From 61e9d6d7d10b85dbf24512d7dbf6e1dbff206472 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Tue, 27 Aug 2019 18:05:40 +0200 Subject: [PATCH] rearrange diagnostics pages and add some more context --- source/firewall.rst | 2 +- source/interfaces.rst | 2 +- source/manual/diagnostics.rst | 33 ----------- source/manual/diagnostics_firewall.rst | 64 ++++++++++++++++++++ source/manual/diagnostics_interfaces.rst | 75 ++++++++++++++++++++++++ source/manual/diagnostics_system.rst | 32 ++++++++++ source/system.rst | 2 +- 7 files changed, 174 insertions(+), 36 deletions(-) delete mode 100644 source/manual/diagnostics.rst create mode 100644 source/manual/diagnostics_firewall.rst create mode 100644 source/manual/diagnostics_interfaces.rst create mode 100644 source/manual/diagnostics_system.rst diff --git a/source/firewall.rst b/source/firewall.rst index ed69c067..ce284728 100644 --- a/source/firewall.rst +++ b/source/firewall.rst @@ -27,7 +27,7 @@ These are all combined in the firewall section. manual/how-tos/shaper manual/how-tos/carp manual/logging_firewall - manual/diagnostics + manual/diagnostics_firewall --------------- diff --git a/source/interfaces.rst b/source/interfaces.rst index bd0bc6da..30318897 100644 --- a/source/interfaces.rst +++ b/source/interfaces.rst @@ -16,11 +16,11 @@ All traffic flowing through your appliance is using (virtual) interfaces, this i :titlesonly: manual/interfaces - manual/diagnostics manual/interfaces_settings manual/other-interfaces manual/mobile_wan manual/ipv6 + manual/diagnostics_interfaces manual/logging_interfaces --------------- diff --git a/source/manual/diagnostics.rst b/source/manual/diagnostics.rst deleted file mode 100644 index a61dfaae..00000000 --- a/source/manual/diagnostics.rst +++ /dev/null 
@@ -1,33 +0,0 @@ -=========== -Diagnostics -=========== - -In order to get more insight into your network, and to help solve problems, OPNsense contains several diagnostic tools. - -The tools can be found in three places: - -* :menuselection:`System --> Diagnostics` -* :menuselection:`Interfaces --> Diagnostics` (plus one under :menuselection:`Interfaces --> Overview` -* :menuselection:`Firewall --> Diagnostics` - -The following tools are available: - -================================================================== =========================================================================== - :menuselection:`System --> Diagnostics --> Activity` Show executed commands - :menuselection:`System --> Diagnostics --> Services` Shows running services, allows starting/stopping/restarting - :menuselection:`Interfaces --> Diagnostics --> ARP Table` Show ARP table, which lists local connected IPv4 peers - :menuselection:`Interfaces --> Diagnostics --> DNS Lookup` Easy lookup of IPs and A records that belong to a hostname - :menuselection:`Interfaces --> Diagnostics --> NDP Table` Show NDP table, which lists local connected IPv6 peers - :menuselection:`Interfaces --> Diagnostics --> Packet capture` Capture packets travelling through an interface - :menuselection:`Interfaces --> Diagnostics --> Ping` Ping a hostname or IP address - :menuselection:`Interfaces --> Diagnostics --> Port Probe` Test if a host has a certain TCP port open and accepts connections on it - :menuselection:`Interfaces --> Diagnostics --> Trace Route` Trace route to a hostname or IP address - :menuselection:`Interfaces --> Overview` Shows status, addresses, packet counts, etc. 
per interface - :menuselection:`Firewall --> Diagnostics --> pfInfo` General information and statistics for pf - :menuselection:`Firewall --> Diagnostics --> pfTop` Currently active pf states and routes - :menuselection:`Firewall --> Diagnostics --> pfTables` Shows IP addresses belonging to aliases - :menuselection:`Firewall --> Diagnostics --> Sockets` Shows listening sockets for IPv4 and IPv6 - :menuselection:`Firewall --> Diagnostics --> States Dump` Currently active states - :menuselection:`Firewall --> Diagnostics --> States Reset` Delete active states and source tracking (cancels connections) - :menuselection:`Firewall --> Diagnostics --> States Summary` Show states sorted by criteria like source IP, destination IP, … -================================================================== =========================================================================== diff --git a/source/manual/diagnostics_firewall.rst b/source/manual/diagnostics_firewall.rst new file mode 100644 index 00000000..3874b8e7 --- /dev/null +++ b/source/manual/diagnostics_firewall.rst 
@@ -0,0 +1,64 @@ +=========== +Diagnostics +=========== + +----------------------------------------- +pfInfo +----------------------------------------- + +Various detailed statistics gathered from `pfctl `__, +such as packet counters per interface, memory limits, configured timeouts and detailed active rules. + +----------------------------------------- +pfTop +----------------------------------------- + +`pftop `__ displays the active packetfilter states and rules, and periodically updates this information. + +----------------------------------------- +pfTables +----------------------------------------- + +Detailed insight into loaded aliases and their content. When an alias has **Statistics** enabled, it will show these +too. + +It's also possible to manually adjust the contents, using **Quick add address** or the delete button. + +.. Note:: + + When deleting items, keep in mind that the regular update process might put the address (or network) back in, since + deletion isn't persistent. + +.. Tip:: + + Use "Find references" to check if an address would match any configured aliases, which is very practical for debugging + purposes, since it will also check if an address fits a network (such as 10.0.0.2 fits in 10.0.0.0/24). + + +----------------------------------------- +Sockets +----------------------------------------- + +Shows listening (or all) sockets for IPv4 and IPv6 + +----------------------------------------- +States Dump +----------------------------------------- + +Insight into the state table (pf), offers the ability to search for specific states and removal. + +----------------------------------------- +States Reset +----------------------------------------- + +Delete all active states and source tracking (cancels connections) + +.. 
Warning:: + + Handle with care, a state reset will discard all active connections, in which case clients might have to reconnect + +----------------------------------------- +States Summary +----------------------------------------- + +Show states sorted by criteria like source IP, destination IP, … diff --git a/source/manual/diagnostics_interfaces.rst b/source/manual/diagnostics_interfaces.rst new file mode 100644 index 00000000..f345dc57 --- /dev/null +++ b/source/manual/diagnostics_interfaces.rst 
@@ -0,0 +1,75 @@ +=========== +Diagnostics +=========== + +The interface diagnostics page contains various tools to help debug network issues. + +--------------------- +ARP Table +--------------------- + +The `ARP `__ table module shows all MAC addresses known by this firewall. + +============================================================================================================================================== + +=========================== ================================================================================================================== +IP IPv4 address +MAC `MAC `__ address +Manufacturer Manufacturer looked up with the mac address above +Interface Associated interface +Interface name The name of the interface if found +Hostname In case of a DHCPv4 client, the hostname when found in the leases file +=========================== ================================================================================================================== + +--------------------- +DNS Lookup +--------------------- + +Perform a quick dns lookup from the firewall. + +--------------------- +NDP Table +--------------------- + +Show addresses learned by the `Neighbor Discovery Protocol `__ for IPv6. 
+ +============================================================================================================================================== + +=========================== ================================================================================================================== +IPv6 IPv6 address +MAC `MAC `__ address +Manufacturer Manufacturer looked up with the mac address above +Interface Associated interface +Interface name The name of the interface if found +=========================== ================================================================================================================== + + +--------------------- +Packet capture +--------------------- + +The packet capture module can be used to deep dive into traffic passing a (or multiple) network interfaces. +It has some options you can choose from, such as the interface to listen on, protocol you interested in and +host to track. + +Packet capture uses `tcpdump `__ and runs in the background. After a capture is performed you can +either look into it using the **View capture** button or download the pcap file to inspect it in an external tool, such as `Wireshark `__. + +--------------------- +Ping +--------------------- + +Use ping to establish if a remote host can be reached using ICMP. + +--------------------- +Port Probe +--------------------- + +Test if a host has a certain TCP port open and accepts connections on it. + +--------------------- +Trace Route +--------------------- + +Use `traceroute `__ / `traceroute6 `__ +to measure the path traffic would follow when trying to reach a specific host. diff --git a/source/manual/diagnostics_system.rst b/source/manual/diagnostics_system.rst new file mode 100644 index 00000000..00bd5916 --- /dev/null +++ b/source/manual/diagnostics_system.rst 
@@ -0,0 +1,32 @@ +=========== +Diagnostics +=========== + +------------------------------- +Activity +------------------------------- + +The activity module shows current active processes and their details, you can search within the list of activities, fetch +general information (like load averages, number of processes, etc.) using the info button in the footer of the grid. + +============================================================================================================================================== + +=========================== ================================================================================================================== +PID The process id of this process +USERNAME Username executed this process +PRI Current priority of the process +NICE NICE is the `nice `__ amount (in the range -20 to 20) +SIZE Total size of the process (text, data, and stack) +RES Current amount of resident memory, RAM currently in use by the process +C is the processor number on which the process is executing (visible only on SMP systems) +TIME The number of system and user cpu seconds that the process has used +WCPU Weighted cpu percentage +COMMAND Command string +=========================== ================================================================================================================== + + +------------------------------- +Services +------------------------------- + +The services page shows the configured services and status, you can stop/start/restart all of them here. diff --git a/source/system.rst b/source/system.rst index fccc352c..2de6a49a 100644 --- a/source/system.rst +++ b/source/system.rst @@ -27,7 +27,7 @@ activities. manual/settingsmenu manual/certificates manual/logging_system - manual/diagnostics + manual/diagnostics_system ---------------
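Review bot: the hunk deleting source/manual/diagnostics.rst drops the `Interfaces --> Overview` row ("Shows status, addresses, packet counts, etc. per interface"), and none of the three new pages has a section for it. Either add an Overview section to diagnostics_interfaces.rst or say where it is now documented. The deleted page was also the only place that gave the :menuselection: path for each tool. All three new pages carry the same title, "Diagnostics", and none states its menu location, so a one-line :menuselection: reference at the top of each would keep that information.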
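Review bot: in the pfTables section of the new diagnostics_firewall.rst, the Note only covers deletions ("deletion isn't persistent"), while the sentence before it also offers **Quick add address**. State whether a quick-added address is likewise lost on the next alias update, and where to make the change so that it lasts, because an operator who adds or removes an address here to block or allow a host needs to know the table may revert. Smaller points in the same hunk: the Sockets and States Reset descriptions and the Warning text have no closing period, and "offers the ability to search for specific states and removal" would read better as "lets you search for specific states and remove them".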
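Review bot: in the Packet capture section of the new diagnostics_interfaces.rst, "protocol you interested in" is missing "are", and "passing a (or multiple) network interfaces" is awkward; suggest "traffic passing one or more network interfaces" and "the protocol you are interested in". In the same hunk, "dns lookup" should be "DNS lookup", and "mac address" in the Manufacturer row of both the ARP and NDP tables should be "MAC address" to match the row above it. Since the section tells the reader to download the pcap file, consider adding a sentence that the capture can contain the contents of the traffic that crossed the interface and that the downloaded file should be stored accordingly.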
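Review bot: in the Activity table of the new diagnostics_system.rst, two rows do not match the form of the others. "Username executed this process" in the USERNAME row should read "User that executed this process", and the C row starts mid-sentence ("is the processor number ..."), so begin it with "Processor number on which the process is executing". The NICE row repeats its own column name ("NICE is the ... amount"); "Nice value (in the range -20 to 20)" is enough. The opening sentence of the Activity section and the Services sentence each join two clauses with a comma and are better split into two sentences.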