Nerd blog.

09 Oct 2014

Firewall Log Stats

I run an OpenBSD system as a packet filter in front of my various virtual machines at my colo. I’ve got a default “block drop in log all” rule which drops and logs all unhandled traffic. I’ve been rotating the logs, but not doing anything with them beyond troubleshooting. I often watch the live pflog scroll by, investigating the occasional IP of interest.

This often involves doing a whois on the IP space, as well as a GeoIP lookup. This can be repetitive, and sometimes after a few hours’ worth of copy/paste/lookup I feel like a robot. So I set out to gather some stats on my firewall logs. I googled for “openbsd pflog stats”, which gave me the OpenBSD PF FAQ on logging, and then an article about Monitoring PF which suggested using fwanalog. I tried fwanalog, and was unhappy with its complexity and its lack of output. Things just seemed broken after sitting abandoned for so long.

I went back to my Google search, and on the 5th hit found a nice Perl script, Pantz PFlog Stats, which had simple but informative output. This script had also sat untouched for years, but it ran without error and immediately produced a nice summary of blocked packets. The code was well documented, and the script was easily extensible. I’ve hacked on many Perl scripts before; Perl is actually the language I started hacking on.

I set out with a few goals in mind:

  • Update the script’s external links
    • web-based IP whois which supports all geographic regions (not just the ARIN region)
  • Add GeoIP support, using the free DB from MaxMind.
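As an added example (not the Pantz script and not code from this post), here is a small Python version of the same idea: parse tcpdump-style pflog lines, count blocked packets by source IP and destination port, and tag the top sources with a country code. The sample lines, their exact field layout, and the fake_geo_lookup stand-in are assumptions; a real run would feed it the output of tcpdump -n -e -ttt -r /var/log/pflog and a MaxMind database reader.

```python
import re
from collections import Counter

# Constructed sample lines in the style of `tcpdump -n -e -ttt -r /var/log/pflog`.
# Assumption: this field order; adjust PFLOG_RE if your OpenBSD release prints differently.
SAMPLE_PFLOG = """\
Oct 09 10:01:02.000001 rule 2/(match) block in on em0: 203.0.113.5.54321 > 192.0.2.10.22: S 1:1(0) win 65535
Oct 09 10:01:03.000002 rule 2/(match) block in on em0: 203.0.113.5.54322 > 192.0.2.10.23: S 1:1(0) win 65535
Oct 09 10:01:04.000003 rule 2/(match) block in on em0: 198.51.100.7.40000 > 192.0.2.10.22: S 1:1(0) win 65535
Oct 09 10:01:05.000004 rule 0/(match) pass in on em0: 198.51.100.9.40001 > 192.0.2.10.443: S 1:1(0) win 65535
Oct 09 10:01:06.000005 rule 2/(match) block in on em0: 203.0.113.5.54323 > 192.0.2.10.3389: S 1:1(0) win 65535
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\S+) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog(lines):
    """Yield one dict per IPv4 TCP/UDP line; skip anything else (ICMP, IPv6, truncated)."""
    for line in lines:
        m = PFLOG_RE.match(line)
        if m:
            yield m.groupdict()

# Constructed stand-in for GeoIP. A real run would use the geoip2 package:
#   geoip2.database.Reader(path).country(ip).country.iso_code
FAKE_GEO = {"203.0.113.5": "XX", "198.51.100.7": "YY"}

def fake_geo_lookup(ip):
    return FAKE_GEO.get(ip, "??")

def blocked_stats(lines, geo_lookup=fake_geo_lookup, top=5):
    """Summarise blocked packets: total, top source IPs with country, top destination ports."""
    by_src, by_dport = Counter(), Counter()
    for rec in parse_pflog(lines):
        if rec["action"] != "block":      # passed traffic is logged too; only count blocks
            continue
        by_src[rec["src"]] += 1
        by_dport[int(rec["dport"])] += 1
    top_src = [(ip, n, geo_lookup(ip)) for ip, n in by_src.most_common(top)]
    return {"total_blocked": sum(by_src.values()),
            "top_src": top_src, "top_dport": by_dport.most_common(top)}

if __name__ == "__main__":
    stats = blocked_stats(SAMPLE_PFLOG.splitlines())
    print(f"blocked packets: {stats['total_blocked']}")
    for ip, n, cc in stats["top_src"]:
        print(f"  {ip:<16}{n:>5}  {cc}")
    for port, n in stats["top_dport"]:
        print(f"  port {port:<6}{n:>5}")
```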

I have accomplished both goals, and have put the result of my hacking up on GitHub, at

You can see some sample output generated at the time this blog was published here.

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.