[pf4freebsd] Re: pf and netstat

Max Laier max at love2party.net
Wed Sep 15 20:57:19 PDT 2004


Hello c.s.r.c.murthy,

Thursday, November 20, 2003, 6:39:34 AM, you wrote:
csrcm>     Pf is able to distribute user http requests over 2 internet links.
csrcm> But netstat is unable to show the sessions established with the internet
csrcm> hosts when "netstat -na" is given. "netstat -na" shows only the tcp/udp
csrcm> services listening, but not the established connections with outside
csrcm> hosts. Reason is not known.

netstat shows connections from the host you run it on. However, for
the pf case (and I assume we are talking about NATted/routed
connections here) the gateway does not establish a connection, but
only forwards packets (with rewriting some headers in NAT case).
If you use (in contrast to NAT/route) a (transparent-)proxy the
gateway will establish connections itself and you will see them with
netstat.

If you use stateful filtering pf keeps its own connection table
(called "states") which can be viewed by issuing $ pfctl -vss

You might also want to take a look at pftop
(http://www.freshports.org/sysutils/pftop/) from the ports
(sysutils/pftop) which monitors states (and other useful pf related
information) in a top(1)-like interface.

-- 
Best regards,
 Max                            mailto:max at love2party.net
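
An added example (not from this thread or the pf project) of working with the state table the reply points to: it parses a constructed `pfctl -ss` sample and counts fully ESTABLISHED outbound TCP states per remote host, i.e. the NATted sessions that `netstat -na` on the gateway never lists. The addresses and lines are constructed; the layout follows the pfctl state-line format (the address in parentheses is the internal client before NAT rewriting).

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output, not captured from a real system.
# "<addr>:<port> (<orig>:<port>) -> <dst>:<port>" marks a NATted outbound state:
# the first address is what pf rewrote the source to, the one in parentheses
# is the original internal client. "<-" marks an inbound state.
SAMPLE_STATES='all tcp 203.0.113.1:60123 (192.168.1.10:49152) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:60124 (192.168.1.11:49153) -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.1:60125 (192.168.1.10:49154) -> 198.51.100.9:443      FIN_WAIT_2:FIN_WAIT_2
all tcp 203.0.113.1:60126 (192.168.1.12:49155) -> 198.51.100.9:443      ESTABLISHED:ESTABLISHED
all udp 203.0.113.1:5353 (192.168.1.10:5353) -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 192.168.1.1:22 <- 192.168.1.10:50000       ESTABLISHED:ESTABLISHED'

# established_by_dst: read pf state lines on stdin and print "<count> <host>"
# for outbound TCP states whose both sides are ESTABLISHED, busiest host first.
# Only the remote host matters here, so the port is stripped; "[v6addr]:port"
# survives the strip as "[v6addr]".
established_by_dst() {
    awk '$2 == "tcp" && $NF == "ESTABLISHED:ESTABLISHED" {
            # the destination is the field right after "->"
            for (i = 3; i < NF; i++) if ($i == "->") {
                dst = $(i + 1)
                sub(/:[0-9]+$/, "", dst)
                n[dst]++
            }
        }
        END { for (h in n) print n[h], h }' | sort -rn
}

# Real usage on the gateway (as root):  pfctl -ss | established_by_dst
printf '%s\n' "$SAMPLE_STATES" | established_by_dst
```

The UDP state, the half-closed FIN_WAIT_2 state and the inbound ssh state are deliberately skipped so the output matches what a "current outbound sessions" question actually asks for.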