PF How to understand 'denied packets' (by pf) in daily security run output

I don't understand the numbers in reports like this, which I regularly receive from the daily security run:

gdweber.org pf denied packets:
+block drop in log (all) all [ Evaluations: 124538 Packets: 15317 Bytes: 792984 States: 0 ]

Why is the number of evaluations different from, and always greater than, the number of packets? Isn't each packet evaluated? Is 792,984 the number of bytes in the 15,317 packets, or is it the number of bytes in the 124,538 evaluations?

I understand that this report is about the action of the rule

block in log(all) all

which is in /etc/pf.conf. This rule blocks and logs all incoming packets by default; subsequent rules allow some incoming packets to pass.

I'm running FreeBSD 14.3-RELEASE-p7:

root@gdweber:/etc # uname -a
FreeBSD gdweber.org 14.3-RELEASE-p7 FreeBSD 14.3-RELEASE-p7 GENERIC amd64
root@gdweber:/etc # freebsd-version
14.3-RELEASE-p7

I have read "Daily security mail reports pf denied packets: how to inspect them?" but did not find it relevant to my question.
 
evaluations counts the number of times the rule evaluator encountered that rule.

packets and bytes counts the number of packets/bytes that the rule *actually matches*

so if you have (simplified)
Code:
block all
pass in proto tcp to port 80
all of the blocked packets will count as an evaluation and packet on the first rule, and all port 80 traffic will count as evaluations on both the first and second rules, but will only count packets for port 80 traffic.
 
Thanks, but I still don't understand clearly.

What does it mean for the rule evaluator to "encounter" that rule? Why is that something I should care about from a security perspective?

Could it be that you are trying to tell me something like this: 'evaluations' is the number of times a packet matches the conditions of the rule (in my example, it is an incoming packet; in yours, it is any packet), and 'packets' is the number of times the rule actually fires (performs the action: block)?

Or does the rule evaluator "encounter" each rule for every packet going in or out, and then 'evaluations' would be simply the total number of packets in both directions?
 
pf is a last-match evaluator, unless you use the quick keyword — evaluations aren't a security metric, they're a performance metric.
Could it be that you are trying to tell me something like this: 'evaluations' is the number of times a packet matches the conditions of the rule (in my example, it is an incoming packet; in yours, it is any packet), and 'packets' is the number of times the rule actually fires (performs the action: block)?
Close. What we understand these to mean is that evaluations indicate that a packet was checked by that rule, whether or not the conditions match, but packets/bytes count the number of packets that the action has fired on.
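The counter semantics the replies describe, as an added toy model (my code, not pf's source): a rule's Evaluations bumps every time the evaluator tests it, Packets/Bytes bump only on the rule whose action is finally applied, and the last match wins unless a matching rule carries quick. It deliberately ignores pf's skip steps and state table (packets matching an existing state are credited to the state's rule without re-evaluating the ruleset), so real pfctl numbers will differ; the packet trace is constructed.

```python
from dataclasses import dataclass
@dataclass
class Rule:
    action: str                 # "block" or "pass"
    direction: str = "any"      # "in", "out" or "any"
    proto: str = "any"          # "tcp", "udp" or "any"
    port: int = 0               # destination port, 0 = any
    quick: bool = False
    evaluations: int = 0        # times the evaluator tested this rule
    packets: int = 0            # packets whose final action came from this rule
    bytes: int = 0              # sizes of exactly those packets
    def matches(self, pkt):
        return (self.direction in ("any", pkt["dir"])
                and self.proto in ("any", pkt["proto"])
                and self.port in (0, pkt["dport"]))

def filter_packet(rules, pkt):
    """Last-match evaluation of one packet, bumping counters the way pf does."""
    winner = None
    for rule in rules:
        rule.evaluations += 1           # counted whether or not the rule matches
        if rule.matches(pkt):
            winner = rule
            if rule.quick:              # quick: stop at the first match
                break
    if winner is None:                  # pf's default when nothing matches
        return "pass"
    winner.packets += 1                 # only the winning rule gets packet/byte credit
    winner.bytes += pkt["len"]
    return winner.action

# Constructed trace: 3 inbound HTTP packets, 2 inbound SSH attempts, 1 outbound HTTPS.
TRACE = ([{"dir": "in", "proto": "tcp", "dport": 80, "len": n} for n in (100, 200, 300)]
         + [{"dir": "in", "proto": "tcp", "dport": 22, "len": 60}] * 2
         + [{"dir": "out", "proto": "tcp", "dport": 443, "len": 1000}])

def run(ruleset):   # push TRACE through a fresh ruleset; (evaluations, packets, bytes) per rule
    for pkt in TRACE:
        filter_packet(ruleset, pkt)
    return [(r.evaluations, r.packets, r.bytes) for r in ruleset]

def last_match_ruleset():   # block all / pass in proto tcp to port 80 (the reply's example)
    return [Rule("block"), Rule("pass", "in", "tcp", 80)]

def quick_ruleset():        # pass in quick proto tcp to port 80 / block all
    return [Rule("pass", "in", "tcp", 80, quick=True), Rule("block")]

if __name__ == "__main__":
    for rs in (last_match_ruleset(), quick_ruleset()):
        print(run(rs))   # [(6, 3, 1120), (6, 3, 600)] then [(6, 3, 600), (3, 3, 1120)]
```

In the last-match ruleset the block rule is evaluated six times but credited with three packets, and its Bytes (1120) is the size of those three packets only; with quick, the block rule is never evaluated for the HTTP packets at all.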
 