The fw tab command displays the contents of the INSPECT tables. These tables hold all state information on the firewall, including connections, VPNs, NAT, etc.
The following options are commonly used:
-s provides a summary of the tables
-t tname displays only the requested table
-x tname deletes all entries in the specified table
-d debug mode
-all all tables
Useful tables:
host_table
The host_table holds the IP addresses of internal machines protected by the VPN-1/FireWall-1 NG Enforcement Module. The table only exists where the VPN-1/FireWall-1 license is limited. The maximum number of entries in this table is the licensed number of internal machines.
arp_table
The arp_table holds the IP addresses for which the machine is willing to proxy ARP. Proxy ARP is sometimes required when using NAT. If the IP addresses that the machine is to resolve are specified in local.arp, this table can be used to check that they were specified correctly. The automatic ARP feature also uses this table to make the machine resolve translated IP addresses.
Entry format:
1. IP address (name resolving may occur).
2. MAC address of gateway machine interface that will answer ARP requests for the IP address.
3. Interface name (optional).
4. Name of the gateway interface that will proxy ARP for IP addresses.
fwx_alloc
The fwx_alloc table holds information about the allocation of ports for the translated packets.
Entry format:
First entry: < 0, hiding IP address, IP protocol, first high port used; next high port to be allocated>
The first field is a placeholder and is always 0. The first high port to be used is always 10000.
fwx_cntl_dyn_tab
The fwx_cntl_dyn_tab table holds information about the IP addresses allocated from the IP Pool of the Enforcement Module, and the connections using those IP addresses.
EXAMPLE
attributes: keep, expires never, limit 25000,
hashsize 512, free function 40550248 0
<0a010104,>
00000001, 00000e10, 000000c3>
fwx_auth
The fwx_auth table holds the original information of a folded connection, so that the Security Server knows the original destination IP and port of the connection.
EXAMPLE
attributes: expires 300, limit 25000, refresh, keep
c7cb47e3, 00000017; 286/300>
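Reading fw tab output in practice, using the fwx_alloc entry format given above and the seconds-left field seen in the fwx_auth example: an added Python example, not code from the original page or from Check Point. The fw tab text it parses is constructed, and the table ids, protocol numbers and port values in it are assumptions chosen to match the formats described above.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in fw tab style (not captured from a real gateway); fwx_alloc rows
# follow the page's format <0, hiding IP, proto, first high port; next high port>.
SAMPLE = """\
-------- fwx_alloc --------
dynamic, id 42, attributes: keep, expires never, limit 25000, hashsize 512
<00000000, 0a010104, 00000006, 00002710; 00002711>
<00000000, 0a010105, 00000011, 00002710; 0000ffff>
-------- fwx_auth --------
<c7cb47e3, 00000017; 286/300>
"""
HEADER_RE = re.compile(r"-+\s*(\S+)\s*-+")          # "-------- name --------"
ENTRY_RE = re.compile(r"<([^;>]*);?\s*([^>]*)>")   # <key words; value words>
WORD_RE = re.compile(r"[0-9a-fA-F]{8}")             # every field is a 32-bit hex word
class Entry(NamedTuple):
    table: str
    key: List[int]
    values: List[int]
    ttl: Optional[int]  # seconds left, from a trailing "left/total" field
def hex_to_ip(word: int) -> str:
    """Render a 32-bit table word as dotted IPv4 (0x0a010104 -> 10.1.1.4)."""
    return ".".join(str((word >> s) & 0xFF) for s in (24, 16, 8, 0))
def parse_fw_tab(text: str) -> List[Entry]:
    """Parse every <key; values> row, tagging each with the table header above it."""
    entries, table = [], "?"
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            table = header.group(1)
        row = ENTRY_RE.search(line)   # attribute lines carry no <...> and are skipped
        if not row:
            continue
        vals_text, ttl = row.group(2), None
        expiry = re.search(r"(\d+)/(\d+)\s*$", vals_text)
        if expiry:  # e.g. "286/300" in fwx_auth: seconds left / expire value
            ttl, vals_text = int(expiry.group(1)), vals_text[:expiry.start()]
        key = [int(w, 16) for w in WORD_RE.findall(row.group(1))]
        entries.append(Entry(table, key, [int(w, 16) for w in WORD_RE.findall(vals_text)], ttl))
    return entries

def hide_nat_ports_used(entries: List[Entry]) -> Dict[Tuple[str, int], int]:
    """Per (hiding IP, protocol): how many high ports fwx_alloc has handed out so far."""
    used = {}
    for e in entries:
        if e.table == "fwx_alloc" and len(e.key) == 4 and e.values:
            _, hide_ip, proto, first_port = e.key
            used[(hex_to_ip(hide_ip), proto)] = e.values[0] - first_port
    return used
```

A hiding address whose next high port has climbed close to 65535 is running out of hide-NAT ports; a fwx_auth row whose seconds-left value keeps resetting shows the refresh attribute at work.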
sam_blocked_ips
All IP and network addresses that were specified in SAM requests are shown in sam_blocked_ips, with a request counter for each type of filter enforced on each IP or network address. Note that overshadowed requests are also counted, if present.
EXAMPLE
-------- sam_blocked_ips --------
dynamic, id 8141, attributes: keep, limit 25000, hashsize 512
<05050505;> 00000000, 00000000, 00000000>
host_ip_addrs
The host_ip_addrs table contains the list of IP addresses of the VPN-1/FireWall-1 NG Enforcement Module.
fwx_ip_lookup_tab
The fwx_ip_lookup_tab table holds information used for IP Pool allocation queries.
EXAMPLE
attributes: keep, limit 25000, hashsize 512
fwz_crypt_pending
The fwz_crypt_pending table records a possibly encrypted connection that still has to obtain its encryption/decryption key. It is accessed from both the VPN kernel and the VPN daemon: the daemon, which negotiated the key exchange with a trusted peer, stores the new key in the table, and the kernel obtains it from there. The table also passes error messages. The fwz_crypt_pending table is dynamic.
forbidden_tab
Each embedded VPN-1/FireWall-1 system has a setting that indicates how many hosts can be located 'behind' it. The number of hosts can be set to unlimited. This limitation is enforced in the INSPECT code using the macro COUNT_HOST. COUNT_HOST records each packet that comes from the internal interface in a table until the limit is exceeded.
IKE_SA_table
IKE SAs are stored in IKE_SA_table. The table entries have four possible formats:
· The top two formats are only used on SecuRemote.
· All non-expired SAs are stored using format 2.
· Format 1 is used to store and retrieve the latest IKE SA.
· Table entries are used to conduct the IKE Quick Mode negotiation of the IPSEC_SA.
· Entries are extracted from this table when the VPN daemon is trapped for IPSEC_SA renewal; the IKE daemon tries to reuse the previously negotiated IKE SA.
· The IKE_SA_table is dynamic.
ATTRIBUTES
Attribute | Value
expires | 3600
limit | 25000
sync |
keep |
hashsize | 512
kbuf | 1
KEYS
Key | Type | Description
PeerAddress | ipaddr | IKE peer address.
Me | ipaddr | On SecuRemote, the IP address used by SecuRemote when it negotiated this IKE SA; the field is used to prevent reuse of an old IKE SA negotiated before SecuRemote obtained a new IP address, whether initiator or responder.
CookieI | u_long [2] | Initiator cookie (8 bytes), host byte order.
CookieR | u_long [2] | Responder cookie (8 bytes), host byte order.
VALUES
Value | Type | Description
IKE_SA | kbuf | A kbuf storing the fwisakmp_sa structure.
Flags | uint | Currently only two flags are defined (PEER_MOBILE, INITIATOR); used so the Enforcement Module does not need to retrieve the whole kbuf from the kernel when it only wants to know whether this SA was established with a mobile user.
RenegotiationTime | uint | Renegotiation time of the SA.
EXAMPLE
-------- IKE_SA_table --------
dynamic, id 77, attributes: keep, sync, expires 3600,
limit 25000, hashsize 512, kbuf 1, free function