
Author Topic: Firewall Rules hit counter - $150  (Read 10746 times)


Offline Curium (Newbie, Posts: 6, Karma: +0/-0)
Firewall Rules hit counter - $150
« on: February 11, 2013, 11:11:54 pm »
Probably about the only feature that I am missing while converting many ASA firewalls to pfSense. Might seem like a small feature, but is actually very useful. A hit counter on each Firewall - Rule, incremented every time a new connection is established allowed by that particular rule. Would be nice while viewing the rules in pfSense to see the counter for each rule.

Reasons needed:
1. Makes troubleshooting easier, if the number is not incrementing then your connections are not properly hitting that rule.
2. Easier optimization, allows you to resort your rules based on top usage, so that your most hit rules are on the top, to save on CPU usage and gain performance in pfSense.
3. Allows you to easily and confidently identify dead (no longer used) rules.

Offline cmb (Hero Member, Posts: 11230, Karma: +891/-7) - Chris Buechler
Re: Firewall Rules hit counter - $150
« Reply #1 on: February 11, 2013, 11:38:52 pm »
"pfctl -vvsr" at the command line shows just that. I agree it would be a useful addition to the GUI.

Offline Curium (Newbie, Posts: 6, Karma: +0/-0)
Re: Firewall Rules hit counter - $150
« Reply #2 on: February 12, 2013, 12:13:01 am »
Okay, I have been searching for a command like that. Thank you! Now that I have seen all of the information it has, I want the hit counter (evaluations), bytes, packets and states in the GUI! :)

Offline jimp (Administrator, Hero Member, Posts: 20797, Karma: +1311/-24)
Re: Firewall Rules hit counter - $150
« Reply #3 on: February 12, 2013, 08:07:31 am »
IIRC the counters reset after every filter reload. Which happens often. So they wouldn't be much use long-term...
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline cmb (Hero Member, Posts: 11230, Karma: +891/-7) - Chris Buechler
Re: Firewall Rules hit counter - $150
« Reply #4 on: February 13, 2013, 01:17:09 am »
Yeah they are indeed reset on filter reload. In some environments they wouldn't last long at all at that, though in others where the config rarely changes and there aren't any IP changes, etc. to reload the filter, they could stay for long periods.

Offline Curium (Newbie, Posts: 6, Karma: +0/-0)
Re: Firewall Rules hit counter - $150
« Reply #5 on: February 13, 2013, 09:50:58 pm »
Probably not a work around for the filter reload reset issue.
But in reality that is not a big deal.  I would be able to accomplish everything I need even if reset when changes are rarely made.  I just tested on an ASA, the counter is reset on an ACL when it is modified, but not all.  Again, not a big deal, still would love to have this.


cmb, is there a recommended page that has all the awesome CLI commands? As you have just given me one. Like the top 20 most awesome commands you should know. Thanks

Offline Clear-Pixel (Full Member, Posts: 262, Karma: +4/-5)
Re: Firewall Rules hit counter - $150
« Reply #6 on: February 14, 2013, 04:33:43 am »
IIRC the counters reset after every filter reload. Which happens often. So they wouldn't be much use long-term...

Store value in a variable ... if else statement rule only on reload?
HP EliteBook 2530p Laptop - Core2 Duo SL9600 @ 2.13Ghz - 4 GB Ram -128GB SSD
Atheros Mini PCI-E as Access Point (AR5BXB63H/AR5007EG/AR2425)
Single Ethernet Port - VLAN
Cisco SG300 10-port Gigabit Managed Switch
Cisco DPC3008 Cable Modem  30/4 Mbps
Pfsense 2.1-RELEASE (amd64)
--------------------------------------------------------------
Total Network Power Consumption - 29 Watts

Offline cmb (Hero Member, Posts: 11230, Karma: +891/-7) - Chris Buechler
Re: Firewall Rules hit counter - $150
« Reply #7 on: February 14, 2013, 05:16:04 am »
cmb, is there a recommend page that has all awesome CLI commands?

pfctl man page is where I'd look. Not sure what you'd consider "awesome", our status.php page (no menu link) has probably all the most useful ones.

Offline Clear-Pixel (Full Member, Posts: 262, Karma: +4/-5)
Re: Firewall Rules hit counter - $150
« Reply #8 on: February 14, 2013, 05:43:34 am »
FreeBSD 8.3 Man Page
pfctl -- control the packet filter (PF) and network address translation (NAT) device
http://www.freebsd.org/cgi/man.cgi?query=pfctl&apropos=0&sektion=8&manpath=FreeBSD+8.3-RELEASE&arch=default&format=html

Offline stephenw10 (Administrator, Hero Member, Posts: 11728, Karma: +446/-15)
Re: Firewall Rules hit counter - $150
« Reply #9 on: February 14, 2013, 02:32:10 pm »
our status.php page (no menu link) has probably all the most useful ones.

How has this mine of info bypassed my radar until now?  ::)
Awesome!

Steve

Online johnpoz (Hero Member, Posts: 13455, Karma: +1186/-176) - Not a pfSense employee, they cannot fire me...
Re: Firewall Rules hit counter - $150
« Reply #10 on: February 14, 2013, 02:57:14 pm »
status.php

Is there no link to this in the GUI? I just looked and couldn't find it - but yeah, looks pretty sweet when you go directly to that.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- If I have helped you and want to help back, https://www.freebsdfoundation.org/donate/
- Please don't PM me for personal help, info you don't want public sure. Link to thread you would like me to look at ok, etc.
1x SG-2440 2.3.4_p1 (work)
1x 2.4.0-RC Sep 15 16:04:53 VM running on esxi 6.5 (home)

Offline jimp (Administrator, Hero Member, Posts: 20797, Karma: +1311/-24)
Re: Firewall Rules hit counter - $150
« Reply #11 on: February 14, 2013, 03:00:47 pm »
There is no link and that's done on purpose. It's rarely needed except for diagnostics and reporting to support. It's best left "hidden" so to speak.

Offline Metu69salemi (Hero Member, Posts: 1556, Karma: +2/-0)
Re: Firewall Rules hit counter - $150
« Reply #12 on: February 14, 2013, 03:04:58 pm »
That is great to share with a co-worker who thinks that networking is too easy to handle..

Offline Curium (Newbie, Posts: 6, Karma: +0/-0)
Re: Firewall Rules hit counter - $150
« Reply #13 on: February 21, 2013, 02:01:54 pm »
Okay, that status.php page is AMAZING!

However, I think I am noticing that the "evaluations" in "pfctl -vvsr" is counting every time that rule is evaluated by a connection.  That's great, but I am looking for a counter when a rule matches a connection and either allows or denies a connection, "hit".  Evaluations is kind of useless for troubleshooting or identifying dead rules, or even sorting them for efficiency.

The states, bytes and packets are awesome though.
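The pieces discussed in this thread (cmb's `pfctl -vvsr`, the counter reset on filter reload that jimp and cmb describe, Clear-Pixel's idea of storing the value across reloads, and the Evaluations-versus-hits distinction in the post above) fit together in a small script. The one below is an added example written for this thread, not pfSense project code. It parses the `[ Evaluations: ... ]` and `[ Inserted: ... State Creations: ... ]` lines that pfctl prints under each rule, keys rules by their label (the `@n` numbers shift when rules are reordered), folds successive snapshots together so that a counter dropping back toward zero is treated as a reload rather than lost history, and reports rules with no hits and the most-hit rules. It uses `State Creations` (one per new connection the rule passed) and `Packets` as the hit measure rather than `Evaluations`, which pf increments every time it considers the rule whether or not it matched. The two snapshots, rule labels, addresses and counter values are constructed to mimic the FreeBSD pfctl format and are not from any real system.

```python
"""Added example for this thread (not pfSense project code): parse the per-rule counters
from `pfctl -vvsr`, carry them across the reset a filter reload causes, and report dead and
top rules. The snapshots below are constructed in the FreeBSD pfctl format; all values are made up."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"^@(\d+)\s+(.*\S)\s*$")
EVAL_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
CREATIONS_RE = re.compile(r"State Creations:\s*(\d+)")
LABEL_RE = re.compile(r'label "([^"]*)"')
# Counters that only grow until a reload zeroes them. 'Evaluations' grows whenever pf looks at
# the rule, matched or not, and 'States' is a gauge of currently open states, so neither is used.
MONOTONIC = ("packets", "state_creations")

@dataclass
class RuleCounters:
    number: int           # @n position in the loaded ruleset; shifts when rules move
    text: str             # rule text as printed by pfctl
    evaluations: int
    packets: int          # packets that matched this rule or a state it created
    byte_count: int
    states: int           # states currently open for this rule
    state_creations: int  # states created by this rule since the last reload: one per new connection

def parse_pfctl_rules(output: str) -> list:
    """Turn `pfctl -vvsr` text into one RuleCounters per '@n' rule line."""
    rules, pending = [], None
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            pending = {"number": int(m.group(1)), "text": m.group(2)}
        elif pending and (m := EVAL_RE.search(line)):
            pending.update(zip(("evaluations", "packets", "byte_count", "states"), map(int, m.groups())))
        elif pending and "packets" in pending and (m := CREATIONS_RE.search(line)):
            pending["state_creations"] = int(m.group(1))
            rules.append(RuleCounters(**pending))
            pending = None
    return rules

def rule_key(rule: RuleCounters) -> str:
    """Key rules by their label, which survives a reload; the @n number does not."""
    m = LABEL_RE.search(rule.text)
    return m.group(1) if m else rule.text

def accumulate(store: dict, rules: list) -> dict:
    """Fold a snapshot into `store`, adding only the growth since the previous snapshot.

    A value below the last one seen is read as 'reset to zero, then counted up to the current
    value'. A reset followed by more traffic than the old total looks like ordinary growth,
    so poll often relative to how often the filter reloads.
    """
    for rule in rules:
        entry = store.setdefault(rule_key(rule), {f"{p}_{c}": 0 for c in MONOTONIC for p in ("total", "last")})
        for field in MONOTONIC:
            current, last = getattr(rule, field), entry[f"last_{field}"]
            entry[f"total_{field}"] += current if current < last else current - last
            entry[f"last_{field}"] = current
    return store

def dead_rules(store: dict) -> list:
    """Rules that have neither matched a packet nor created a state in any snapshot."""
    return sorted(k for k, e in store.items() if e["total_packets"] == 0 and e["total_state_creations"] == 0)

def top_rules(store: dict, n: int) -> list:
    """Most-hit rules by accumulated state creations, the per-connection 'hit' count."""
    ranked = sorted(store.items(), key=lambda kv: kv[1]["total_state_creations"], reverse=True)
    return [(k, e["total_state_creations"]) for k, e in ranked[:n]]

# Constructed snapshots: the second was taken after a filter reload zeroed the counters.
SNAPSHOT_1 = """\
@0 block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 5120      Packets: 42        Bytes: 2520        States: 0     ]
  [ Inserted: uid 0 pid 31337 State Creations: 0     ]
@1 pass in quick on em0 inet proto tcp from any to 10.0.0.5 port = 443 flags S/SA keep state label "USER_RULE: allow https to web"
  [ Evaluations: 5078      Packets: 9800      Bytes: 7340000     States: 3     ]
  [ Inserted: uid 0 pid 31337 State Creations: 57    ]
@2 pass in quick on em0 inet proto tcp from any to 10.0.0.9 port = 23 flags S/SA keep state label "USER_RULE: legacy telnet"
  [ Evaluations: 5021      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 31337 State Creations: 0     ]
"""
SNAPSHOT_2 = """\
@0 block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 610       Packets: 5         Bytes: 300         States: 0     ]
  [ Inserted: uid 0 pid 31802 State Creations: 0     ]
@1 pass in quick on em0 inet proto tcp from any to 10.0.0.5 port = 443 flags S/SA keep state label "USER_RULE: allow https to web"
  [ Evaluations: 590       Packets: 300       Bytes: 210000      States: 1     ]
  [ Inserted: uid 0 pid 31802 State Creations: 4     ]
@2 pass in quick on em0 inet proto tcp from any to 10.0.0.9 port = 23 flags S/SA keep state label "USER_RULE: legacy telnet"
  [ Evaluations: 585       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 31802 State Creations: 0     ]
"""

if __name__ == "__main__":
    # On a live box, replace the constants with the stdout of subprocess.run(["pfctl", "-vvsr"], ...)
    totals = accumulate({}, parse_pfctl_rules(SNAPSHOT_1))
    accumulate(totals, parse_pfctl_rules(SNAPSHOT_2))
    print("top:", top_rules(totals, 3))
    print("dead:", dead_rules(totals))
```

Run from cron and persist the `store` dict (JSON is enough) to keep the accumulated totals across the reloads; a rule that stays in `dead_rules` over a representative period is the candidate for removal Curium describes, and `top_rules` gives the ordering for moving busy rules up.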

Offline nsnetworks (Newbie, Posts: 10, Karma: +1/-0)
Re: Firewall Rules hit counter - $150
« Reply #14 on: April 05, 2013, 01:54:45 am »
I used to have some code that would do a traffic graph based on a rule, I could dig that up and see if I could make it work on pfsense if you'd be interested, basically a bandwidth graph on a per rule basis.