Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
OPNsense and firewall inspect... how to avoid the counters to be zeroed?
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNsense and firewall inspect... how to avoid the counters to be zeroed? (Read 1389 times)
fabianodelg
Newbie
Posts: 37
Karma: 6
OPNsense and firewall inspect... how to avoid the counters to be zeroed?
«
on:
August 04, 2022, 09:33:18 am »
Hi everyone,
there's quite few posts in regard the INSPECT function (which allow to see when a firewall rule has been executed as well as how many bytes that specific rule is 'consuming' from your network).
What's not clear to me is that the counters are zeroed (I believe every 24h) by some process (cron?) while I'd like that the counters are NOT zeroed.
I've read that this is due to the scheduler being active (as there may be some firewall rules scheduled for the execution) but that's not my case, I have nothing in the scheduler section (and of course no scheduled firewall rules)
In the crontab for the user root I can see these jobs:
#minute hour mday month wday command
1 * * * * (/usr/local/sbin/configctl -d syslog archive) > /dev/null
2 * * * * (/usr/local/sbin/expiretable -v -t 3600 sshlockout) > /dev/null
3 * * * * (/usr/local/sbin/expiretable -v -t 3600 virusprot) > /dev/null
4 * * * * (/usr/local/etc/rc.expireaccounts) > /dev/null
*/4 * * * * (/usr/local/sbin/ping_hosts.sh) > /dev/null
0 22 * * * (/usr/local/sbin/configctl -d firmware changelog cron) > /dev/null
0 1 * * * (/usr/local/sbin/configctl -d system remote backup) > /dev/null
1 3 1 * * (/usr/local/sbin/configctl -d filter schedule bogons) > /dev/null
* * * * * (/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py) > /dev/null
while for the user nobody (which I believe is used by the UI):
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
# User-defined crontab files can be loaded via /etc/cron.d
# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour mday month wday command
(this confirms that I have no schedule configured).
Can any of the jobs scheduled for the user 'root' be the cause of the counters being zeroed on a regular basis?
If not what other area should I look for?
Thanks in advance for any answer and help on this matter!
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: OPNsense and firewall inspect... how to avoid the counters to be zeroed?
«
Reply #1 on:
August 04, 2022, 10:31:54 am »
Counters have to be cleared when new rules are loaded. This can happen for a number of reasons and there isn't a practical way to prevent it or to keep these numbers in the kernel.
Cheers,
Franco
Logged
fabianodelg
Newbie
Posts: 37
Karma: 6
Re: OPNsense and firewall inspect... how to avoid the counters to be zeroed?
«
Reply #2 on:
August 04, 2022, 10:58:37 am »
Thanks Franco for your answer; what I don't understand is... I'm not adding any new rules (nor modifying any rules); why the counters are zeroed?
I get it that there are 'many other reason' but just for the sake of making my day today (and I'm going to make a donation to the project!)... could you please explain why and what is the process that zero the counters?
Thanks,
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: OPNsense and firewall inspect... how to avoid the counters to be zeroed?
«
Reply #3 on:
August 04, 2022, 11:11:52 am »
For one VPNs and WAN interfaces reload filters on reconnects... most probable cause would be new DHCP lease overnight?
Cheers,
Franco
Logged
fabianodelg
Newbie
Posts: 37
Karma: 6
Re: OPNsense and firewall inspect... how to avoid the counters to be zeroed?
«
Reply #4 on:
August 04, 2022, 12:46:18 pm »
Thanks Franco, I'll check that; I will also try to change the lease time for the WAN interface to 30 days and see what happen...
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
OPNsense and firewall inspect... how to avoid the counters to be zeroed?