List: ipfilter
Subject: hits on group head not equal total hist of every rules in that group, why ?
From: "edwin chen" <e.chen () rmgasia ! com>
Date: 2003-12-16 18:45:28
Hi, sorry for sending a long mail. I believe ipfstat counts rule hits in this way:
hits on group head = total hits of every rule in that group
but I am very interested in why the hits on "head 2000" do not equal the total hits of every rule in group 2000.
server# ipfstat -ho
428 block out log quick on tun0 from any to any head 1000
0 pass out quick on tun0 proto tcp from any to any keep state group 1000
428 pass out quick on tun0 proto udp from any to any keep state group 1000
0 pass out quick on tun0 proto icmp from any to any keep state group 1000
0 pass out quick on tun0 proto gre from any to any keep state group 1000
3 block out log quick on xl0 from any to any head 3000
0 pass out quick on xl0 proto tcp from any to 192.168.1.0/24 keep state group 3000
3 pass out quick on xl0 proto udp from any to 192.168.1.0/24 keep state group 3000
0 pass out quick on xl0 proto icmp from any to 192.168.1.0/24 keep state group 3000
0 pass out quick on xl0 proto gre from any to 192.168.1.0/24 keep state group 3000
264 pass out quick on lo0 from any to any
server# ipfstat -hi
30 block in log quick on tun0 from any to any head 2000
0 block in log quick on tun0 from 192.168.0.0/16 to any group 2000
0 block in log quick on tun0 from 172.16.0.0/12 to any group 2000
0 block in log quick on tun0 from 10.0.0.0/8 to any group 2000
0 block in log quick on tun0 from 127.0.0.0/8 to any group 2000
0 block in log quick on tun0 from 0.0.0.0/8 to any group 2000
0 block in log quick on tun0 from 169.254.0.0/16 to any group 2000
0 block in log quick on tun0 from 192.0.2.0/24 to any group 2000
0 block in log quick on tun0 from 204.152.64.0/23 to any group 2000
0 block in quick on tun0 from 224.0.0.0/3 to any group 2000
0 pass in quick on tun0 proto tcp from any to 192.168.1.196/32 port 6880 >< 6886 flags S/FSRPAU keep state keep frags group 2000
0 pass in quick on tun0 proto tcp from any to 192.168.1.99/32 port 6885 >< 6888 flags S/FSRPAU keep state keep frags group 2000
30 block return-rst in log quick on tun0 proto tcp from any to any flags S/FSRPAU group 2000
7 block in log quick on tun0 proto tcp from any to any group 2000
2 block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any group 2000
68 block in log quick on xl0 from any to any head 4000
0 block in log quick on xl0 proto tcp from 192.168.1.0/24 to any port = 445 group 4000
0 block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from 192.168.1.0/24 to 172.16.0.0/12 group 4000
0 block return-rst in log quick on xl0 proto tcp from 192.168.1.0/24 to 172.16.0.0/12 group 4000
59 pass in quick on xl0 proto tcp from 192.168.1.0/24 to any keep state group 4000
9 pass in quick on xl0 proto udp from 192.168.1.0/24 to any keep state group 4000
0 pass in quick on xl0 proto icmp from 192.168.1.0/24 to any keep state group 4000
0 pass in quick on xl0 proto gre from 192.168.1.0/24 to any keep state group 4000
0 pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67 keep state group 4000
264 pass in quick on lo0 from any to any
server# ipfstat -hi
54 block in log quick on tun0 from any to any head 2000
0 block in log quick on tun0 from 192.168.0.0/16 to any group 2000
0 block in log quick on tun0 from 172.16.0.0/12 to any group 2000
0 block in log quick on tun0 from 10.0.0.0/8 to any group 2000
0 block in log quick on tun0 from 127.0.0.0/8 to any group 2000
0 block in log quick on tun0 from 0.0.0.0/8 to any group 2000
0 block in log quick on tun0 from 169.254.0.0/16 to any group 2000
0 block in log quick on tun0 from 192.0.2.0/24 to any group 2000
0 block in log quick on tun0 from 204.152.64.0/23 to any group 2000
0 block in quick on tun0 from 224.0.0.0/3 to any group 2000
0 pass in quick on tun0 proto tcp from any to 192.168.1.196/32 port 6880 >< 6886 flags S/FSRPAU keep state keep frags group 2000
0 pass in quick on tun0 proto tcp from any to 192.168.1.99/32 port 6885 >< 6888 flags S/FSRPAU keep state keep frags group 2000
60 block return-rst in log quick on tun0 proto tcp from any to any flags S/FSRPAU group 2000
7 block in log quick on tun0 proto tcp from any to any group 2000
3 block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any group 2000
80 block in log quick on xl0 from any to any head 4000
0 block in log quick on xl0 proto tcp from 192.168.1.0/24 to any port = 445 group 4000
0 block return-icmp-as-dest(port-unr) in log quick on xl0 proto udp from 192.168.1.0/24 to 172.16.0.0/12 group 4000
0 block return-rst in log quick on xl0 proto tcp from 192.168.1.0/24 to 172.16.0.0/12 group 4000
63 pass in quick on xl0 proto tcp from 192.168.1.0/24 to any keep state group 4000
17 pass in quick on xl0 proto udp from 192.168.1.0/24 to any keep state group 4000
0 pass in quick on xl0 proto icmp from 192.168.1.0/24 to any keep state group 4000
0 pass in quick on xl0 proto gre from 192.168.1.0/24 to any keep state group 4000
0 pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67 keep state group 4000
374 pass in quick on lo0 from any to any
regards
edwin chen
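
Added example, not part of the original post: an sh/awk tally that compares each group head's hit counter with the sum of the counters of the rules in that group, so the comparison the post makes by eye can be repeated on any `ipfstat -hi` or `ipfstat -ho` listing. The function names `group_tally` and `sample_hi` are made up for this example, and the sample input is an abridged copy of the first `ipfstat -hi` listing above (most zero-hit rules omitted).

```shell
#!/bin/sh
# group_tally: read `ipfstat -hi` / `ipfstat -ho` output on stdin and print
# one line per group head:
#   <group> <head_hits> <sum_of_member_hits> <ok|MISMATCH>
group_tally() {
    awk '
    # Only lines that begin with a hit counter are rules; prompts are skipped.
    $1 ~ /^[0-9]+$/ {
        for (i = 2; i < NF; i++) {
            # "head N" opens group N; remember its counter and listing order.
            if ($i == "head")  { head[$(i+1)] = $1 + 0; order[++n] = $(i+1) }
            # "group N" marks a member of group N; accumulate its counter.
            if ($i == "group") { sum[$(i+1)] += $1 }
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            g = order[k]
            printf "%s %d %d %s\n", g, head[g], sum[g] + 0,
                   ((head[g] == sum[g] + 0) ? "ok" : "MISMATCH")
        }
    }'
}

# Abridged sample from the first `ipfstat -hi` listing in the post.
sample_hi() {
cat <<'EOF'
server# ipfstat -hi
30 block in log quick on tun0 from any to any head 2000
0 block in log quick on tun0 from 192.168.0.0/16 to any group 2000
30 block return-rst in log quick on tun0 proto tcp from any to any flags S/FSRPAU group 2000
7 block in log quick on tun0 proto tcp from any to any group 2000
2 block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any group 2000
68 block in log quick on xl0 from any to any head 4000
59 pass in quick on xl0 proto tcp from 192.168.1.0/24 to any keep state group 4000
9 pass in quick on xl0 proto udp from 192.168.1.0/24 to any keep state group 4000
264 pass in quick on lo0 from any to any
EOF
}

sample_hi | group_tally
```

On a live system the same function can be fed directly, for example `ipfstat -hi | group_tally`; rules outside any group (such as the lo0 rule) are ignored.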