NRPEv2 check_pf



  • Hi,

    I'm working to add monitoring on my loved PFSense firewall.
    NRPEv2 package is great but it's missing some specific PF features. I have tried to add the check_pf indicator (https://github.com/kian/nagios-pf-plugin) but once compiled on FreeBSD 8.3, when I'm launching it on PFSense 2.1.3-RELEASE I got a:  "PF UNKNOWN - ioctl failed (DIOCGETSTATUS)"
    As I'm not a developer I've done a dirty thing doing nearly the same in sh:

    
    #!/bin/sh
    WARN="8000"
    CRIT="10000"
    STATES=`pfctl -si | grep "current entries" | awk '{ print $3 }'`
    LIMIT=`pfctl -sm | grep states | awk '{ print $4 }'`
    PERC=`echo "scale=2;$STATES*100/$LIMIT"|bc`
    
    if [ $STATES -lt $WARN ]; then
            MSG="OK"
            STATUS="0"
    elif [ $STATES -ge $CRIT ]; then
            MSG="CRITICAL"
            STATUS="2"
    elif [ $STATES -ge $WARN ]; then
            MSG="WARNING"
            STATUS="1"
    fi
    echo "PF $MSG - states: $STATES ( $PERC% - limit: $LIMIT) | states=$STATES;$WARN;$CRIT;0;$LIMIT"
    exit $STATUS
    
    

    Sacha.



  • I know it has been a bit since Sacha posted this, but I made a couple of changes to the script. Instead of going off of states, the revised script instead alerts based on state table usage percentage (80 and 90). Thanks Sacha for the original post! – Dallas

    #!/bin/sh
    WARN="80"
    CRIT="90"
    STATES=`pfctl -si | grep "current entries" | awk '{ print $3 }'`
    LIMIT=`pfctl -sm | grep states | awk '{ print $4 }'`
    PERC=`echo "$((($STATES*100)/$LIMIT))"|bc`

    #echo $PERC

    if [ $PERC -lt $WARN ]; then
            MSG="OK"
            STATUS="0"
    elif [ $PERC -ge $CRIT ]; then
            MSG="CRITICAL"
            STATUS="2"
    elif [ $PERC -ge $WARN ]; then
            MSG="WARNING"
            STATUS="1"
    fi
    echo "$MSG - PF state table: $STATES ( $PERC% full - limit: $LIMIT) | states=$STATES;$WARN;$CRIT;0;$LIMIT"
    exit $STATUS
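
An added example, not part of either post above: the same percentage-based check with the pfctl parsing split into functions and an UNKNOWN result (exit 3, the Nagios plugin convention) when the state count or limit cannot be read, a case in which both scripts above print an incomplete line and exit with an unset status. The function names and the `--run` switch are assumptions made for this example; perfdata thresholds are converted to state counts so they match the reported value.

```shell
#!/bin/sh
# Added example (not from the thread): PF state table check for NRPE that
# returns UNKNOWN (3) when pfctl output cannot be parsed.

# Print the "current entries" count from `pfctl -si` output on stdin.
parse_states() { awk '/current entries/ { print $3; exit }'; }

# Print the hard limit for states from `pfctl -sm` output on stdin.
parse_limit() { awk '$1 == "states" { print $4; exit }'; }

# Succeeds only for a non-empty string of digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# pf_check STATES LIMIT WARN_PCT CRIT_PCT: print a plugin line, return the status.
pf_check() {
    states=$1 limit=$2 warn=$3 crit=$4
    if ! is_uint "$states" || ! is_uint "$limit" || [ "$limit" -eq 0 ]; then
        echo "PF UNKNOWN - could not parse pfctl output"
        return 3
    fi
    perc=$(( states * 100 / limit ))
    if   [ "$perc" -ge "$crit" ]; then msg=CRITICAL status=2
    elif [ "$perc" -ge "$warn" ]; then msg=WARNING  status=1
    else                               msg=OK       status=0
    fi
    # Perfdata thresholds are expressed as state counts, like the value itself.
    echo "PF $msg - state table: $states ($perc% full - limit: $limit) | states=$states;$(( limit * warn / 100 ));$(( limit * crit / 100 ));0;$limit"
    return $status
}

# Query the live firewall only when called with --run (hypothetical switch),
# so the functions above can also be sourced and exercised on captured output.
if [ "${1:-}" = "--run" ]; then
    pf_check "$(pfctl -si 2>/dev/null | parse_states)" \
             "$(pfctl -sm 2>/dev/null | parse_limit)" 80 90
    exit $?
fi
```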



  • thanks for the hack