Firewall rules hitcount for pfSense 2.1.5 and 2.2.4
-
This looks great! Any plans to get this into 2.2.5 or 2.3?
-
Would need some work before being integrated (would have to be 2.3)
Why use a hash there? In 2.2.x all rules have a unique tracker ID already, no need for an extra hash.
2.1.x is dead, not worth adding things for to maintain compatibility at this stage.
-
Why use a hash there? In 2.2.x all rules have a unique tracker ID already, no need for an extra hash.
Hi Jimp, Thank's for the feedback. I'm testing with tracker right now.
It looks like rules created by nat does not have this tracker(testing with 2.2.4).
Using tracker field, it reduced to just one new file and two patches.
<rule><source> <any><interface>wan</interface> <protocol>tcp</protocol> <destination><address>127.0.0.1</address> <port>80</port></destination> <associated-rule-id>nat_55d21c4e8742b7.64890792</associated-rule-id> <created><time>1439833166</time> <username>NAT Port Forward</username></created></any></rule>
-
I've updated the code for 2.2.4 to use tracker and included counter to all rules on gui. See the topic above for instructions.
-
Thanks, works great 2.2.4.
One question though, shouldn't we rather use 644 permissions? At least for /etc/inc files ? -
One question though, shouldn't we rather use 644 permissions? At least for /etc/inc files ?
Yeah, you should. Also, you can diff the new file against /dev/null, put it into System Patches and forget about Filer altogether.
-
One question though, shouldn't we rather use 644 permissions? At least for /etc/inc files ?
Updated to 0644, thanks for the feedback.
-
Something seems odd with pfSense handling auto-added Port Forward rules. They get a name like "USER_RULE: NAT …" and there's no tracker ID. As I use Multi-WAN and some Port Forwards were just copied from WAN1 to WAN2, pfctl -vvsr shows two rules with the same name. That breaks the new counters...
Edit: Put in unique descriptions, still no luck. -
On to the next problem, Port Aliases. While pf let's us write single-line rules with something like
port { 25 465 587 }
it automatically creates a separate rule for every single port. pfctl will show three rules for the example above whilst our ruleset only has a single rule for this.
-
Updated the code for 2.2.4 to include kill states option for specific rule.
-
On to the next problem, Port Aliases. While pf let's us write single-line rules with something like
port { 25 465 587 }
it automatically creates a separate rule for every single port. pfctl will show three rules for the example above whilst our ruleset only has a single rule for this.
I'll try to simulate it.
-
Updated the code for 2.2.4 to include kill states option for specific rule.
Wasn't able to try it out yet. But if that means, the byte counter does not show anymore when hovering there with the mouse, that would be too bad. Maybe the Hits field could show
Packets(Bytes)/States
or something similar? -
Wasn't able to try it out yet. But if that means, the byte counter does not show anymore when hovering there with the mouse, that would be too bad. Maybe the Hits field could show
Packets(Bytes)/States
or something similar?I'ts still working inside the td with mouse over, I've just included the option to kill when there are active states and only over the numbers.
-
Something seems odd with pfSense handling auto-added Port Forward rules. They get a name like "USER_RULE: NAT …" and there's no tracker ID.
Edit and save rule created by nat to force the trackerid
-
On to the next problem, Port Aliases. While pf let's us write single-line rules with something like
port { 25 465 587 }
it automatically creates a separate rule for every single port. pfctl will show three rules for the example above whilst our ruleset only has a single rule for this.
check if new code fixes it. (v0.31)
@78(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = http flags S/SA keep state label "USER_RULE: 1439883226" [ Evaluations: 17 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 23535 State Creations: 3319624344] @79(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = https flags S/SA keep state label "USER_RULE: 1439883226" [ Evaluations: 17 Packets: 763 Bytes: 442121 States: 6 ] [ Inserted: pid 23535 State Creations: 3319624408] @80(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = ssh flags S/SA keep state label "USER_RULE: 1439883226" [ Evaluations: 1 Packets: 555 Bytes: 81812 States: 1 ] [ Inserted: pid 23535 State Creations: 3321614424] @81(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = 8443 flags S/SA keep state label "USER_RULE: 1439883226" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 23535 State Creations: 3321614400] @82(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = domain flags S/SA keep state label "USER_RULE: 1439883226" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 23535 State Creations: 3321614376]
-
Thanks, works great.
But one odd thing I noticed is, that rules with multiple ports like those you fixed seem to get their counter cleared on every filter reload. At the same time, my other "normal" rules do not suffer from this.
Are you seeing this too, or am I doing something wrong? -
More features on version 0.4 for pfsense 2.2, now we can view hit count, list and kill States(with ajax to keep it light and fast).
-
Very nice!
Good job as always, marcelloc!
[]`s
Jack -
marcelloc, the lastest update works great, thanks again.
Still, the new hitcount feature reveals that some rules with multiple ports like "{ 25 465 587 }" or multiple protocols like "{ tcp udp }" get their packet/byte counter reset on reload. Evaluations / State Creations seem not affected. Nobody else seeing this?
-
Awesome feature!
Can't wait to see this merged upstream! ;D