Visualizing IP Filter and PF state tables

IP Filter is a stateful packet inspecting firewall that ships with FreeBSD and Solaris 10. Stateful packet inspecting firewalls use a state table to track established connections, which allows packets to traverse the firewall if they belong to an existing established connection. IP Filter comes with the ipfstat(1m) utility, which can be used to print connection statistics, rule definitions, and active connections. When ipfstat(1m) is invoked with the “-t” (Show the state table in a way similar to the way the Unix utility, top, shows the process table) option, a text-based graphical representation of the state table is continuously displayed:

$ ipfstat -t

                 sparky - IP Filter: v4.0.2 - state top                 10:47:32

Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any  Sorted by = # bytes

Source IP             Destination IP         ST   PR   #pkts    #bytes       ttl
12.6.4.12,32776   1.2.5.4,22        B/7  tcp     140     10112      0:00
12.6.4.12,32775   1.2.5.3,22        B/7  tcp     134      9872      0:00

To adjust the refresh interval, an integer value can be passed to ipfstat’s “-T” (Specifies how often the state top display should be updated) option:

$ ipfstat -t -T 10

                 sparky - IP Filter: v4.0.2 - state top                 10:47:32

Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any  Sorted by = # bytes

Source IP             Destination IP         ST   PR   #pkts    #bytes       ttl
12.6.4.12,32776   1.2.5.4,22        B/7  tcp     140     10112      0:00
12.6.4.12,32775   1.2.5.3,22        B/7  tcp     134      9872      0:00

If you are using the PF firewall, you can use pftop(8) to get a text-based graphical representation of the PF state table:

$ pftop

pfTop: Up State 1-3/3, View: default, Order: none, Cache: 10000                              09:37:53

PR   DIR SRC                 DEST                           STATE                AGE       EXP     PKTS    BYTES
tcp  Out 192.168.1.8:49359   66.102.15.101:80      ESTABLISHED:ESTABLISHED  19:29:55  04:30:08        5      676

To adjust pftop(8)’s refresh interval, an integer value can be passed to its “-s” (Set the delay between display updates to time seconds) option:

$ pftop -s 10

pfTop: Up State 1-3/3, View: default, Order: none, Cache: 10000                              09:37:53

PR   DIR SRC                 DEST                           STATE                AGE       EXP     PKTS    BYTES
tcp  Out 192.168.1.8:49359   66.102.15.101:80      ESTABLISHED:ESTABLISHED  19:29:55  04:30:08        5      676
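The two displays above are easy to read interactively, but when you want to keep a record or rank state entries offline, parsing the rows is handy. The following is an added example (not part of the original post or of the IP Filter/PF tools) that parses data rows in the ipfstat state-top and pftop column layouts shown above into one record type and sums bytes per destination; the sample rows are constructed, and the parser assumes the default column layouts shown on this page.

```python
import re
from collections import namedtuple

# Constructed sample rows in the two layouts shown above (not captured from a real host).
IPFSTAT_ROWS = """\
12.6.4.12,32776   1.2.5.4,22        B/7  tcp     140     10112      0:00
12.6.4.12,32775   1.2.5.3,22        B/7  tcp     134      9872      0:00
"""
PFTOP_ROWS = """\
tcp  Out 192.168.1.8:49359   66.102.15.101:80      ESTABLISHED:ESTABLISHED  19:29:55  04:30:08        5      676
"""

# One record type for both tools so the same reporting code works on either state table.
State = namedtuple("State", "proto src sport dst dport state pkts bytes")


def parse_ipfstat(text):
    """Parse 'ipfstat -t' data rows: Source IP,port  Dest IP,port  ST  PR  #pkts  #bytes  ttl."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:          # header, banner and blank lines do not have 7 fields
            continue
        src, sport = f[0].rsplit(",", 1)
        dst, dport = f[1].rsplit(",", 1)
        out.append(State(f[3], src, int(sport), dst, int(dport), f[2], int(f[4]), int(f[5])))
    return out


def parse_pftop(text):
    """Parse pftop default-view data rows: PR DIR SRC DEST STATE AGE EXP PKTS BYTES."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:          # skip the pfTop banner and the column header
            continue
        src, sport = f[2].rsplit(":", 1)
        dst, dport = f[3].rsplit(":", 1)
        out.append(State(f[0], src, int(sport), dst, int(dport), f[4], int(f[7]), int(f[8])))
    return out


def bytes_by_destination(states):
    """Sum bytes per destination host:port, largest first (what 'Sorted by = # bytes' ranks on screen)."""
    totals = {}
    for s in states:
        key = f"{s.dst}:{s.dport}"
        totals[key] = totals.get(key, 0) + s.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

Feed it the saved output of `ipfstat -t` or `pftop` (for example redirected to a file) to get a ranked per-destination byte count without watching the screen.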

I find myself frequently using these utilities, and find them super useful!
