ipfstat is great for collecting snapshots of what's going on on the system,
but it's often handy to have some kind of log to look at and watch events as they happen
in time. ipmon is this tool. ipmon is capable of watching the packet log
(as created with the log keyword in your rules), the state log, or the nat log,
or any combination of the three. This tool can either be run in the foreground, or as a
daemon which logs to syslog or a file. If we wanted to watch the state table in action, ipmon
-o S would show this:
# ipmon -o S
01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 -> 18.104.22.168,53 PR udp
01/08/1999 15:58:58.030815 STATE:NEW 22.214.171.124,123 -> 126.96.36.199,123 PR udp
01/08/1999 15:59:18.032174 STATE:NEW 188.8.131.52,123 -> 184.108.40.206,123 PR udp
01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.1,53 -> 220.127.116.11,53 PR udp Pkts 4 Bytes 356
01/08/1999 16:03:51.754867 STATE:NEW 18.104.22.168,1019 -> 100.100.100.10,22 PR tcp
01/08/1999 16:04:03.070127 STATE:EXPIRE 22.214.171.124,1019 -> 100.100.100.10,22 PR tcp Pkts 63 Bytes 4604
Here we see a state entry for an external dns request off our nameserver, two xntp pings to well-known time servers, and a very short lived outbound ssh connection.
ipmon is also capable of showing us what packets have been logged. For
example, when using state, you'll often run into packets like this:
# ipmon -o I
15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -> 126.96.36.199,4923 PR tcp len 20 1488 -A
What does this mean? The first field is obvious, it's a timestamp. The second field is also pretty obvious, it's the interface that this event happened on. The third field @0:2 is something most people miss. This is the rule that caused the event to happen. Remember ipfstat -in? If you wanted to know where this came from, you could look there for rule 2 in rule group 0. The fourth field, the little "b" says that this packet was blocked, and you'll generally ignore this unless you're logging passed packets as well, which would be a little "p" instead. The fifth and sixth fields are pretty self-explanatory, they say where this packet came from and where it was going. The seventh ("PR") and eighth fields tell you the protocol and the ninth field tells you the size of the packet. The last part, the "-A" in this case, tells you the flags that were on the packet; This one was an ACK packet. Why did I mention state earlier? Due to the often laggy nature of the Internet, sometimes packets will be regenerated. Sometimes, you'll get two copies of the same packet, and your state rule which keeps track of sequence numbers will have already seen this packet, so it will assume that the packet is part of a different connection. Eventually this packet will run into a real rule and have to be dealt with. You'll often see the last packet of a session being closed get logged because the keep state code has already torn down the connection before the last packet has had a chance to make it to your firewall. This is normal, do not be alarmed. [[dagger]] [[footnote: [[dagger]] For a technical presentation of the IP Filter stateful inspection engine, please see the white paper Real Stateful TCP Packet Filtering in IP Filter, by Guido van Rooij. This paper may be found at <http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz> ]] Another example packet that might be logged:
12:46:12.470951 xl0 @0:1 S 188.8.131.52 -> 255.255.255.255 PR icmp len 20 9216 icmp 9/0
This is a ICMP router discovery broadcast. We can tell by the ICMP type 9/0.
Finally, ipmon also lets us look at the NAT table in action.
# ipmon -o N
01/08/1999 05:30:02.466114 @2 NAT:RDR 184.108.40.206,113 <- -> 220.127.116.11,113 [100.100.100.13,45816]
01/08/1999 05:30:31.990037 @2 NAT:EXPIRE 18.104.22.168,113 <- -> 22.214.171.124,113 [100.100.100.13,45816] Pkts 10 Bytes 455
This would be a redirection to an identd that lies to provide ident service for the hosts behind our NAT, since they are typically unable to provide this service for themselves with ordinary natting.
0. Specific Applications of IP Filter - Things that don't fit, but should be mentioned anyway.