Stuart Henderson [EMAIL PROTECTED]:

 *seriously* unsupported:
 
 $ perl -pi -e s,etc/services,etc/sXrvices, < /sbin/pfctl > ~/bin/pfctl-no-service-names
 
 your foot is
 
 :
 
 :
 
 :
 
 V
 
 this way bang
  

A longer winded version (same idea - Perl ... and no prizes for my code)

use warnings;
use strict;

# Get the rules
my $pfctl_rules=`pfctl -s rules`;

# Get the known services
open(SERVICES,"/etc/services") or die "Cannot open /etc/services: $!";
my (@services)=<SERVICES>;
close(SERVICES);

# Pull out the TCP services
my %services;
foreach my $service (@services) {
    # name, whitespace, then port/tcp (ports can have up to five digits)
    if ($service =~ /^(\S+)\s+([0-9]{1,5})\/tcp/) {
        my $service_name=$1;
        my $service_port=$2;
        $services{$service_name}=$service_port;
    }
}

# Now go through the rules - if we find port = ccc then translate, otherwise
# just print the pfctl line as is
foreach my $pfctl_rule (split /\n/,$pfctl_rules) {
    # $2 is a token with at least one non-digit, so purely numeric ports
    # fall through to the else branch and names such as pop3 still match
    if ($pfctl_rule =~ /(.*?)port = (\S*[^\s\d]\S*)([\s].*)/) {
        my $look_up="";
        if (exists $services{$2}) {
            $look_up=$services{$2};
        }
        print "${1}port = $2($look_up)$3\n";
    } else {
        print "$pfctl_rule\n";
    }
}

Sample (manually altered, obviously):

# perl pfrules.pl
block drop log all
pass out quick on XXX1 inet proto tcp from (XXX1) to NNN.NNN.NNN.NNN port =
ssh(22) flags S/SA keep state
pass proto udp from any to any port = domain(53) keep state
pass in log on XXX0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA
keep state
pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = www(80) flags
S/SA keep state
pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = https(443)
flags S/SA keep state
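
An added example (not from the thread or from pfctl itself): a shell filter that replaces the service name after "port =" or "port !=" with its number, looking the name up under the rule's own protocol so that tcp and udp entries in the services file are kept apart. The function name numeric_ports, the demo helper and its small services table are constructed for illustration; it assumes each printed rule names at most one protocol.

```sh
#!/bin/sh
# Added example: turn "port = smtp" into "port = 25" in `pfctl -sr` output.
# Typical use (hypothetical function name): pfctl -sr | numeric_ports /etc/services

numeric_ports() {
    awk -v svc="${1:-/etc/services}" '
    BEGIN {
        # Load "name port/proto aliases..." lines into port[name, proto].
        while ((getline line < svc) > 0) {
            sub(/#.*/, "", line)                  # strip comments
            n = split(line, f, /[ \t]+/)
            if (n < 2 || f[2] !~ /^[0-9]+\/(tcp|udp)$/)
                continue
            split(f[2], pp, "/")                  # pp[1] = port, pp[2] = proto
            for (i = 1; i <= n; i++) {
                if (i == 2 || f[i] == "")
                    continue
                key = f[i] SUBSEP pp[2]
                if (!(key in port))               # first definition wins
                    port[key] = pp[1]
            }
        }
        close(svc)
    }
    {
        # Assumption: the rule carries a single "proto tcp" or "proto udp".
        proto = ""
        for (i = 1; i < NF; i++)
            if ($i == "proto")
                proto = $(i + 1)
        # Source and destination can both carry a named port.
        for (i = 1; i + 2 <= NF; i++) {
            if ($i != "port" || ($(i + 1) != "=" && $(i + 1) != "!="))
                continue
            key = $(i + 2) SUBSEP proto
            if (key in port)
                $(i + 2) = port[key]              # unknown names stay as they are
        }
        print
    }'
}

# Constructed demo: a small services table plus rule lines in the format
# shown in this thread. Prints the rewritten rules.
demo() {
    t=$(mktemp) || return 1
    printf 'smtp\t25/tcp\tmail\ndomain\t53/tcp\ndomain\t53/udp\nwww\t80/tcp\thttp # web\n' > "$t"
    printf '%s\n' \
        'pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to (fxp0) port = smtp flags S/FSRA keep state' \
        'pass proto udp from any to any port = domain keep state' \
        'pass in on fxp0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state' |
        numeric_ports "$t"
    rm -f "$t"
}
```

Unlike patching the binary or moving /etc/services, this leaves pfctl and the system's service lookups untouched.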



Re: pfctl - show port numbers

2007-12-04 Thread Girish Venkatachalam
On 23:44:31 Dec 04, Stuart Henderson wrote:
 *seriously* unsupported:
 
 $ perl -pi -e s,etc/services,etc/sXrvices, < /sbin/pfctl > ~/bin/pfctl-no-service-names
 
 your foot is
 
 :
 
 :
 
 :
 
 V
 
 this way bang

Wow ;)

I never imagined one cud get so devious with programming. Ha ha

Human cleverness can do some really cool things. ;)

-Girish



Re: pfctl - show port numbers

2007-12-04 Thread Girish Venkatachalam
On 13:22:23 Dec 05, [EMAIL PROTECTED] wrote:
 A longer winded version (same idea - Perl ... and no prizes for my code)
 
 use warnings;
 use strict;
 
 # Get the rules
 my $pfctl_rules=`pfctl -s rules`;
 
 # Get the known services
 open(SERVICES,/etc/services);
 my (@services)=SERVICES;
 
 # Pull out the TCP services
 my %services;
 foreach my $service (@services) {
 if ($service =~ /(.*?)[\s]*([0-9]{1,4})\/tcp/) {
 my $service_name=$1;
 my $service_port=$2;
 $services{$service_name}=$service_port;
 }
 }
 
 # Now go through the rules - if we find port = ccc then translate, otherwise
 # just print the pftcl line as is
 foreach my $pfctl_rule (split /\n/,$pfctl_rules) {
 if ($pfctl_rule =~ /(.*?)port = ([\D]*?)([\s].*)/) {
 my $look_up=;
 if (exists $services{$2}) {
 $look_up=$services{$2};
 }
 print $1port = $2($look_up)$3\n;
 } else {
 print $pfctl_rule\n;
 }
 }
 
 Sample (manually altered, obviously):
 
 # perl pfrules.pl
 block drop log all
 pass out quick on XXX1 inet proto tcp from (XXX1) to NNN.NNN.NNN.NNN port =
 ssh(22) flags S/SA keep state
 pass proto udp from any to any port = domain(53) keep state
 pass in log on XXX0 inet proto tcp from any to 127.0.0.1 port = 8021 flags 
 S/SA
 keep state
 pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = www(80) 
 flags
 S/SA keep state
 pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = https(443)
 flags S/SA keep state

If I had done this in my patch, probably it would have got accepted. ;)

Even now it could be done of course.

Just that I thought the options way.

If there is enough coffee for me in the list, I would do it. ;)

-Girish



Re: pfctl - show port numbers

2007-12-04 Thread Girish Venkatachalam
On 06:12:09 Dec 05, Girish Venkatachalam wrote:
 
 If there is enough coffee for me in the list, I would do it. ;)
 

This diff should satisfy everyone.

-Girish
Index: pfctl_parser.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.235
diff -u -r1.235 pfctl_parser.c
--- pfctl_parser.c  2007/10/15 02:16:35 1.235
+++ pfctl_parser.c  2007/12/05 01:27:21
@@ -295,6 +295,7 @@

 void
 print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto)
 {
-   char a1[6], a2[6];
+   char a1[6], a2[6], srvport1[1024], srvport2[1024];
struct servent  *s;
-
s = getservbyport(p1, proto);
p1 = ntohs(p1);
-   p2 = ntohs(p2);
snprintf(a1, sizeof(a1), %u, p1);
+
+   if (s != NULL)
+   snprintf(srvport1,sizeof(srvport1), %s(%s), s-s_name, a1);
+   else
+   strlcpy(srvport1, a1, sizeof(srvport1));
+   
+   p2 = ntohs(p2);
snprintf(a2, sizeof(a2), %u, p2);
+   s = getservbyport(p2, proto);
+   if (s != NULL)
+   snprintf(srvport2,sizeof(srvport2), %s(%s), s-s_name, a1);
+   else
+   strlcpy(srvport2, a2, sizeof(srvport2));
+   
printf( port);
-   if (s != NULL  (op == PF_OP_EQ || op == PF_OP_NE))
-   print_op(op, s-s_name, a2);
-   else
-   print_op(op, a1, a2);
+   print_op(op, srvport1, srvport2);
 }
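
Review bot: The second lookup in print_port() formats the wrong number and runs on the wrong byte order. In the added srvport2 branch the snprintf() passes a1, so the second service name would be printed with the first port's number; it should pass a2. The added getservbyport(p2, proto) call also comes after p2 = ntohs(p2), whereas the existing p1 lookup runs before p1 = ntohs(p1); getservbyport() takes the port in network byte order, so the p2 lookup needs to move above the ntohs() line. The removed code used the service name only for PF_OP_EQ and PF_OP_NE, while the new code decorates every operator, so the mail should say whether that is intended. The 1024-byte srvport buffers are much larger than a service name plus a five-digit port needs.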



Re: pfctl - show port numbers

2007-12-03 Thread MikeM
On 12/3/2007 at 7:32 AM Girish Venkatachalam wrote:

|On 21:45:37 Dec 02, Henning Brauer wrote:
| * MikeM [EMAIL PROTECTED] [2007-12-02 15:35]:
|  When I run the command
|  
|   pfctl -sr
|  
|  a list of the rules is displayed, a sample line is below.
|  
|pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to
|  (fxp0) port = smtp flags S/FSRA keep state
|  
|  
|  Is there a way for me to tell pfctl that I want to see
|  
|port = 25
|  
|  instead of
|  
|port = smtp
|  
|  ?
| 
| short of hacking pfctl source, no.
| 
|
|As per your request I have added the -P switch to pfctl to display
|numeric port numbers instead of service names for those who desire the
|same.
|
|Please find attached the diff.
|
|I have modified the man page as well.
|
|Now, if you desire numeric ports display you have to use the -P option
|in addition to other options. Everything else works as before.
 =


Wow, thank-you!  :)



Re: pfctl - show port numbers

2007-12-03 Thread Henning Brauer
* MikeM [EMAIL PROTECTED] [2007-12-03 14:53]:
 On 12/3/2007 at 7:32 AM Girish Venkatachalam wrote:
 |  Is there a way for me to tell pfctl that I want to see
 |  
 |port = 25
 |  
 |  instead of
 |  
 |port = smtp
 |  
 |  ?
 | 
 | short of hacking pfctl source, no.
 | 
 |
 |As per your request I have added the -P switch to pfctl to display
 |numeric port numbers instead of service names for those who desire the
 |same.
 |
 |Please find attached the diff.
 |
 |I have modified the man page as well.
 |
 |Now, if you desire numeric ports display you have to use the -P option
 |in addition to other options. Everything else works as before.
  =
 Wow, thank-you!  :)

I don't think this is a worthwhile addition tho.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: pfctl - show port numbers

2007-12-03 Thread MikeM
On 12/3/2007 at 7:06 PM Henning Brauer wrote:

|* MikeM [EMAIL PROTECTED] [2007-12-03 14:53]:
| On 12/3/2007 at 7:32 AM Girish Venkatachalam wrote:
| |  Is there a way for me to tell pfctl that I want to see
| |  
| |port = 25
| |  
| |  instead of
| |  
| |port = smtp
| |  
| |  ?
| | 
| | short of hacking pfctl source, no.
| | 
| |
| |As per your request I have added the -P switch to pfctl to
display
| |numeric port numbers instead of service names for those who desire
the
| |same.
| |
| |Please find attached the diff.
| |
| |I have modified the man page as well.
| |
| |Now, if you desire numeric ports display you have to use the -P
option
| |in addition to other options. Everything else works as before.
|  =
| Wow, thank-you!  :)
|
|I don't think this is a worthwhile addition tho.
 =


It's obviously not my choice, I'm just much more comfortable with using
port numbers instead of protocol names.   netbios-dgm means little to
me but 138 does, and correlates with what I see displayed should I
follow the instructions in the pf manual
(http://www.openbsd.org/faq/pf/logging.html#logfile):

   To view the log file: 
   # tcpdump -n -e -ttt -r /var/log/pflog



Though for consistency with other commands that have an option to
toggle between symbols and numbers (e.g., -n for netstat or tcpdump) it
may be helpful as well.  That's the main reason why I originally thought
I was overlooking a simple option flag, I couldn't believe this ability
wasn't already present.  ;)

But as I mentioned, it's not my decision.  I'll just hack the source
code to get what I need.



Re: pfctl - show port numbers

2007-12-03 Thread Walter Goulet
Although that solution will make upgrading more difficult without the
change being made in-tree (you'll have to rebuild pfctl after each
upgrade).

On Dec 3, 2007 1:24 PM, MikeM [EMAIL PROTECTED] wrote:
 On 12/3/2007 at 7:06 PM Henning Brauer wrote:

 |* MikeM [EMAIL PROTECTED] [2007-12-03 14:53]:
 | On 12/3/2007 at 7:32 AM Girish Venkatachalam wrote:
 | |  Is there a way for me to tell pfctl that I want to see
 | | 
 | |port = 25
 | | 
 | |  instead of
 | | 
 | |port = smtp
 | | 
 | |  ?
 | |
 | | short of hacking pfctl source, no.
 | |
 | |
 | |As per your request I have added the -P switch to pfctl to
 display
 | |numeric port numbers instead of service names for those who desire
 the
 | |same.
 | |
 | |Please find attached the diff.
 | |
 | |I have modified the man page as well.
 | |
 | |Now, if you desire numeric ports display you have to use the -P
 option
 | |in addition to other options. Everything else works as before.
 |  =
 | Wow, thank-you!  :)
 |
 |I don't think this is a worthwhile addition tho.
  =


 It's obviously not my choice, I'm just much more comfortable with using
 port numbers instead of protocol names.   netbios-dgm means little to
 me but 138 does, and correlates with what I see displayed should I
 follow the instructions in the pf manual
 (http://www.openbsd.org/faq/pf/logging.html#logfile):

To view the log file:
# tcpdump -n -e -ttt -r /var/log/pflog



 Though for consistency with other commands that have an option to
 toggle between symbols and numbers (e.g., -n for netstat or tcpdump) it
 may be helpful as well.  That's the main reason why I originally thought
 I was overlooking a simple option flag, I couldn't believe this ability
 wasn't already present.  ;)

 But as I mentioned, it's not my decision.  I'll just hack the source
 code to get what I need.



pfctl - show port numbers

2007-12-02 Thread MikeM
When I run the command

 pfctl -sr

a list of the rules is displayed, a sample line is below.

  pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to
(fxp0) port = smtp flags S/FSRA keep state


Is there a way for me to tell pfctl that I want to see

  port = 25

instead of

  port = smtp

?


I've looked through the man page, and I didn't see anything.  I fear it
may be so obvious I overlooked it.

Thanks.



Re: pfctl - show port numbers

2007-12-02 Thread Henning Brauer
* MikeM [EMAIL PROTECTED] [2007-12-02 15:35]:
 When I run the command
 
  pfctl -sr
 
 a list of the rules is displayed, a sample line is below.
 
   pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to
 (fxp0) port = smtp flags S/FSRA keep state
 
 
 Is there a way for me to tell pfctl that I want to see
 
   port = 25
 
 instead of
 
   port = smtp
 
 ?

short of hacking pfctl source, no.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: pfctl - show port numbers

2007-12-02 Thread Jussi Peltola
On Sun, Dec 02, 2007 at 09:45:37PM +0100, Henning Brauer wrote:
 * MikeM [EMAIL PROTECTED] [2007-12-02 15:35]:
 short of hacking pfctl source, no.

Moving /etc/services elsewhere worked for me. Unforeseen consequences
are the reader's responsibility...

-- 
Jussi Peltola



Re: pfctl - show port numbers

2007-12-02 Thread Girish Venkatachalam
On 21:45:37 Dec 02, Henning Brauer wrote:
 * MikeM [EMAIL PROTECTED] [2007-12-02 15:35]:
  When I run the command
  
   pfctl -sr
  
  a list of the rules is displayed, a sample line is below.
  
pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to
  (fxp0) port = smtp flags S/FSRA keep state
  
  
  Is there a way for me to tell pfctl that I want to see
  
port = 25
  
  instead of
  
port = smtp
  
  ?
 
 short of hacking pfctl source, no.
 

As per your request I have added the -P switch to pfctl to display
numeric port numbers instead of service names for those who desire the
same.

Please find attached the diff.

I have modified the man page as well.

Now, if you desire numeric ports display you have to use the -P option
in addition to other options. Everything else works as before.

-Girish
? y.output
? y.tab.c
Index: pfctl.8
===
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.133
diff -u -r1.133 pfctl.8
--- pfctl.8 2007/07/01 11:38:51 1.133
+++ pfctl.8 2007/12/03 01:59:39
@@ -24,7 +24,7 @@
 .\ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: July 1 2007 $
 .Dt PFCTL 8
 .Os
 .Sh NAME
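
Review bot: The .Dd $Mdocdate$ change in this first pfctl.8 hunk is unrelated to the -P option and should be dropped from the diff. The new date, July 1 2007, matches the 2007/07/01 revision date in the file header above, which suggests keyword expansion in the working copy rather than an intended edit.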
@@ -33,7 +33,7 @@
 .Sh SYNOPSIS
 .Nm pfctl
 .Bk -words
-.Op Fl AdeghmNnOqRrvz
+.Op Fl AdeghmNnOPqRrvz
 .Op Fl a Ar anchor
 .Oo Fl D Ar macro Ns =
 .Ar value Oc
@@ -315,6 +315,8 @@
 .Ar device
 instead of the default
 .Pa /dev/pf .
+.It Fl P 
+Print numeric ports instead of standard service names
 .It Fl q
 Only print errors and warnings.
 .It Fl R
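
Review bot: The added .It Fl P line has trailing whitespace after the P, and the description under it lacks the closing period that the neighbouring -q entry ("Only print errors and warnings.") has. The text would also be clearer if it said which output is affected, that is, the ports shown when rules are printed.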
Index: pfctl.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.272
diff -u -r1.272 pfctl.c
--- pfctl.c 2007/11/27 16:22:13 1.272
+++ pfctl.c 2007/12/03 01:59:42
@@ -226,7 +226,7 @@
 {
extern char *__progname;
 
-   fprintf(stderr, usage: %s [-AdeghmNnOqRrvz] , __progname);
+   fprintf(stderr, usage: %s [-AdeghmNnOPqRrvz] , __progname);
fprintf(stderr, [-a anchor] [-D macro=value] [-F modifier]\n);
fprintf(stderr, \t[-f file] [-i interface] [-K host | network] );
fprintf(stderr, [-k host | network]\n);
@@ -821,7 +821,8 @@
case PFCTL_SHOW_RULES:
if (pr.rule.label[0]  (opts  PF_OPT_SHOWALL))
labels = 1;
-   print_rule(pr.rule, pr.anchor_call, rule_numbers);
+   print_rule(pr.rule, pr.anchor_call,
+rule_numbers, opts  PF_OPT_NUMERICPORTS);
printf(\n);
pfctl_print_rule_counters(pr.rule, opts);
break;
@@ -881,7 +882,8 @@
} else
p = pr.anchor_call[0];

-   print_rule(pr.rule, p, rule_numbers);
+   print_rule(pr.rule, p, rule_numbers, 
+   opts  PF_OPT_NUMERICPORTS );
if (brace)
printf( {\n);
else
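
Review bot: Style in the added lines of this print_rule() call: there is trailing whitespace after "rule_numbers," and a space before the closing parenthesis in "PF_OPT_NUMERICPORTS );", which the first call site in this diff does not have. More generally, every print_rule() caller now has to pass the option through a new fourth argument; the matching prototype change is not in the part of the patch shown here, so check that the declaration and any remaining callers are updated in the same diff.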
@@ -938,7 +940,8 @@
dotitle = 0;
}
print_rule(pr.rule, pr.anchor_call,
-   opts  PF_OPT_VERBOSE2);
+   opts  PF_OPT_VERBOSE2, 
+   opts  PF_OPT_NUMERICPORTS);
printf(\n);
pfctl_print_rule_counters(pr.rule, opts);
pfctl_clear_pool(pr.rule.rpool);
@@ -1305,7 +1308,8 @@
if (pf-opts  PF_OPT_VERBOSE) {
INDENT(depth, !(pf-opts  PF_OPT_VERBOSE2));
print_rule(r, r-anchor ? r-anchor-name : ,
-   pf-opts  PF_OPT_VERBOSE2);
+   pf-opts  PF_OPT_VERBOSE2, 
+   pf-opts  PF_OPT_NUMERICPORTS);
}
path[len] = '\0';
pfctl_clear_pool(r-rpool);
@@ -1952,7 +1956,7 @@
usage();
 
while ((ch = getopt(argc, argv,
-   a:AdD:eqf:F:ghi:k:K:mnNOo:p:rRs:t:T:vx:z)) != -1) {
+   a:AdD:eqf:F:ghi:k:K:mnNOo:p:PrRs:t:T:vx:z)) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@@ -2041,6 +2045,10 @@
case 'p':
pf_device = optarg;
break;
+   case 'P':
+   opts |= PF_OPT_NUMERICPORTS;
+   break;
+
case 's':
showopt = pfctl_lookup_option(optarg, showopt_list);
if (showopt == NULL) {
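
Review bot: The added case 'P' block ends with an extra blank line after break; which the surrounding cases ('p' above, 's' below) do not have, so drop it. PF_OPT_NUMERICPORTS is used here and at the print_rule() call sites, but its definition is not in the part of the patch shown; confirm the chosen bit does not collide with an existing PF_OPT_ value.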
Index: pfctl_parser.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v