Summarize drop/denied/allowed traffic from ruleset?
-
Is there a package or an easy way to find out how much traffic pfSense has denied/dropped/allowed through the firewall and the corresponding ruleset that caused the action? I would like to get some stats for the last day, week, month, etc.
Basically, I need to know how many connections were denied due to xxx ruleset.
Thanks,
-
There isn't anything quite like that.
There is the 'summary' view in the filter logs which makes some graphs for various actions.
Due to the dynamic nature of the firewall log rule numbers, it wouldn't be very accurate to parse those and report after-the-fact, and it wouldn't be very efficient to try to do that when the logs are written either.
On top of that, the logs are of a fixed size; they roll over once the file fills up, so there are never more than a few thousand lines in the log. Depending on your level of traffic that could be several days or several minutes.
-
Thanks. Seems like an interesting metric to track - especially at the commercial or enterprise level.
I was thinking more of an "rrd" style data collection effort. Basically, push the allow/deny/etc. results to an rrd database and enable some sort of querying mechanism, much like the current RRD graphs do today.
-
There's nothing stopping someone from doing this with the rule numbers as it is now, but as I said, the rule numbers are useless many times because the numbering changes over time as rules are dynamically added or removed.
You'd pretty much have to dump the entire ruleset every time a log entry was made so you can associate a rule, which can be quite costly if you have fast-moving logs. It could cause the box to DoS itself. :)
-
OK - the light just went on - I understand what you are saying. Basically, the numbers won't be accurate if you add/modify/remove rulesets. Understood.
Thanks for the info…
-
It's worse than that: the system can add rules internally from things like packages. Things like UPnP, squid, etc. will add their own rules, and they may change or not be present all the time. I wish there were an easier way; it would be quite useful to know.
-
Thanks again. Is there an easy way just to get allowed vs dropped?
-
That should be on the summary view, but it only counts logged items.
There isn't a web interface to it, but you can also check the output of:
pfctl -vvsr
from the console/SSH. It will show you things like this:
@6 block drop in log all label "Default deny rule"
  [ Evaluations: 5 Packets: 2 Bytes: 104 States: 0 ]
@41 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 5 Packets: 6 Bytes: 456 States: 2 ]
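As an added example (not code from this thread or from pfSense), here is a small Python parser for the `pfctl -vvsr` output format shown above; it totals packets and bytes by action and by rule label rather than by the @N number, since the thread notes those numbers shift as rules are added or removed. The sample input is constructed to match the format quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `pfctl -vvsr` output (not real firewall data).
SAMPLE = """\
@6 block drop in log all label "Default deny rule"
  [ Evaluations: 5 Packets: 2 Bytes: 104 States: 0 ]
@41 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 5 Packets: 6 Bytes: 456 States: 2 ]
@42 block drop in quick on em0 inet from any to 10.0.0.1 label "USER_RULE: block mgmt"
  [ Evaluations: 9 Packets: 3 Bytes: 180 States: 0 ]
"""

RULE_RE = re.compile(r'^@(\d+)\s+(pass|block|match)\b')      # "@N action ..." header line
LABEL_RE = re.compile(r'label "([^"]*)"')                     # optional label on the header line
COUNTER_RE = re.compile(r'\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)'
                        r'\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]')

def parse_rules(text):
    """Return a list of dicts, one per rule, pairing each header with its counter line."""
    rules, current = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            lab = LABEL_RE.search(line)
            current = {"rule": int(m.group(1)), "action": m.group(2),
                       "label": lab.group(1) if lab else "(no label)"}
            continue
        c = COUNTER_RE.search(line)
        if c and current is not None:
            current.update(evaluations=int(c.group(1)), packets=int(c.group(2)),
                           bytes=int(c.group(3)), states=int(c.group(4)))
            rules.append(current)
            current = None   # counters belong to exactly one preceding header
    return rules

def summarize(rules):
    """Aggregate packets/bytes by action (pass/block/match) and by label."""
    by_action = defaultdict(lambda: {"packets": 0, "bytes": 0})
    by_label = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for r in rules:
        for key, bucket in ((r["action"], by_action), (r["label"], by_label)):
            bucket[key]["packets"] += r["packets"]
            bucket[key]["bytes"] += r["bytes"]
    return dict(by_action), dict(by_label)

if __name__ == "__main__":
    actions, labels = summarize(parse_rules(SAMPLE))
    print(actions)   # {'block': {'packets': 5, 'bytes': 284}, 'pass': {'packets': 6, 'bytes': 456}}
    print(labels)
```

The counters are cumulative since the ruleset was last loaded, so a periodic run that stores the deltas (for example into an RRD, as suggested earlier in the thread) is what turns this into per-day or per-week statistics.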