===========
Diagnostics
===========

-----------------------------------------
Aliases
-----------------------------------------

Gives detailed insight into the loaded aliases and their contents. When an alias has **Statistics** enabled, these are
shown too.

It's also possible to manually adjust the contents, using **Quick add address** or the delete button.

.. Note::

    When deleting items, keep in mind that the regular update process might put the address (or network) back in, since
    deletion isn't persistent.

.. Tip::

    Use "Find references" to check if an address would match any configured aliases, which is very practical for debugging
    purposes, since it will also check if an address fits a network (such as 10.0.0.2 fits in 10.0.0.0/24).

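The matching rule described in the tip above, as an added illustration (not OPNsense's own code): an address references an alias when it equals a host entry or falls inside a network entry. The alias names and contents are constructed sample data, and ``find_references`` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample aliases; names and contents are made up for this example.
SAMPLE_ALIASES = {
    "lan_hosts": ["10.0.0.0/24", "10.0.1.15"],
    "mgmt_net": ["10.0.0.0/28", "fd00:10::/64"],
    "blocklist": ["198.51.100.0/24", "bad.example.org"],
}


def find_references(address, aliases):
    """Return {alias name: [matching entries]} for every alias containing address."""
    addr = ipaddress.ip_address(address)
    hits = {}
    for name, entries in aliases.items():
        for entry in entries:
            try:
                # A bare address parses as a /32 (or /128) network, so host
                # entries and network entries go through the same check.
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                # Hostnames and other non-IP entries cannot be matched offline.
                continue
            # Never match an IPv4 address against an IPv6 entry or vice versa.
            if net.version == addr.version and addr in net:
                hits.setdefault(name, []).append(entry)
    return hits


if __name__ == "__main__":
    for probe in ("10.0.0.2", "10.0.0.200", "fd00:10::5", "192.0.2.1"):
        print(probe, "->", find_references(probe, SAMPLE_ALIASES))
```

An address can be referenced by several aliases at once (here ``10.0.0.2`` sits in both ``lan_hosts`` and ``mgmt_net``), which is the overlap worth checking when a rule matches unexpectedly.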

-----------------------------------------
Sessions
-----------------------------------------

Utilises `pftop <https://www.freebsd.org/cgi/man.cgi?query=pftop>`__ to offer a detailed view on the active sessions
and their traffic counters.

The following fields are available in the grid:

==========================================================================================================================

========================= ================================================================================================
Dir                       Direction (in :code:`->` or out :code:`<-`)
Proto                     Protocol in question
Source                    Source address and port
Gateway                   Address and port this session is being translated to using NAT
Destination               Destination address and port
State                     State at source:destination, see tables in States section
Age (sec)                 The number of seconds since the state was created
Expires (sec)             The number of seconds left before the state expires.
Pkts                      Number of packets processed by the state
Bytes                     Number of bytes processed by the state
Rule                      Rule this state (most likely) belongs to
========================= ================================================================================================

-----------------------------------------
States
-----------------------------------------

Offers insight into the state table (pf), with the ability to search for specific states and remove them.
It is also possible to reset all states and/or the source tracking tables from here. Use the state table
reset with care, as it drops all active connections.

If you use the grid search to look for states, or used the **Inspect** button on the firewall rules page and
opened the state view, you will see a button that allows you to kill all states that match the criteria.

.. Note::

    The state table tries to connect states to rules, but since these are referred to by rule number (sequence) in :code:`pf(4)`
    these aren't always accurate after changes to the rules.

The following fields are available in the grid:

==========================================================================================================================

========================= ================================================================================================
State id                  Unique internal identifier describing the state and the origin (creator)
Int                       Bound to which interface, by default this is all unless "Bind states to interface" is set
                          in :menuselection:`Firewall->Settings->Advanced`
Dir                       Direction (in :code:`->` or out :code:`<-`)
Proto                     Protocol in question
Source                    Source address and port
Nat                       Address and port this session is being translated to using NAT
Destination               Destination address and port
State                     State at source:destination,
                          see the next tables for the available states and their explanations
Rule                      Rule this state (most likely) belongs to
Command                   Button to drop a specific state (State id)
========================= ================================================================================================

List of available TCP states (as defined by `RFC 793 <https://www.rfc-editor.org/rfc/rfc793>`__)

==========================================================================================================================

========================= ================================================================================================
LISTEN                    Represents waiting for a connection request from any remote TCP and port.
SYN_SENT                  Represents waiting for a matching connection request after having sent a connection request.
SYN_RCVD                  Represents waiting for a confirming connection request acknowledgment
                          after having both received and sent a connection request.
ESTABLISHED               Represents an open connection, data received can be delivered to the user.
                          The normal state for the data transfer phase of the connection.
FIN_WAIT_1                Represents waiting for a connection termination request from the remote TCP,
                          or an acknowledgment of the connection termination request previously sent.
FIN_WAIT_2                Represents waiting for a connection termination request from the remote TCP.
CLOSE_WAIT                Represents waiting for a connection termination request from the local user.
CLOSING                   Represents waiting for a connection termination request acknowledgment from the remote TCP.
LAST_ACK                  Represents waiting for an acknowledgment of the connection termination request
                          previously sent to the remote TCP (which includes an acknowledgment of
                          its connection termination request).
TIME_WAIT                 Represents waiting for enough time to pass to be sure the remote TCP received the
                          acknowledgment of its connection termination request.
CLOSED                    Represents no connection state at all
========================= ================================================================================================

List of available UDP/Other states (man `pf.conf(5) <https://www.freebsd.org/cgi/man.cgi?pf.conf(5)>`__)

==========================================================================================================================

========================= ================================================================================================
NO_TRAFFIC                No traffic for this direction
SINGLE                    The state if the source host sends more than one packet but the destination host has never sent one back.
MULTIPLE                  The state if both hosts have sent packets.
========================= ================================================================================================

-----------------------------------------
Statistics
-----------------------------------------

Various detailed statistics gathered from `pfctl <https://www.freebsd.org/cgi/man.cgi?query=pfctl>`__,
such as packet counters per interface, memory limits, configured timeouts and detailed active rules.