Monitoring ipfw dynamic rules with Cacti & net-snmp

June 20th, 2005

You'll need a fairly recent install of net-snmp for this, as it uses the 'extend' MIB.

In snmpd.conf:

# so we can track dynamic-rule count
extend fw-dyn-rules /usr/local/bin/snmp-fw-dynrules

And that script is simply:

#!/bin/sh
# Each line of output becomes one nsExtendOutLine row (line 1, line 2).
sysctl -n net.inet.ip.fw.dyn_count
sysctl -n net.inet.ip.fw.dyn_max

Which you can then monitor with the following OIDs (the nsExtendOutLine rows from NET-SNMP-EXTEND-MIB; the index is the length of the name "fw-dyn-rules", its bytes in decimal, then the output line number):

Current rules:
.1.3.6.1.4.1.8072.1.3.2.4.1.2.12.102.119.45.100.121.110.45.114.117.108.101.115.1

Maximum rules:
.1.3.6.1.4.1.8072.1.3.2.4.1.2.12.102.119.45.100.121.110.45.114.117.108.101.115.2
It's not much, but it was useful in fault-finding a problem with our ipfw firewall, where it seemed to be running out of dynamic rule slots.
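As an added example (not part of the original post), the following POSIX sh script derives the nsExtendOutLine OID for any 'extend' name the way the two OIDs above were derived, and turns the two values into a utilisation check so that a table nearing dyn_max is flagged before the firewall starts refusing new dynamic rules. The hostname, community string, threshold and sample values are assumptions.

```sh
#!/bin/sh
# Build the NET-SNMP-EXTEND-MIB::nsExtendOutLine OID for an 'extend' entry:
# prefix, then the name's length, its bytes in decimal, then the output line.
extend_oid() {
    name=$1
    line=$2
    oid=".1.3.6.1.4.1.8072.1.3.2.4.1.2.${#name}"
    for b in $(printf '%s' "$name" | od -An -tu1); do
        oid="$oid.$b"
    done
    printf '%s.%s\n' "$oid" "$line"
}

# Integer percentage of the dynamic-rule table in use (0 if max is unknown).
dyn_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Compare dyn_count/dyn_max against a threshold (default 90%).
# Returns 1 when the table is close to exhaustion, 0 otherwise.
check_dyn_rules() {
    pct=$(dyn_usage_pct "$1" "$2")
    if [ "$pct" -ge "${3:-90}" ]; then
        echo "WARNING: ipfw dynamic rules at ${pct}% ($1/$2)"
        return 1
    fi
    echo "OK: ipfw dynamic rules at ${pct}% ($1/$2)"
    return 0
}

# Poll a firewall over SNMP and run the check. Host and community are
# assumed values; snmpget's -Oqv prints only the returned value.
fetch_and_check() {
    host=${1:-fw.example.org}
    community=${2:-public}
    count=$(snmpget -Oqv -v2c -c "$community" "$host" "$(extend_oid fw-dyn-rules 1)")
    max=$(snmpget -Oqv -v2c -c "$community" "$host" "$(extend_oid fw-dyn-rules 2)")
    check_dyn_rules "$count" "$max" 90
}

# Constructed sample values standing in for a live poll.
check_dyn_rules 120 4096 90
```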

Here's an export from our cacti install, which should include all of that.

Copyright 1994-2005, by Howard Jones. howie@thingy.com