Monitoring ipfw dynamic rules with Cacti & net-snmp

June 20th, 2005

You'll need a fairly recent install of net-snmp for this, as it uses the 'extend' MIB.

In snmpd.conf:

# so we can track dynamic-rule count
extend fw-dyn-rules /usr/local/bin/snmp-fw-dynrules
And that script is simply:
#!/bin/sh
# line 1 = current dynamic-rule count, line 2 = configured maximum
sysctl -n net.inet.ip.fw.dyn_count
sysctl -n net.inet.ip.fw.dyn_max
Which you can then monitor with the following MIBs:
Current rules:
Maximum rules:
It's not much, but it was useful in fault-finding a problem with our ipfw firewall, where it seemed to be running out of dynamic rule slots.
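As an added example (not part of the original post), the POSIX shell check below consumes the output of walking NET-SNMP-EXTEND-MIB::nsExtendOutLine for the fw-dyn-rules entry, where net-snmp exposes the script's first output line (dyn_count) as index .1 and the second (dyn_max) as index .2, and warns when the dynamic-rule table is nearly full. The snmpwalk output embedded here is constructed, and the 90% threshold is an assumption; the function names are mine.

```shell
#!/bin/sh
# Added example: turn the two extend output lines into a utilisation check
# so a near-full ipfw dynamic-rule table is noticed before it starts dropping state.

# Constructed sample of what 'snmpwalk -v2c -c <community> <host> NET-SNMP-EXTEND-MIB::nsExtendOutLine'
# prints for the extend entry: line 1 = dyn_count, line 2 = dyn_max (same order as the script).
SAMPLE_WALK='NET-SNMP-EXTEND-MIB::nsExtendOutLine."fw-dyn-rules".1 = STRING: 3841
NET-SNMP-EXTEND-MIB::nsExtendOutLine."fw-dyn-rules".2 = STRING: 4096'

# extract_line NAME N: print the Nth output line of extend entry NAME, reading walk text on stdin
extract_line() {
    sed -n "s/^.*nsExtendOutLine\.\"$1\"\.$2 = STRING: \([0-9][0-9]*\)\$/\1/p"
}

# dyn_percent COUNT MAX: integer percentage of dynamic-rule slots in use (0 if MAX is 0)
dyn_percent() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# check_dyn_rules WALKTEXT THRESHOLD: exit 0 if usage is below THRESHOLD percent, 1 if at or above
check_dyn_rules() {
    count=$(printf '%s\n' "$1" | extract_line fw-dyn-rules 1)
    max=$(printf '%s\n' "$1" | extract_line fw-dyn-rules 2)
    pct=$(dyn_percent "$count" "$max")
    if [ "$pct" -ge "$2" ]; then
        echo "WARNING: ipfw dynamic rules $count/$max (${pct}%) at or above ${2}%"
        return 1
    fi
    echo "OK: ipfw dynamic rules $count/$max (${pct}%)"
    return 0
}

# Usage: evaluate the constructed sample against an assumed 90% threshold.
check_dyn_rules "$SAMPLE_WALK" 90 || :
```

Cacti can graph the two values directly, but a ratio check like this is what tells you the table is about to fill; feed it real snmpwalk output in place of SAMPLE_WALK.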

Here's an export from our cacti install, which should include all of that.

