Diagnostics

Aliases

Detailed insight into the loaded aliases and their contents. When an alias has Statistics enabled, those are shown as well.

It’s also possible to manually adjust the contents, using Quick add address or the delete button.

Note

When deleting items, keep in mind that the next regular update may put the address (or network) back, since the deletion isn’t persistent.

Tip

Use “Find references” to check whether an address would match any configured alias. This is very practical for debugging, since it also checks whether an address falls inside a network (for example, 10.0.0.2 falls inside 10.0.0.0/24).

Sessions

Utilises pftop to offer a detailed view of the active sessions and their traffic counters.

The following fields are available in the grid:


Dir

Direction (in -> or out <-)

Proto

Protocol in question

Source

Source address and port

Gateway

Address and port this session is being translated to using NAT

Destination

Destination address and port

State

State at source:destination, see tables in States section

Age (sec)

The number of seconds since the state was created

Expires (sec)

The number of seconds left before the state expires.

Pkts

Number of packets processed by the state

Bytes

Number of bytes processed by the state

Rule

Rule this state (most likely) belongs to

States

Insight into the state table (pf); offers the ability to search for specific states and to remove them. It is also possible to reset all states and/or the source tracking tables from here. The state table reset in particular should be used with care, as it drops all active connections.

If you use the grid search input to look for states, or if you used the Inspect button on the firewall rules page and opened the state view, you will see a button that allows you to kill all states that matched the criteria.

Note

The state table tries to connect states to rules, but since these are referred to by rule number (sequence) in pf(4), the mapping isn’t always accurate after changes to the rules.

The following fields are available in the grid:


State id

Unique internal identifier describing the state and the origin (creator)

Int

Bound to which interface; by default this is “all” unless “Bind states to interface” is set in Firewall->Settings->Advanced

Dir

Direction (in -> or out <-)

Proto

Protocol in question

Source

Source address and port

Nat

Address and port this session is being translated to using NAT

Destination

Destination address and port

State

State at source:destination; see the tables below for the available states and their meaning

Rule

Rule this state (most likely) belongs to

Command

Button to drop a specific state (State id)

List of available TCP states (as defined by RFC 793)

LISTEN

Represents waiting for a connection request from any remote TCP and port.

SYN_SENT

Represents waiting for a matching connection request after having sent a connection request.

SYN_RCVD

Represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.

ESTABLISHED

Represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.

FIN_WAIT_1

Represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.

FIN_WAIT_2

Represents waiting for a connection termination request from the remote TCP.

CLOSE_WAIT

Represents waiting for a connection termination request from the local user.

CLOSING

Represents waiting for a connection termination request acknowledgment from the remote TCP.

LAST_ACK

Represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).

TIME_WAIT

Represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.

CLOSED

Represents no connection state at all

List of available UDP/Other states (man pf.conf(5))

NO_TRAFFIC

No traffic for this direction

SINGLE

The state if the source host sends more than one packet but the destination host has never sent one back.

MULTIPLE

The state if both hosts have sent packets.
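The following is an added example, not part of the OPNsense documentation or its code. It shows how the State id, Nat, State, Age, Expires, Pkts, Bytes and Rule fields of the grid above map onto the text that `pfctl -ss -vv` prints, how a host-or-network search works (the same containment test the “Find references” tip in the Aliases section describes, applied to states), and which pfctl(8) invocation removes each matched state, which is the per-state equivalent of the kill button shown for a filtered view. The sample output is constructed for this example and merely shaped after FreeBSD’s pfctl state listing; the function and field names are this example’s own.

```python
"""Parse `pfctl -ss -vv` output into the fields of the States grid, filter by
host/network and render the pfctl commands that would kill the matches."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (not a capture from a real host), shaped like FreeBSD
# `pfctl -ss -vv` output: "all" = not bound to an interface, the host in
# parentheses is the pre-NAT address, "->"/"<-" is the direction arrow.
SAMPLE = """\
all tcp 203.0.113.5:61000 (10.0.0.2:52000) -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
   [3735928559 + 65535] wscale 7  [1234567 + 65535] wscale 7
   age 00:01:23, expires in 23:58:37, 120:98 pkts, 15360:80000 bytes, rule 42
   id: 000000006500000a creatorid: 4f3c2b1a
all udp 10.0.0.2:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
   age 00:00:05, expires in 00:00:55, 3:0 pkts, 300:0 bytes, rule 7
   id: 000000006500000b creatorid: 4f3c2b1a
em0 tcp 10.0.0.200:22 <- 192.0.2.9:40000       ESTABLISHED:ESTABLISHED
   age 00:12:00, expires in 23:48:00, 40:38 pkts, 5120:4096 bytes, rule 3
   id: 000000006500000c creatorid: 4f3c2b1a
"""

_HEAD = re.compile(r"^(?P<intf>\S+) (?P<proto>\S+) (?P<src>\S+)(?: \((?P<nat>[^)]+)\))? "
                   r"(?P<dir>->|<-) (?P<dst>\S+)\s+(?P<state>\S+)\s*$")
_AGE = re.compile(r"age (\d+):(\d+):(\d+), expires in (\d+):(\d+):(\d+), "
                  r"(\d+):(\d+) pkts, (\d+):(\d+) bytes(?:, anchor \d+)?, rule (\d+)")
_ID = re.compile(r"id: ([0-9a-f]+) creatorid: ([0-9a-f]+)")


@dataclass
class State:
    intf: str                 # "Int" column; "all" when not bound to an interface
    proto: str
    dir: str                  # the arrow exactly as pfctl prints it: "->" or "<-"
    src: str                  # first host on the line (address:port)
    nat: Optional[str]        # translated host, only present for NAT'ed states
    dst: str                  # second host on the line
    state: str                # "<state>:<state>", see the TCP/UDP tables above
    age: int = 0              # seconds
    expires: int = 0          # seconds
    pkts: Tuple[int, int] = (0, 0)
    nbytes: Tuple[int, int] = (0, 0)
    rule: int = -1
    state_id: str = ""
    creator_id: str = ""


def _hms(h: str, m: str, s: str) -> int:
    """pfctl prints age/expiry as HH:MM:SS; convert to seconds."""
    return int(h) * 3600 + int(m) * 60 + int(s)


def host_address(host: str) -> str:
    """Strip the port from 'addr:port' or '[v6addr]:port'; a bare address is returned as-is."""
    if host.startswith("["):
        return host[1:host.index("]")]
    if host.count(":") == 1:
        return host.rsplit(":", 1)[0]
    return host


def parse_states(text: str) -> List[State]:
    """One State per header line; the indented age/id lines fill in the last state seen."""
    states: List[State] = []
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:
            states.append(State(m["intf"], m["proto"], m["dir"], m["src"],
                                m["nat"], m["dst"], m["state"]))
            continue
        if not states:
            continue
        cur = states[-1]
        m = _AGE.search(line)
        if m:
            g = m.groups()
            cur.age, cur.expires = _hms(*g[0:3]), _hms(*g[3:6])
            cur.pkts, cur.nbytes = (int(g[6]), int(g[7])), (int(g[8]), int(g[9]))
            cur.rule = int(g[10])
            continue
        m = _ID.search(line)
        if m:
            cur.state_id, cur.creator_id = m.groups()
    return states


def matching(states: List[State], criterion: str) -> List[State]:
    """States whose source, NAT or destination address lies inside `criterion`
    (a single host or a CIDR network), i.e. the containment check 10.0.0.2 in 10.0.0.0/24."""
    net = ipaddress.ip_network(criterion, strict=False)
    hits = []
    for st in states:
        for host in (st.src, st.nat, st.dst):
            if host is None:
                continue
            try:
                addr = ipaddress.ip_address(host_address(host))
            except ValueError:
                continue
            if addr.version == net.version and addr in net:
                hits.append(st)
                break
    return hits


def kill_commands(states: List[State]) -> List[str]:
    """Per-state kill using the `-k id -k <id>/<creatorid>` form documented in pfctl(8)."""
    return [f"pfctl -k id -k {s.state_id}/{s.creator_id}" for s in states if s.state_id]


if __name__ == "__main__":
    for st in parse_states(SAMPLE):
        print(st.intf, st.proto, st.src, st.nat or "-", st.dir, st.dst, st.state,
              st.age, st.expires, st.pkts, st.nbytes, st.rule, st.state_id)
    print("\n".join(kill_commands(matching(parse_states(SAMPLE), "10.0.0.0/24"))))
```

To run it against a live firewall, replace `SAMPLE` with `sys.stdin.read()` and pipe `pfctl -ss -vv` into the script over SSH; review the printed kill commands before executing any of them, since killing a state drops that connection immediately.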

Statistics

Various detailed statistics gathered from pfctl, such as packet counters per interface, memory limits, configured timeouts and detailed active rules.