You need to use the pfctl command, which communicates with the packet filter (pf). It loads and dumps rulesets, sets parameters and retrieves status information from the packet filter. It talks to /dev/pf, so run it as root. The syntax is:
# pfctl -s rules
OR the short form (the -s modifier can be abbreviated):
# pfctl -sr
Other -s modifiers that are useful when auditing a box: -s nat (translation rules), -s states, -s info, -s all, -s Tables, and -v -s rules to print per-rule evaluation, packet and byte counters. pfctl -nf /etc/pf.conf parses a ruleset without loading it, which is the check to run before pfctl -f.
How do I see the current firewall rules
# pfctl -sr
Sample outputs:
pass all flags S/SA
block drop in on vr0 inet proto tcp from any to ! 202.54.1.2 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.10 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.15 port = 3306
block drop in on ! lo0 proto tcp from any to any port 6000:6010
How do I see the current firewall state table?
# pfctl -ss
Sample outputs:
all udp 255.255.255.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all udp 192.168.1.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
Each line is: interface (all means any), protocol, then the two endpoints with an arrow giving the direction in which the state was created (<- is inbound, so the left endpoint is the local side; -> is outbound), followed by the state of each side of the connection.
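Reading the state table by eye gets old quickly on a busy firewall. The following shell script is an added example, not part of the original post: it parses the pfctl -ss line format shown above with awk and answers two common questions, how many states exist per protocol and connection state, and which remote hosts currently hold an established TCP connection to a given local port (for instance, who is on sshd right now). The SAMPLE_STATES data is constructed for this example and modelled on the lines above; the function names are mine. It assumes IPv4 endpoints in addr:port form and only looks at inbound (<-) states.

```shell
#!/bin/sh
# Summarise a pf state table dump, i.e. the text that `pfctl -ss` prints.
# Both functions read the dump from stdin so they work on live output
# (pfctl -ss | peers_on_port 22) or on a saved copy.

# Constructed sample of `pfctl -ss` output (addresses and ports are made up
# for this example, shaped like the real output).
SAMPLE_STATES='all udp 192.168.1.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all tcp 192.168.1.20:22 <- 192.168.1.5:56534       FIN_WAIT_2:FIN_WAIT_2
all udp 255.255.255.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all tcp 192.168.1.20:22 <- 192.168.1.5:56535       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:22 <- 10.0.0.9:40112       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:3306 <- 10.0.0.9:51000       ESTABLISHED:ESTABLISHED'

# state_summary: count states per "<proto> <state>" pair.
# Field layout of a state line: <if> <proto> <endpoint> <arrow> <endpoint> <state>
state_summary() {
    awk '{ n[$2 " " $NF]++ } END { for (k in n) print n[k], k }' | sort -k2
}

# peers_on_port PORT: print the unique remote addresses that hold a fully
# established inbound TCP state to local port PORT. Inbound states are
# printed as "local:port <- remote:port", so $3 is local and $5 is remote.
peers_on_port() {
    port="$1"
    awk -v port="$port" '
        $2 == "tcp" && $4 == "<-" && $NF == "ESTABLISHED:ESTABLISHED" {
            dst = $3; src = $5
            # IPv4 assumption: the port is whatever follows the last colon.
            if (match(dst, /:[0-9]+$/) && substr(dst, RSTART + 1) == port) {
                sub(/:[0-9]+$/, "", src)
                print src
            }
        }' | sort -u
}

# Demonstration on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_STATES" | state_summary
printf '%s\n' "$SAMPLE_STATES" | peers_on_port 22
```

On the sample this reports three established TCP states, one in FIN_WAIT_2 and two idle UDP states, and lists 10.0.0.9 and 192.168.1.5 as the hosts with live sessions to port 22. Pipe pfctl -ss into either function for real data; pfctl -k can then be used to kill states for a peer you do not recognise.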
How do I see filter stats and counters?
# pfctl -si
The output is the INFO section (status, state table counters, packet counters) that also appears in the full dump below. You can also use the following command to see EVERYTHING (rules, states, info, timeouts, limits and OS fingerprints) in one go:
# pfctl -sa
# pfctl -sa |more
# pfctl -sa |less
# pfctl -sa |grep something
Sample outputs:
FILTER RULES:
pass all flags S/SA
block drop in on vr0 inet proto tcp from any to ! 202.54.1.2 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.10 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.15 port = 3306
block drop in on ! lo0 proto tcp from any to any port 6000:6010

No queue in use

STATES:
all udp 192.168.1.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all tcp 192.168.1.20:22 <- 192.168.1.5:56534       FIN_WAIT_2:FIN_WAIT_2
all udp 255.255.255.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all tcp 192.168.1.20:22 <- 192.168.1.5:56535       ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 0 days 00:12:07           Debug: err

State Table                          Total             Rate
  current entries                        4
  searches                             335            0.5/s
  inserts                               13            0.0/s
  removals                               9            0.0/s
Counters
  match                                 13            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
700 fingerprints loaded