Feature #3504

closed

Firewall rules hit counter

Added by Travis Kreikemeier about 10 years ago. Updated about 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version:
Start date: 03/06/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

I'd like to request a hit counter for firewall rules. When viewing the rules, there would be a new column with a count of connection attempts that were accepted or denied by a rule. As well, a rule counter reset button to easily reset a rule or all rules.

Reasons for this:
1) Makes troubleshooting easier, you can see when a rule is properly being hit when you initiate traffic and the counter goes up for that rule.
2) Helps a firewall admin identify dead rules that are no longer needed during a firewall rule audit.
3) Helps to identify attacks against the network, narrowing it down to certain traffic more quickly by watching the counters.
4) Identifies hot rules that need to be moved to the top of the firewall list for optimization. I like to order my rules in order of usage where possible for performance reasons.


Files

rule_count.png (36.2 KB), Marcello Silva Coutinho, 08/10/2015 02:34 PM
#1

Updated by Chris Buechler almost 10 years ago

  • Target version deleted (2.2)
  • Affected Version deleted (All)
#2

Updated by Marcello Silva Coutinho over 8 years ago

With a few modifications and a new function, I've got this result.

Is there any info about how often pfctl cleans the counters?

Is it related to /tmp/rules.debug call?

#3

Updated by Travis Kreikemeier over 8 years ago

Marcello, that is awesome! The bytes, packets and states are a very nice touch. However, the evaluations count is kind of not helpful, as it is incremented every time a rule is evaluated. Meaning if the rule was in front of a rule that allowed or disallowed the traffic, it would still have been counted as evaluated, as it was inspected to see if it matched the traffic. I wish pf had a hit or action count. Or maybe it does and I am just not aware.
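The distinction raised in #3 (and the audit and ordering use cases from the description) can be worked out directly from the counters pf already keeps: `pfctl -vvsr` prints, under each rule, its Evaluations, Packets, Bytes, States and State Creations. Packets and State Creations only move when the rule actually matched, so they are the closest thing pf offers to a hit counter, while Evaluations climbs for every packet that reached the rule whether it matched or not. The script below is an added example, not pfSense project code or Marcello's patch; the `SAMPLE` block is constructed to mimic the `pfctl -vvsr` layout so it runs offline, and the rule text, counter values and labels in it are invented.

```shell
#!/bin/sh
# Added example (not pfSense project code): turn the per-rule counters that
# `pfctl -vvsr` prints into a hit summary. On a pfSense/FreeBSD box you would
# feed real output:   pfctl -vvsr | rule_hits | hot_rules
# SAMPLE is constructed here to mimic that layout so the script runs offline.

SAMPLE='@0 block drop in log quick on em0 inet from <bogons> to any label "block bogon IPv4 networks from WAN"
  [ Evaluations: 4821      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17622 State Creations: 0     ]
@1 pass in quick on em0 inet proto tcp from any to 203.0.113.10 port = https flags S/SA keep state label "USER_RULE: allow https to web"
  [ Evaluations: 4821      Packets: 158204    Bytes: 97331212    States: 37    ]
  [ Inserted: uid 0 pid 17622 State Creations: 1204  ]
@2 pass in quick on em0 inet proto tcp from 198.51.100.0/24 to 203.0.113.10 port = ssh flags S/SA keep state label "USER_RULE: legacy ssh admin"
  [ Evaluations: 3617      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17622 State Creations: 0     ]
@3 block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 3617      Packets: 3617      Bytes: 187120      States: 0     ]
  [ Inserted: uid 0 pid 17622 State Creations: 0     ]'

# rule_hits: stdin = pfctl -vvsr output; stdout = TSV of
#   rule_number  evaluations  packets  states  state_creations  label
# Packets and state creations only move when a rule actually matches, so they
# are the "hit" signal; Evaluations climbs for every packet that reached the
# rule, whether or not it matched.
rule_hits() {
    awk '
    /^@[0-9]+ / {
        rule = substr($1, 2)            # strip the leading "@"
        label = "(no label)"
        if (match($0, /label "[^"]*"/)) # label "..." is optional on a rule
            label = substr($0, RSTART + 7, RLENGTH - 8)
        next
    }
    /Evaluations:/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "Evaluations:") ev = $(i + 1)
            if ($i == "Packets:")     pk = $(i + 1)
            if ($i == "States:")      st = $(i + 1)
        }
        next
    }
    /State Creations:/ {
        for (i = 1; i <= NF; i++)
            if ($i == "Creations:") sc = $(i + 1)
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", rule, ev, pk, st, sc, label
    }'
}

TAB="$(printf '\t')"

# hot_rules: busiest rules first (candidates to move up the ruleset).
hot_rules() { sort -t "$TAB" -k3,3nr; }

# dead_rules: rules that traffic reached (evaluations > 0) but that never
# matched a packet (candidates to review in a rule audit). Requiring
# evaluations > 0 avoids flagging rules whose counters were just reset.
dead_rules() { awk -F "$TAB" '$2 > 0 && $3 == 0 { print }'; }

printf '%s\n' "$SAMPLE" | rule_hits | hot_rules
```

Counters belong to the loaded rule objects, so they start from zero whenever the ruleset is reloaded; a rule showing no hits shortly after a reload says little, which is why `dead_rules` also requires a non-zero evaluation count before reporting a rule.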

#4

Updated by Chris Buechler about 8 years ago

  • Status changed from New to Resolved
  • Target version set to 2.3

Marcello's change there has been implemented in 2.3. That addresses the subject as best as possible.
