Author Topic: Rule numbers (Read 4786 times)

snocrash · « **on:** March 11, 2021, 10:22:29 pm »

Hi All,

I have my Opnsense box feeding into Splunk via syslog, but was annoyed by the lack of rule labels outside of the webgui. The script below will parse the /tmp/rules.debug file and pfctl output to generate a csv with rule number, rule action (pass/block), and the rule description. Mapping this to the syslog filterlog output, you can see statistics by rule instead of just rule number. The output file is located at /tmp/ruleslist.csv

Code: [Select]

#
#
rm /tmp/ruleslist.csv
#
#Create main rule list
#
input1=$(grep 'pass\|block' /tmp/rules.debug)
while IFS= read -r line || [[ -n $line ]]
do
    enabled=1
        if [ "${line:0:1}" = '#' ]
        then
          enabled=0
        fi
    action=$(echo $line | cut -d " " -f1)
        if [ $enabled -eq 0 ]
        then
          action=$(echo $line | cut -d " " -f2)
        fi
    ruleid=$(echo $line | perl -nle'print $& while m{label \K\"\K\w+}g')
    ruledesc=$(echo $line | perl -nle'print $& while m{(?<!^)\#\s(\:\s)?\K.*}g')
    echo "$enabled,$action,$ruleid,$ruledesc" >> /tmp/ruleslist.tmp
done <<< "$input1"

input2=$(pfctl -vvsr | grep @ )
echo "rulenum,ruleaction,ruledesc" >> /tmp/ruleslist.csv
while IFS= read -r line || [[ -n $line ]]
do
    rulenum2=$(echo $line | perl -nle'print $& while m{\@\K\d+}g')
    ruleid2=$(echo $line | perl -nle'print $& while m{label \K\"\K\w+}g')
        if [ "$ruleid2" != "" ]
        then
                ruleenabled2=$(grep -m 1 "$ruleid2" /tmp/ruleslist.tmp | cut -d "," -f1)
                ruleaction2=$(grep -m 1 "$ruleid2" /tmp/ruleslist.tmp | cut -d "," -f2)
                ruledesc2=$(grep -m 1 "$ruleid2" /tmp/ruleslist.tmp | cut -d "," -f4)
                echo $rulenum2","$ruleaction2","$ruledesc2 >> /tmp/ruleslist.csv
        fi
done <<< "$input2"
rm /tmp/ruleslist.tmp

timmyc123 · « **Reply #1 on:** April 04, 2021, 04:41:24 am »

Do you know if the rule numbers are persistent? Mine seem to be changing.

Disappointed to see that tracker ID didn't make it over from pfSense.

franco · « **Reply #2 on:** April 19, 2021, 08:40:15 am »

> Disappointed to see that tracker ID didn't make it over from pfSense.

And I'm disappointed to see that the tracker ID didn't make it over to FreeBSD.

There is a portable solution for this "problem" coming soon. Have a little faith.

Cheers,
Franco

snocrash · « **Reply #3 on:** April 23, 2021, 07:56:16 pm »

I haven't had much time to tinker with it since setting it up, but I have noticed the numbers changing as well. I updated the list and the data was more in line with what I expected, but I'm not sure if that invalidates the earlier logs.

franco · « **Reply #4 on:** April 23, 2021, 07:59:53 pm »

As I said we added label support to the filterlog output which makes these correlations safe even after reload unless a rule was deleted...

https://github.com/opnsense/ports/commit/3f8ca0d08

... it's being targeted for 21.7 release or possibly sooner.

Cheers,
Franco

Author Topic: Rule numbers (Read 4786 times)

snocrash

Rule numbers

timmyc123

Re: Rule numbers

franco

Re: Rule numbers

snocrash

Re: Rule numbers

franco

Re: Rule numbers