Monitoring Graphs Question



  • Hi all -

    I have a quick question regarding the graphs displayed under Status > Monitoring. If I choose System and States for the left axis, what do the different state types shown on the chart represent, i.e.:

    1. state changes
    2. filter states
    3. source addr.
    4. destination addr.

    I apologize in advance if this is covered somewhere in the manual / documentation - I wasn't able to find anything. Thanks in advance for your help.


  • Netgate Administrator

    That is an interesting question!
    The 'filter states' shows the total firewall states and is usually what I would be looking at there. If you get a DoS attack for example you will see the states spike in the graphs.
    The 'state changes' can also be useful. Occasionally you might have something opening/closing states very rapidly and that can cause significant CPU load. Usually you would also see the total states rise but you could imagine a situation where states were immediately closed and total was not significant whilst the rate of changes was.

    I'm not sure I've ever checked the source/destination address fields there though. It's not clear just looking at those numbers against the state table. More research needed!

    Steve


  • Netgate Administrator

    Ok so you can see what those values are in the RRD update script /var/db/rrd/updaterrd.sh, specifically:

    pfctl_si_out="` /sbin/pfctl -si > /tmp/pfctl_si_out `"
    pfctl_ss_out="` /sbin/pfctl -ss > /tmp/pfctl_ss_out`"
    pfrate="` cat /tmp/pfctl_si_out | egrep "inserts|removals" | awk '{ pfrate = $3 + pfrate } {print pfrate}'|tail -1 `"
    pfstates="` cat /tmp/pfctl_ss_out | egrep -v "<\-.*?<\-|\->.*?\->" | wc -l|sed 's/ //g'`"
    pfnat="` cat /tmp/pfctl_ss_out | egrep '<\-.*?<\-|\->.*?\->' | wc -l|sed 's/ //g' `"
    srcip="` cat /tmp/pfctl_ss_out | egrep -v '<\-.*?<\-|\->.*?\->' | grep '\->' | awk '{print $3}' | awk -F: '{print $1}' | sort -u|wc -l|sed 's/ //g' `"
    dstip="` cat /tmp/pfctl_ss_out | egrep -v '<\-.*?<\-|\->.*?\->' | grep '<\-' | awk '{print $3}' | awk -F: '{print $1}' | sort -u|wc -l|sed 's/ //g' `"
    

    So that looks like the number of unique source IPs on outgoing states. If you only have a single WAN and you're NATing out of it that's probably going to be 1.
    And the number of unique destination IPs on incoming states. A lot higher since that includes all the external IPs on states opened on LAN by clients.

    Looking at the output there though it looks like there may be room for improvement. It doesn't handle IPv6 addresses and counts blank lines.

    Steve
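As an added illustration (not part of the forum thread or of pfSense's own updaterrd.sh), the Python below reproduces the four pipelines quoted above over a constructed `pfctl -ss` sample and shows the two weaknesses Steve points out: a blank line is counted as a state, and `awk -F: '{print $1}'` cuts an IPv6 address at its first colon, so distinct IPv6 sources collapse into one. The sample output, the assumption that pf prints IPv4 endpoints as `addr:port` and IPv6 endpoints as `addr[port]`, and the function names are all mine.

```python
import re

# Constructed sample of `pfctl -ss` output. Assumptions: IPv4 endpoints appear
# as addr:port, IPv6 endpoints as addr[port], a blank line can occur, and a
# NAT state shows two arrows (the pattern the script greps for).
SAMPLE_PFCTL_SS = """\
all tcp 10.0.0.5:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:51235 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 10.0.0.7:5353 -> 198.51.100.53:53       MULTIPLE:MULTIPLE
all tcp 203.0.113.1:443 <- 198.51.100.20:40001       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:443 <- 198.51.100.21:40002       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:22 <- 198.51.100.21:40003       ESTABLISHED:ESTABLISHED

all tcp 2001:db8:1::10[52000] -> 2001:db8:ffff::1[443]       ESTABLISHED:ESTABLISHED
all tcp 2001:db8:1::11[52001] -> 2001:db8:ffff::1[443]       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:40010 -> 10.0.0.5:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

# Same idea as the script's egrep '<\-.*?<\-|\->.*?\->': two arrows mark a NAT state.
NAT_RE = re.compile(r"<-.*<-|->.*->")


def strip_port(endpoint, legacy=False):
    """Return the address part of one pfctl endpoint field.

    legacy=True reproduces the script's awk -F: '{print $1}', which works for
    IPv4 but truncates an IPv6 address at its first colon.  The default path
    handles both addr:port and addr[port].
    """
    if legacy:
        return endpoint.split(":")[0]
    if endpoint.endswith("]") and "[" in endpoint:
        return endpoint[: endpoint.rindex("[")]
    return endpoint.rsplit(":", 1)[0]


def rrd_state_counts(pfctl_ss_text, legacy=False):
    """Compute pfstates, pfnat, srcip and dstip as updaterrd.sh does.

    legacy=True keeps the script's behaviour (blank lines counted, IPv6
    addresses cut at the first colon); legacy=False drops blank lines and
    strips ports correctly for both address families.
    """
    lines = pfctl_ss_text.splitlines()
    if not legacy:
        lines = [ln for ln in lines if ln.strip()]

    nat_lines = [ln for ln in lines if NAT_RE.search(ln)]
    plain_lines = [ln for ln in lines if not NAT_RE.search(ln)]

    def left_addr(ln):
        # Field 3 of "all <proto> <left-endpoint> <arrow> <right-endpoint> ..."
        return strip_port(ln.split()[2], legacy)

    # srcip: unique left-hand addresses of outgoing (->) non-NAT states
    srcip = {left_addr(ln) for ln in plain_lines if "->" in ln}
    # dstip: unique left-hand addresses of incoming (<-) non-NAT states
    dstip = {left_addr(ln) for ln in plain_lines if "<-" in ln}

    return {
        "pfstates": len(plain_lines),
        "pfnat": len(nat_lines),
        "srcip": len(srcip),
        "dstip": len(dstip),
    }


if __name__ == "__main__":
    print("script behaviour:", rrd_state_counts(SAMPLE_PFCTL_SS, legacy=True))
    print("with fixes:      ", rrd_state_counts(SAMPLE_PFCTL_SS))
```

On the sample, the legacy path reports 9 filter states and 3 unique source addresses, while the corrected path reports 8 and 4: the blank line disappears from the state count, and the two IPv6 clients stop collapsing into the single value "2001". When reading the Monitoring graph on a dual-stack firewall, that is the direction in which the plotted source/destination counts are biased.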

