Options
-i
Displays currently loaded rules for inbound packets.
-o
Displays currently loaded rules for outbound packets.
-h
Displays the hit count for each rule as well as the rules
themselves. Use with -i or -o options.
-s
Displays state table statistics.
-sl
Displays detailed state table statistics.
-n
Displays the number of each rule next to the rule itself.
-L
Displays global limit statistics.
-v-L
Displays detailed global limit statistics.
-r <group:rule>
Displays the limit statistic by rule number.
-v
Sets verbose mode. Use for debugging.
Examples

# ipfstat
dropped packets: in 0 out 0
non-data packets: in 0 out 0
no-data packets: in 0 out 0
non-ip packets: in 0 out 0
bad packets: in 0 out 0
copied messages: in 0 out 0
input packets: blocked 15 passed 2647 nomatch 2537 counted 0 short 0
output packets: blocked 0 passed 245 nomatch 141 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
TCP connections: in 5 out 50
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 5 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 14 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0) none
The TCP connections statistics are derived from the number of states added
and are valid only in the context of stateful filtering. These statistics
are accurate only when keep limit or keep state rules are used for all TCP connections.
For example, you have the following ruleset:
pass in log limit freq 500 quick proto tcp from any to any port = 80 keep limit 100
pass in log quick proto tcp from any to any port = 25 flags S keep state
pass in log quick proto tcp from any to any port = 23
pass out log quick proto tcp from any port = 23 to any
With this ruleset, only connections that match the first two
rules are counted. Both the third and fourth rules allow telnet connections, but
telnet connections are not counted, because the system is not keeping
state on those connections.
Example:
2451423 pass out on lan0 from any to any
354727 block out on ppp0 from any to any
430918 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
The hit counts in this report show that the ruleset may not be working
as intended: many outbound packets are being blocked on ppp0 even though a pass out rule is configured to pass most outbound packets.
ipfstat cannot indicate whether a ruleset is configured correctly.
It can only display what is happening at the present time with a
given ruleset.
Use the -n option to display the rule number
next to each rule. The rule number is displayed as @group:rule. This can help you determine which rules are incorrectly
configured. For example:
@0:1 pass out on lan0 from any to any
@0:2 block out on ppp0 from any to any
@0:3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
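As an added example (not part of the original documentation), the Python below parses a hit-count listing in the layout shown above and reports, per direction and interface, how much of the counted traffic hits block rules; a large blocked share on an interface that also carries a broad pass out rule is the symptom just described. The sample input and the handling of an optional leading @group:rule tag are constructed assumptions, not output taken from this page.

```python
import re
from collections import defaultdict

# Constructed sample in the ipfstat -h hit-count layout shown on this page.
SAMPLE_HIT_LIST = """\
2451423 pass out on lan0 from any to any
354727 block out on ppp0 from any to any
430918 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags
"""

# Hit count, action, direction, optional log/quick keywords, optional "on <iface>".
# A leading @group:rule tag (printed by -n) is tolerated; its position before the
# hit count in combined -nh output is an assumption, not documented on the page.
RULE_RE = re.compile(
    r"^(?:(?P<tag>@\d+:\d+)\s+)?(?P<hits>\d+)\s+(?P<action>pass|block)\s+"
    r"(?P<direction>in|out)\b(?:\s+(?:log|quick))*(?:\s+on\s+(?P<iface>\S+))?"
)

def parse_hit_counts(text):
    """One dict per parsable rule line; rules without 'on' get iface '*'."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["hits"] = int(d["hits"])
            d["iface"] = d["iface"] or "*"
            rules.append(d)
    return rules

def block_share(rules):
    """Per (direction, iface): (block hits, pass hits, blocked share of both)."""
    totals = defaultdict(lambda: {"block": 0, "pass": 0})
    for r in rules:
        totals[(r["direction"], r["iface"])][r["action"]] += r["hits"]
    out = {}
    for key, t in totals.items():
        seen = t["block"] + t["pass"]
        out[key] = (t["block"], t["pass"], t["block"] / seen if seen else 0.0)
    return out

def flag_block_heavy(rules, threshold=0.25):
    """Interfaces whose blocked share reaches the threshold, worst first: the
    symptom the page describes when a broad pass rule should be matching."""
    shares = block_share(rules)
    hot = [(d, i, s[2]) for (d, i), s in shares.items() if s[2] >= threshold]
    return sorted(hot, key=lambda x: -x[2])

for direction, iface, share in flag_block_heavy(parse_hit_counts(SAMPLE_HIT_LIST)):
    print(f"{direction} on {iface}: {share:.0%} of counted packets blocked")
```

On the sample, ppp0 reports about 45% of its counted outbound packets blocked, which is the cue to run ipfstat -n and inspect rules @0:2 and @0:3.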
The following example uses the -s option
to display the state table.
# ipfstat -s
281458 TCP
319349 UDP
0 ICMP
19780145 hits
5723648 misses
0 maximum
0 no memory
0 bkts in use
1 active
319349 expired
281419 closed
A TCP connection has one state entry. One fully established
connection is represented by the 4/4 state. Other states are incomplete
and will be documented later. The state entry has a time-to-live (TTL) of
24 hours, which is the default for an established TCP connection.
The TTL counter is decremented every second that the state entry
is not used, so a connection that is left idle is eventually purged.
The TTL counter is reset to 86400 whenever the state is used,
ensuring the entry will not time out while it is being actively
used. 196 packets consisting of about 17KB worth of data have been
passed over this connection. The ports for the endpoints are 987
and 22; this state entry represents a connection from 100.100.100.1
port 987 to 20.20.20.1 port 22. The numbers in the second line are
the TCP sequence numbers for this connection. These numbers help
ensure that an attacker cannot insert a forged packet into your
session. The TCP window is also shown. The third line is a synopsis
of the implicit rule generated by the keep state code showing that this is an inbound connection.
The ipfstat -sl option is often used in place of ipfstat -s to show the state information held in the kernel, if any is present.
ipfstat -sl gives detailed information for each state entry that
is active.
The following is an example of the output information of the ipfstat -sl option:
# ipfstat -sl
empty list for ipfilter(out)
1 pass in quick proto tcp from 15.13.106.175/32 to any keep state
# ipfstat -sl
15.13.106.175 -> 15.13.137.135 ttl 872678 pass 0x500a pr 6 state 4/4
        pkts 31 bytes 1564 57906 -> 23 22c0861c:712c2bd9 32768:32768
        cmsk 0000 smsk 0000 isc 0000000000000000 s0 22c085e0/712c2b7f
        sbuf[0] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0] sbuf[1] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]
        pass in quick keep state IPv4
        pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        interfaces: in lan0[00000000480baf00] out -[0000000000000000]
The following is an example of the output information of the ipfstat -L option.

Current connections to limited IP addresses
Connection Type   Active Limits
Individual        2
Subnet            3
Cumulative        5
Unknown IP        9
Total             19
No Memory         0
Logged Records    13
Log Failures      0
Limits Added      13
Add Failures      0
The first six lines display the number
of current active connections of each described type.
No Memory is the number of times a limit entry could not
be created because no memory was available. If this is a non-zero,
positive value, then the system memory should be checked and, if
necessary, increased.
Logged Records is the number of limit entries logged, both summary
and alert log records.
Log Failures is the number of times log entries have not been logged.
A non-zero, positive value for Log Failures indicates that the size of the kernel log buffer
is small. The kernel log buffer ipl_buff_sz should be set to an appropriate value.
Limits Added is the number of limit entries that have been
added.
Add Failures is the number of times a limit entry could not
be created. This happens when a state entry is not added. The output
of ipfstat -s should be used to further diagnose the problem.
These statistics are cumulative. They are automatically reset
to zero when the ipf module is unloaded and loaded again.
See “Additional Configuration Information” for more information on setting the size of the state table, limit table,
and log buffer.
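As an added example (not part of the original documentation), the Python below parses the ipfstat -L counters and turns the guidance above into checks: No Memory, Log Failures and Add Failures are flagged when non-zero, and a second helper compares two snapshots of the cumulative counters and detects a reload of the ipf module (a counter that went down). The sample output is the page's table with two failure counters raised to non-zero values, and is constructed for this example.

```python
import re

# Constructed ipfstat -L output: the page's sample counters, with Log Failures
# and Add Failures raised above zero to exercise the checks.
SAMPLE_L = """\
Current connections to limited IP addresses
Connection Type   Active Limits
Individual        2
Subnet            3
Cumulative        5
Unknown IP        9
Total             19
No Memory         0
Logged Records    13
Log Failures      2
Limits Added      13
Add Failures      1
"""

COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+(?P<value>\d+)\s*$")
# Counters the page calls cumulative (reset only when the ipf module is reloaded).
CUMULATIVE = ("No Memory", "Logged Records", "Log Failures", "Limits Added", "Add Failures")

def parse_limit_stats(text):
    """Map each '<name> <count>' line to an int; title and header lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters

def limit_health(counters):
    """Findings from the page's guidance on non-zero failure counters."""
    findings = []
    if counters.get("No Memory", 0) > 0:
        findings.append("No Memory > 0: limit entries dropped, check and increase system memory")
    if counters.get("Log Failures", 0) > 0:
        findings.append("Log Failures > 0: kernel log buffer too small, raise ipl_buff_sz")
    if counters.get("Add Failures", 0) > 0:
        findings.append("Add Failures > 0: state entries not added, diagnose with ipfstat -s")
    return findings

def counter_delta(previous, current):
    """Growth of each cumulative counter between snapshots; None marks a counter
    that went down, i.e. the module was reloaded and the baseline is stale."""
    return {k: (current[k] - previous[k]) if current[k] >= previous[k] else None
            for k in CUMULATIVE if k in previous and k in current}
```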
The following is an example of the output information of the ipfstat -v-L option:

Type Rule    Src IP     Src Port Dest IP     Dest Port Limit Current
S    @0:3    10.39.1.2  *        10.133.1.5  80        50000 951 (0)
S    @0:1    10.2.1.2   *        10.129.1.5  80        50000 942 (0)
U    @0:1000 10.30.1.2  *        10.130.1.5  80        10    10 (102)
U    @0:1000 10.30.1.3  *        10.130.1.5  80        10    9 (501)
U    @0:1000 10.30.1.4  *        10.130.1.5  80        10    10 (100)
U    @0:1000 10.30.1.5  *        10.130.1.5  80        10    10 (118)
U    @0:1000 10.30.1.6  *        10.130.1.5  80        10    10 (196)
U    @0:1000 10.30.1.7  *        10.130.1.5  80        10    10 (198)
U    @0:1000 10.30.1.8  *        10.130.1.5  80        10    10 (104)
U    @0:1000 10.30.1.0  *        10.130.1.5  80        10    10 (111)
U    @0:1000 10.49.1.2  *        10.131.1.5  80        10    10 (55)
U    @0:1000 10.49.1.3  *        10.131.1.5  80        10    10 (53)
U    @0:1000 10.49.1.4  *        10.131.1.5  80        10    10 (102)
U    @0:1000 10.49.1.5  *        10.131.1.5  80        10    9 (52)
U    @0:1000 10.49.1.6  *        10.131.1.5  80        10    9 (52)
U    @0:1000 10.49.1.7  *        10.131.1.5  80        10    10 (103)
U    @0:1000 10.49.1.8  *        10.131.1.5  80        10    10 (120)
U    @0:1000 10.49.1.9  *        10.131.1.5  80        10    10 (50)
S    @0:1000 10.40.1.2  *        10.134.1.5  80        50000 943 (0)
U    @0:1000 10.46.1.2  *        10.128.1.5  80        10    10 (49)
U    @0:1000 10.46.1.3  *        10.128.1.5  80        10    10 (41)
The Type column displays the type
of limit being kept:
I—Fully resolved individual IP
S—IP subnet
C—Cumulative
U—Unknown IP
These limit entries are created through the default rule.
See “DCA Keywords” for detailed information on the different types of limit entries.
The Rule column displays the rule number that caused
the creation of this limit entry. This information can in turn be
used to get per-rule statistics using the ipfstat -r command.
The third through sixth columns display the source and destination IP-port
pairs of the TCP connection.
The Limit column displays the configured limit specified
in the keep limit rule.
The Current column displays the number of fully
established connections under that limit entry. The figure in the
parenthesis indicates the number of times the configured limit was
exceeded. For example, the first entry shows that, even though the
IP address 15.10.40.10 currently has two active connections, it
had exceeded the configured limit of 10 connections twice. These
numbers can serve as a guide for adjusting and tuning the limit value
for an IP address or IP subnet.
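As an added example (not part of the original documentation), the Python below parses rows of the ipfstat -v -L table described above, lists the entries that are at their limit or have exceeded it (the ones worth tuning), and aggregates per @group:rule so the totals can be compared with ipfstat -r <group:rule>. The sample rows are a constructed subset of the page's table.

```python
import re
from collections import defaultdict

# Constructed subset of the ipfstat -v -L table shown above; the page prints the
# exceeded count both as "10(102)" and "9 (501)", so both spacings are accepted.
SAMPLE_TABLE = """\
Type Rule    Src IP     Src Port Dest IP     Dest Port Limit Current
S    @0:3    10.39.1.2  *        10.133.1.5  80        50000 951 (0)
U    @0:1000 10.30.1.2  *        10.130.1.5  80        10    10(102)
U    @0:1000 10.30.1.3  *        10.130.1.5  80        10    9 (501)
U    @0:1000 10.49.1.5  *        10.131.1.5  80        10    9 (52)
"""

ROW_RE = re.compile(
    r"^(?P<type>[ISCU])\s+(?P<rule>@\d+:\d+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<limit>\d+)\s+(?P<current>\d+)\s*\((?P<exceeded>\d+)\)$"
)
TYPE_NAMES = {"I": "individual", "S": "subnet", "C": "cumulative", "U": "unknown"}

def parse_limit_table(text):
    """One dict per data row; the Type letter is expanded to the page's names."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            r = m.groupdict()
            for k in ("limit", "current", "exceeded"):
                r[k] = int(r[k])
            r["type"] = TYPE_NAMES[r["type"]]
            rows.append(r)
    return rows

def pressure(rows):
    """Entries at their limit or that have ever exceeded it, most exceeded first;
    these are the entries whose limit value the page suggests tuning."""
    hot = [r for r in rows if r["current"] >= r["limit"] or r["exceeded"] > 0]
    return sorted(hot, key=lambda r: (-r["exceeded"], -r["current"]))

def per_rule(rows):
    """Totals per @group:rule, so they can be compared with ipfstat -r <group:rule>."""
    agg = defaultdict(lambda: {"entries": 0, "current": 0, "exceeded": 0})
    for r in rows:
        a = agg[r["rule"]]
        a["entries"] += 1
        a["current"] += r["current"]
        a["exceeded"] += r["exceeded"]
    return dict(agg)
```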
The following is an example of the output information of the ipfstat -r <group:rule> option.

Limit Type                  Individual
Group:Rule Number           @0:6
Configured Limit            7
Current connections         3
Limit Exceeded (#times)     33
TCP RSTs sent (#times)      33
In this example, rule number 6 created a limit entry of type Individual. The rule specifies a connection limit of 7. There
are three current connections using this rule. The limit has been
exceeded 33 times. return-rst was set, so a TCP reset was sent each time an attempt
was made to exceed the configured limit.
If the rule is deleted or switched to the inactive set, @(del) is displayed in the Group:Rule Number field.