OpenBSD pf states monitoring

The simple recipe is to add this to root’s cron:

```sh
/usr/bin/gmetric -c /etc/gmond.conf -n pf_states -v $(/usr/local/sbin/pftop -b | grep pfTop | cut -d/ -f2 | cut -d, -f1) -t int32 -d 120 2>&1 | logger -t pf_states
```

and install the pftop package along with a gmetric binary and a working /etc/gmond.conf configuration file. It might be advantageous to check for the maximum number of states as well.
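As an added example (not part of the original post), the shell functions below pull the current state count and the state table's hard limit out of `pfctl -s info` and `pfctl -s memory` output, which avoids depending on pftop, and turn them into gmetric invocations using the same flags as the cron line above. The pfctl output embedded here is a constructed sample, and the metric names pf_state_limit and pf_state_pct are my own choice, not names the post uses.

```shell
#!/bin/sh
# Added example: report pf state-table utilisation, not just the raw count,
# so a Ganglia graph shows how close the table is to its hard limit.

# Constructed sample of `pfctl -s info` (only the State Table block matters here).
SAMPLE_INFO='Status: Enabled for 12 days 03:14:07           Debug: err

State Table                          Total             Rate
  current entries                     4231
  searches                       123456789          116.8/s
  inserts                          1234567            1.2/s
  removals                         1230336            1.2/s'

# Constructed sample of `pfctl -s memory`.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000'

# pf_current_states: read `pfctl -s info` text on stdin, print current entries.
pf_current_states() {
    awk '/^ *current entries/ { print $3; exit }'
}

# pf_state_limit: read `pfctl -s memory` text on stdin, print the states hard limit.
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# pf_state_pct: integer percentage of the state table in use, given current and limit.
# Prints 0 and fails if the limit is not a positive number.
pf_state_pct() {
    current=$1; limit=$2
    [ "$limit" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( current * 100 / limit ))
}

# gmetric_cmd: build the gmetric invocation for a named int32 metric (printed, not run).
gmetric_cmd() {
    printf '/usr/bin/gmetric -c /etc/gmond.conf -n %s -v %s -t int32 -d 120\n' "$1" "$2"
}

# Stand-alone run over the constructed samples.  In root's cron, replace the two
# printf pipelines with `pfctl -s info` and `pfctl -s memory` and pipe the commands
# into sh (assumed: pfctl and gmetric are in root's PATH).
cur=$(printf '%s\n' "$SAMPLE_INFO" | pf_current_states)
lim=$(printf '%s\n' "$SAMPLE_MEMORY" | pf_state_limit)
gmetric_cmd pf_states "$cur"
gmetric_cmd pf_state_limit "$lim"
gmetric_cmd pf_state_pct "$(pf_state_pct "$cur" "$lim")"
```

Graphing pf_state_pct alongside pf_states is what makes a climbing count meaningful: a few thousand states is harmless on a table sized for 100000 and an outage in the making on one sized for 10000.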

In addition, you might want to know which pf rules are passing how much traffic. A nice easy way of doing this is to create this file as ./pfstates (make it executable, of course):

```perl
#!/usr/bin/perl
# pfstates
# jeff@ourexchange.net
#
# Reads "pfctl -v -s rules" on stdin.  pfctl prints three lines per rule:
# the rule itself, a counter line ("[ Evaluations: ... States: N ]") and an
# "[ Inserted: ... ]" line.  Print "[N] rule" for every rule with at least
# $limit active states; rules with zero states are always skipped.
use strict;
use warnings;

my $limit = shift || 0;

my $seg = 0;    # which of the rule's three lines we are on (0, 1 or 2)
my @s;          # the three lines of the current rule

while (defined(my $line = <STDIN>)) {
        chomp $line;
        $s[$seg] = $line;
        if ($seg == 2) {
                $seg = 0;
                if ($s[1] !~ /States: 0/) {
                        my $states = 0;
                        if ($s[1] =~ m/States: (\d+)/) {
                                $states = $1;
                        }
                        if ($states >= $limit) {
                                print "[$states] $s[0]\n";
                        }
                }
        } else {
                $seg++;
        }
}
```

Then pipe pfctl's verbose rule listing into it:

```sh
pfctl -v -s rules | ./pfstates
```

Optionally you could add a “minimum level” of connections you want to see:

```sh
pfctl -v -s rules | ./pfstates 100
```

for example to see only rules passing 100 or more active connections.
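As an added example (not the post's own pfstates script), here is the same per-rule state report written in awk. It goes a little beyond the Perl version: it keys on line shape (rule lines start in column 1, counter lines are indented) instead of counting lines in threes, and it sorts the output so the busiest rule comes first. The `pfctl -v -s rules` output embedded below is a constructed sample, and the function name pf_rule_states is my own.

```shell
#!/bin/sh
# Added example: per-rule pf state counts from "pfctl -v -s rules", awk edition.
# Like the original pfstates script it skips rules with zero states and takes
# an optional minimum state count.

# Constructed sample of `pfctl -v -s rules` output (three lines per rule).
SAMPLE_RULES='pass in quick on em0 proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 10234     Packets: 55120     Bytes: 6210330    States: 12    ]
  [ Inserted: uid 0 pid 41652 State Creations: 340   ]
block drop in on em0 all
  [ Evaluations: 9102      Packets: 811       Bytes: 48660      States: 0     ]
  [ Inserted: uid 0 pid 41652 State Creations: 0     ]
pass out on em0 proto tcp from any to any port = 443 flags S/SA keep state
  [ Evaluations: 8800      Packets: 1200331   Bytes: 980112233  States: 157   ]
  [ Inserted: uid 0 pid 41652 State Creations: 5120  ]'

# pf_rule_states [LIMIT]: read pfctl's verbose rule listing on stdin and print
# "[states] rule" for each rule with at least LIMIT (default 0) active states,
# busiest rule first.
pf_rule_states() {
    limit=${1:-0}
    awk -v limit="$limit" '
        # A rule line starts in column 1; remember it for the counter line.
        /^[^ \t]/ { rule = $0; next }
        # Counter line: the number follows "States: " (8 characters).
        # "State Creations:" on the Inserted line does not match this pattern.
        match($0, /States: [0-9]+/) {
            states = substr($0, RSTART + 8, RLENGTH - 8) + 0
            if (states > 0 && states >= limit)
                printf "%d\t%s\n", states, rule
        }' \
    | sort -rn \
    | awk -F '\t' '{ printf "[%s] %s\n", $1, $2 }'
}

# Stand-alone run on the constructed sample.
# On a firewall:  pfctl -v -s rules | pf_rule_states 100
printf '%s\n' "$SAMPLE_RULES" | pf_rule_states 0
```

Sorting by state count is the part worth keeping: on a ruleset of a few hundred lines the rule quietly holding most of the table is what you want at the top, whether that is a legitimately busy service or a rule that should have been written with a state limit.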