Re: PF Statistics

From: Doug Hardie <bc979_at_lafn.org>
Date: Fri, 15 Aug 2025 07:11:25 UTC
> On Aug 14, 2025, at 23:56, Arthur Chance <freebsd@qeng-ho.org> wrote:
> 
> On 14/08/2025 21:03, Kevin Oberman wrote:
>> On Wed, Aug 13, 2025 at 11:06 PM Doug Hardie <bc979@lafn.org
>> <mailto:bc979@lafn.org>> wrote:
>> 
>>> On Jun 15, 2025, at 09:36, Doug Hardie <bc979@lafn.org
>>    <mailto:bc979@lafn.org>> wrote:
>>> 
>>> I have been running pftop for several days.  Some of the PKTS
>>    counts were non-zero yesterday.  Today they are zero.  The others
>>    appear to be reasonable, as in not cleared recently.  Table
>>    statistics include the date/time when the numbers were last
>>    cleared.  I could not find anything similar for rules.  For example
>>    I have a block of anything coming in on the telnet port.  Last night
>>    it showed 290 PKTS.  Today it shows zero.  Is there something in pf
>>    that periodically clears the statistics?  I couldn't find anything
>>    in the documentation that addresses this.  Thanks,
>>> 
>>> 
>>> Update:  today it appears that all of the PKTS counts were cleared.
>> 
>>    After a lot of testing, I have found that the counters are cleared
>>    daily between 0301 and 0302.  I am not finding any cron activations
>>    in that timeframe that appear to affect pf.  Is this clearing built
>>    into pf?
>> 
>>    -- Doug
>> 
>> 
>> Have you looked at periodic(8)? By default the daily runs at 0300 plus
>> or minus a fuzz value
> 
> /etc/periodic/security/520.pfdenied, line 46:
> 
> pfctl -a "${_a}" -sr -v -z 2>/dev/null | \
> 
> That -z clears statistics.

Sure does.  Somehow I missed that line.  Thanks.  Now I understand what is happening.

-- Doug
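
Following up on the counter reset identified in this thread, here is an added example (not part of the original messages and not FreeBSD code) that keeps running per-rule totals across snapshots of `pfctl -sr -v` output and treats a drop in a counter as a reset rather than negative traffic. The sample snapshots are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples in the layout printed by `pfctl -sr -v` (rule line,
# then bracketed counter lines). Not captured from a real host.
BEFORE = """\
block drop in quick proto tcp from any to any port = telnet
  [ Evaluations: 5120      Packets: 290       Bytes: 17400       States: 0     ]
pass out all flags S/SA keep state
  [ Evaluations: 5120      Packets: 48211     Bytes: 39120044    States: 12    ]
"""
AFTER = """\
block drop in quick proto tcp from any to any port = telnet
  [ Evaluations: 14        Packets: 3         Bytes: 180         States: 0     ]
pass out all flags S/SA keep state
  [ Evaluations: 14        Packets: 97        Bytes: 81234       States: 12    ]
"""

COUNTERS = re.compile(r"Packets:\s*(\d+)\s+Bytes:\s*(\d+)")

def parse_rules(text):
    """Map each rule line to its (packets, bytes) counters."""
    rules, current = {}, None
    for line in text.splitlines():
        if line.strip().startswith("["):
            m = COUNTERS.search(line)
            if m and current is not None:
                rules[current] = (int(m.group(1)), int(m.group(2)))
        elif line.strip():
            current = line.strip()
    return rules

def accumulate(totals, previous, current):
    """Add the growth since the previous snapshot to running totals.

    A counter lower than its previous value means it was zeroed in
    between (for example by `pfctl -z`), so the whole current value
    counts as new traffic instead of producing a negative delta.
    Returns the list of rules where a reset was detected.
    """
    resets = []
    for rule, (pkts, nbytes) in current.items():
        old_pkts, old_bytes = previous.get(rule, (0, 0))
        if pkts < old_pkts or nbytes < old_bytes:
            resets.append(rule)
            old_pkts, old_bytes = 0, 0
        t_pkts, t_bytes = totals.get(rule, (0, 0))
        totals[rule] = (t_pkts + pkts - old_pkts, t_bytes + nbytes - old_bytes)
    return resets
```

Packets counted between the last snapshot and the reset itself are not recoverable this way, so the totals are a lower bound.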