Firewall Rules hit counter - $150

Curium · Feb 12, 2013, 5:11 AM

Probably about the only feature that I am missing while converting many ASA firewalls to pfSense. Might seem like a small feature, but is actually very useful. A hit counter on each Firewall - Rule, incremented every time a new connection is established allowed by that that particular rule. Would be nice while viewing the rules in pfSense to see the counter for each rule.

Reasons needed:
1. Makes troubleshooting easier, if the number is not incrementing then your connections are not properly hitting that rule.
2. Easier optimization, allows you to resort your rules based on top usage, so that your most hit rules are on the top, to save on CPU usage and gain performance in pfSense.
3. Allows you to easily and confidently identify dead (no longer used) rules.

cmb · Feb 12, 2013, 5:38 AM

"pfctl -vvsr" at the command line shows just that. I agree it would be a useful addition to the GUI.

Curium · Feb 12, 2013, 6:13 AM

Okay, I have been searching for a command like that. Thank you! Now that I have seen all of the information it has. Now I want hit counter (evaluations), bytes, packets and states in the GUI! :)

jimp · Feb 12, 2013, 2:07 PM

IIRC the counters reset after every filter reload. Which happens often. So they wouldn't be much use long-term…

cmb · Feb 13, 2013, 7:17 AM

Yeah they are indeed reset on filter reload. In some environments they wouldn't last long at all at that, though in others where the config rarely changes and there aren't any IP changes, etc. to reload the filter, they could stay for long periods.

Curium · Feb 14, 2013, 3:50 AM

Probably not a work around for the filter reload reset issue.
But in reality that is not a big deal. I would be able to accomplish everything I need even if reset when changes are rarely made. I just tested on an ASA, the counter is reset on an ACL when it is modified, but not all. Again, not a big deal, still would love to have this.

cmb, is there a recommend page that has all awesome CLI commands? As you have just given me one. Like top 20 most awesome commands you should know. Thanks

Clear-Pixel · Feb 14, 2013, 10:33 AM

@jimp:

IIRC the counters reset after every filter reload. Which happens often. So they wouldn't be much use long-term…

Store value in a variable … if else statement rule only on reload?

cmb · Feb 14, 2013, 11:16 AM

@Curium:

cmb, is there a recommend page that has all awesome CLI commands?

pfctl man page is where I'd look. Not sure what you'd consider "awesome", our status.php page (no menu link) has probably all the most useful ones.

Clear-Pixel · Feb 14, 2013, 11:43 AM

FreeBSD 8.3 Man Page
pfctl – control the packet filter (PF) and network address translation (NAT) device
http://www.freebsd.org/cgi/man.cgi?query=pfctl&apropos=0&sektion=8&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html

stephenw10 · Feb 14, 2013, 8:32 PM

@cmb:

our status.php page (no menu link) has probably all the most useful ones.

How has this mine of info bypassed my radar until now? ::)
Awesome!

Steve

johnpoz · Feb 14, 2013, 8:57 PM

status.php

Is there no link to this on the gui? I just looked and couldn't find it - but yeah looks pretty sweet when you go directly to that.

jimp · Feb 14, 2013, 9:00 PM

There is no link and that's done on purpose. It's rarely needed except for diagnostics and reporting to support. It's best left "hidden" so to speak.

Metu69salemi · Feb 14, 2013, 9:04 PM

That is great to share co-worker who thinks that networking is too easy to handle..

Curium · Feb 21, 2013, 8:01 PM

Okay, that status.php page is AMAZING!

However, I think I am noticing that the "evaluations" in "pfctl -vvsr" is counting every time that rule is evaluated by a connection. That's great, but I am looking for a counter when a rule matches a connection and either allows or denies a connection, "hit". Evaluations is kind of useless for troubleshooting or identifying dead rules, or even sorting them for efficiency.

The states, bytes and packets is awesome though.

jamesmr89 · Apr 5, 2013, 6:54 AM

I used to have some code that would do a traffic graph based on a rule, I could dig that up and see if I could make it work on pfsense if you'd be interested, basically a bandwidth graph on a per rule basis.

dhatz · Apr 5, 2013, 3:06 PM

@cmb:

our status.php page (no menu link) has probably all the most useful ones.

Nice.

A minor issue I noticed is that the section showing the results of ipfw show now produces an error, apparently since the addition of the pfSense-specific -x context parameter.

ZGamer · Jun 13, 2013, 5:48 AM

Have you taken a look under Diagnostics –> pfTop --> Rules?

The PKTS, BYTES, STATE, & INFO colums should give you what your looking for.

mikeisfly · Dec 10, 2013, 11:53 AM

Agreed, coming from the Cisco world having a hit counter is very helpful in trouble shooting and I would be willing to add $50 to have this feature implemented in the next version of PfSense. It would also be nice not to have it all in the same location like when you look at your rules you see how many times there was a match on that rule.

marcelloc · Aug 12, 2015, 9:21 PM

Hi, if someone is still interested on this, follow this topic

https://forum.pfsense.org/index.php?topic=97925.msg545345#msg545345

zylithi · Dec 25, 2015, 11:44 PM

What about taking this, and spitting it out to an LCD ;)