
OpenBSD's pf and traffic - FreeBSD


  1. #1

    OpenBSD's pf and traffic

    Hello!

    Does anybody know how I can use OpenBSD's pf (packet filter) to
    determine the total traffic volume on a network interface? If it's
    impossible, what facility would you recommend for this?

    --
    Sensory yours, Eugene Minkovskii
    Сенсорно ваш, Евгений Миньковский
    Eugene Guest

  2. #2

    Re: OpenBSD's pf and traffic

    Eugene M. Minkovskii wrote:
     
    I don't really know if it is impossible to use PF for monitoring the
    total traffic. But you can (just as I do) use MRTG (Multi Router
    Traffic) to keep track of the amount of data which you are using. It
    renders HTML documents. By default MRTG only keeps track of the current
    bandwidth usage; with a script which is known as 'mrtg-totals' you can
    also get graphs of the total amount of traffic.

    See www.mrtg.org and
    http://freebsd.munk.nu/archives/157-MRTG-Totals-Perl-Script.html

    Good Luck

    Frank Staals
    Frank Guest

  3. #3

    Re: OpenBSD's pf and traffic

    Eugene M. Minkovskii wrote on Sun 20. 03. 2005 at 12:31 +0300:

    I don't know much about pf, but I use ipfw and /usr/ports/sysutils/ipa
    for the purpose. Works very well for me. IPFW itself has counters, but
    ipa makes the stats persist across reboots and changes to the ruleset.
    Be careful not to reconfigure ipfw from under a running ipa - it will
    think the counters overflowed and add huge numbers to the last known
    value. Additionally, ipa can do much more than just simple counters.

    I configure it like this:

    ipfw:
    100 add allow all from any to any in via xl0
    110 add allow all from any to any out via xl0

    ipa(/usr/local/etc/ipa.conf):
    rule xl0-in {
    ipfw = 100
    info = Incoming traffic for xl0
    }
    rule xl0-out {
    ipfw = 110
    info = Outgoing traffic for xl0
    }

    HTH

    Michal Mertl


    Michal Guest

  4. #4

    Re: OpenBSD's pf and traffic

    "Eugene M. Minkovskii" <ru> writes:
     

    Various pfctl -s options (eg pfctl -s info) give you counters of bytes
    and packets passed or blocked. If you use labels in your pass rules,
    you'll get per label counters as well.

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest

  5. #5

    Re: OpenBSD's pf and traffic

    On Sun, Mar 20, 2005 at 05:51:58PM +0100, Peter N. M. Hansteen wrote:
    " "Eugene M. Minkovskii" <ru> writes:
    "
    " > Does any body know, how can I use OpenBSD's pf (packet filter) for
    " > determine total traffic volume on network interface? If it's
    " > impossible, what facility you recommend me to do this?
    "
    " Various pfctl -s options (eg pfctl -s info) give you counters of bytes
    " and packets passed or blocked. If you use labels in your pass rules,
    " you'll get per label counters as well.
    "

    Thank you, Peter.

    So, now I can define rules like

    block in log on $ext_ip inet from any to $ext_ip label $ext_ip
    pass in on $ext_ip inet from any to $ext_ip port 22 keep sate

    As you can see, ssh packets match both rules and pass in because the
    last rule wins. Does it mean that I can't see ssh's packets using the
    command
    # pfctl -sl

    And if I use

    block in log on $ext_ip inet from any to $ext_ip label $ext_ip
    pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip

    ... I see the label twice?

    Perhaps you know where I can find a workable example of this?

    --
    Sensory yours, Eugene Minkovskii
    Сенсорно ваш, Евгений Миньковский
    Eugene Guest

  6. #6

    Re: OpenBSD's pf and traffic

    "Eugene M. Minkovskii" <ru> writes:
     

    here you label the blocked packets but not the ones you pass, which
    means your ssh packets would count toward the packets passed counter only.
     

    No. But both rules would increment the $ext_ip counter, which means that
    your $ext_ip counter would be essentially packet totals. Last matching
    rule wins (with state instead of sate it would work), so each packet
    increments the relevant counters only once.
     

    Randal Schwartz has a nice article called "Monitoring Net Traffic with
    OpenBSD's Packet Filter" at http://www.samag.com/documents/s=9053/sam0403j/0403j.htm

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest

  7. #7

    Re: OpenBSD's pf and traffic

    On Mon, Mar 21, 2005 at 08:54:35AM +0100, Peter N. M. Hansteen wrote:
    " "Eugene M. Minkovskii" <ru> writes:
    "
    " > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
    " > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate
    " >
    " > As you can see, ssh packets match to all rule and pass in because
    " > last rule win. Does it mean, that I can't see ssh's packet using
    " > command
    " > # pfctl -sl
    "
    " here you label the blocked packets but not the ones you pass, which
    " means your ssh packets would count toward the packets passed counter only.
    "
    " > And if I use
    " >
    " > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
    " > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip
    " >
    " > ... I see label twice ?
    "
    " No. But both rules would increment the $ext_ip counter, which means that
    " your $ext_ip counter would be essentially packet totals. Last matching
    " rule wins (with state instead of sate it would work), so each packet
    " increments the relevant counters only once.

    I was trying some experiments... It seems to me you are right in
    all except one: the second line doesn't increase the $ext_ip counter,
    but... adds another counter with the same name:

    # pfctl -sr | grep label
    block in log on $ext_if inet from any to $ext_if label $ext_if
    block in log quick on $ext_if inet from <crackers> to $ext_if label $ext_if
    pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if
    pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if
    pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if
    pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if


    # pfctl -vsl
    rl0 48703 10 936
    rl0 26095 0 0
    rl0 25845 776 81479
    rl0 29 25 2952
    rl0 29 0 0
    rl0 29 0 0


    But, of course, this output is "scriptable". (I can sum these
    numbers in Python or bc.)


    " > Perhaps you know where I can find workable example of this?
    "
    " Randal Schwartz has a nice article called "Monitoring Net Traffic with
    " OpenBSD's Packet Filter" at http://www.samag.com/doents/s=9053/sam0403j/0403j.htm
    "

    Thanks


    --
    Sensory yours, Eugene Minkovskii
    Сенсорно ваш, Евгений Миньковский
    Eugene Guest
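The `pfctl -vsl` output Eugene pasted above prints one line per labelled rule, so a label that is attached to several rules (here `rl0`, from `label $ext_if`) shows up once per rule and the per-label total has to be summed by hand or by script. The following Python script is an added example, not code from the thread or from the pf project: it parses that output (assumed format, taken from the thread: `<label> <evaluations> <packets> <bytes>`), aggregates the counters per label name, and prints a small report. The six sample lines are the ones posted in the thread, embedded here as constructed input so the script runs offline; with `--live` it reads the real counters via `pfctl -vsl` instead, which requires root.

```python
"""Aggregate per-label counters from `pfctl -vsl` output.

Added example, not part of the original thread. Assumed line format is
the one shown in the thread: <label> <evaluations> <packets> <bytes>.
"""
import subprocess
from collections import defaultdict
from dataclasses import dataclass


# Constructed sample: the six counter lines posted in this thread.
SAMPLE_OUTPUT = """\
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0
"""


@dataclass
class LabelTotals:
    rules: int = 0         # number of rules carrying this label
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0


def parse_pfctl_labels(text):
    """Parse `pfctl -vsl` output into a dict {label: LabelTotals}.

    Counters are read from the right-hand end of each line: a label may
    contain spaces (pf.conf allows quoted labels), but the trailing
    counters are always plain integers. Lines without at least three
    trailing integers are skipped. Any extra trailing counters printed by
    newer pfctl versions are ignored (assumption: only the first three,
    evaluations/packets/bytes, are wanted).
    """
    totals = defaultdict(LabelTotals)
    for line in text.splitlines():
        fields = line.split()
        # Count trailing integer fields, always leaving at least one
        # field for the label itself (a label may look numeric).
        n = 0
        while n < len(fields) - 1 and fields[-1 - n].isdigit():
            n += 1
        if n < 3:
            continue
        label = " ".join(fields[:-n])
        evaluations, packets, nbytes = (int(f) for f in fields[-n:][:3])
        t = totals[label]
        t.rules += 1
        t.evaluations += evaluations
        t.packets += packets
        t.byte_count += nbytes
    return dict(totals)


def grand_total(totals):
    """Sum packets and bytes over every label: returns (packets, bytes)."""
    return (sum(t.packets for t in totals.values()),
            sum(t.byte_count for t in totals.values()))


def format_report(totals):
    """Render one line per label plus a total line."""
    lines = [f"{'label':<20} {'rules':>5} {'packets':>10} {'bytes':>14}"]
    for label, t in sorted(totals.items()):
        lines.append(f"{label:<20} {t.rules:>5} {t.packets:>10} {t.byte_count:>14}")
    packets, nbytes = grand_total(totals)
    lines.append(f"{'total':<20} {'':>5} {packets:>10} {nbytes:>14}")
    return "\n".join(lines)


def read_live_counters():
    """Run `pfctl -vsl` (needs root on the firewall) and return its output."""
    return subprocess.run(["pfctl", "-vsl"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    text = read_live_counters() if "--live" in sys.argv else SAMPLE_OUTPUT
    print(format_report(parse_pfctl_labels(text)))
```

For the sample lines the report shows a single `rl0` label carried by six rules with 811 packets and 85367 bytes in total. Because the counters are cumulative since the last `pfctl -z` (or ruleset reload), a periodic collector should store the previous reading and report the difference, otherwise a reload part-way through an interval will look like a drop to zero.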

  8. #8

    Re: OpenBSD's pf and traffic

    Sorry, it's me again.

    So, I was trying to modify my OpenBSD pf firewall to collect
    information about traffic for me. Now I have the following rules:

    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

    So, where could I put a label to mark inbound traffic? This traffic
    comes into my machine because I use the state table.

    --
    Sensory yours, Eugene Minkovskii
    Сенсорно ваш, Евгений Миньковский
    Eugene Guest

  9. #9

    Re: OpenBSD's pf and traffic

    "Eugene M. Minkovskii" <ru> writes:
     

    I'd say something along the lines of

    allowed_out = "{ ssh, domain, http, https, etc... }"

    pass out on $ext_if proto tcp $allowed_out label allowed-out keep state

    you could differentiate among source addresses, for example by
    specifying

    client1 = "{ 192.168.n.1, 192.168.n.2 }"
    client2 = "{ 192.168.n.3, 192.168.n.4 }"

    client2_inports = { whatever they need }

    pass out on $ext_if from $client1 to any proto tcp $allowed_out \
    label client1 keep state

    pass out on $ext_if from $client2 to any proto tcp $allowed_out \
    label client2-out keep state

    pass from any to $client2 $client2_inports label client2-in keep state

    and so on. Hope this helps.
    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest

  10. #10

    Re: OpenBSD's pf and traffic

    On Tue, Mar 22, 2005 at 01:18:27PM +0100, Peter N. M. Hansteen wrote:
    " "Eugene M. Minkovskii" <ru> writes:
    "
    "
    " I'd say something along the lines of
    "
    " allowed_out = "{ ssh, domain, http, https, etc... }"
    "
    " pass out on $ext_if proto tcp $allowed_out label allowed-out keep state
    "
    " you could differentiate among source addresses, for example by
    " specifying
    "
    " client1 = "{ 192.68.n.1, 192.168.n.2 }"
    " client1 = "{ 192.68.n.3, 192.168.n.4 }"
    "
    " client2_inports = { whatever they need }
    "
    " pass out on $ext_if from $client1 to any proto tcp $allowed_out \
    " label client1 keep state
    "
    " pass out on $ext_if from $client2 to any proto tcp $allowed_out \
    " label client2-out keep state
    "
    " pass from any to $client2 $client2_inports label client2-in keep state
    "
    " and so on. Hope this helps.

    Just a moment, does it mean that your last rule allows any
    incoming connections from the world to the clients if they match
    client2_inports, ANY, not only connections opened by the clients?

    Moreover, I read in the documentation that the state table is read BEFORE
    the rules, and connections opened by the clients through the first rule:

    pass out on $ext_if from $client1 to any proto tcp $allowed_out \
    label client2 keep state

    will not be marked with label client2-in because they don't pass
    through this rule. Am I right?

    --
    Sensory yours, Eugene Minkovskii
    Сенсорно ваш, Евгений Миньковский
    Eugene Guest

  11. #11

    Re: OpenBSD's pf and traffic

    "Eugene M. Minkovskii" <ru> writes:
     

    That rule would let new connections from anywhere pass on the allowed
    ports to the clients. This might be useful mainly if your firewall is
    between the world and one or more servers, though.
     

    In a word, yes. The 'keep state' in these examples, would AFAIK mean
    that the counters would keep track of all traffic for a connection, so
    traffic initiated from the inside would match the pass out rule's
    counters, while connections opened from the outside would count on the
    pass in rules.

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest

  12. #12

    Re: OpenBSD's pf and traffic

    "
    " In a word, yes. The 'keep state' in these examples, would AFAIK mean
    " that the counters would keep track of all traffic for a connection, so
    " traffic initiated from the inside would match the pass out rule's
    " counters, while connections opened from the outside would count on the
    " pass in rules.
    "

    Unfortunately, this means that OpenBSD's pf cannot measure
    traffic, because we cannot separate incoming and outgoing
    traffic in a bidirectional rule. Or we must not use the keep state
    feature.

    --
    Sensory yours, Eugene Minkovskii
    Сенсорно ваш, Евгений Миньковский
    Eugene Guest

  13. #13

    Re: OpenBSD's pf and traffic

    "Eugene M. Minkovskii" <ru> writes:
     

    I think I understand what you mean - you do not want per connection
    statistics, you want packets passed by direction, regardless of which
    side initiated the traffic, subdivided by pass rule. At the moment I'm
    not sure how to put that into pf.conf rules, but you may want to go
    where the real pf experts hang out - cx - and see if
    there's an angle we haven't thought of.

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest

  14. #14

    Re: OpenBSD's pf and traffic

    On Tue, Mar 22, 2005 at 02:28:09PM +0100, Peter N. M. Hansteen wrote:
    " "Eugene M. Minkovskii" <ru> writes:
    "
    " > Unfortunely, this mean, that OpenBSD's pf can not measure
    " > traffic, because we can not separate incoming and outgoing
    " > traffic in bidirectional rule. Or we must not use keep state
    " > feature.
    "
    " I think I understand what you mean - you do not want per connection
    " statistics, you want packets passed by direction, regardless of which
    " side initiated the traffic, subdivided by pass rule. At the moment I'm
    " not sure how to put that into pf.conf rules, but you may want to go
    " where the real pf experts hang out - cx - and see if
    " there's an angle we haven't thought of.
    "

    Yes, now you understand me right. Sorry for my bad English :).

    Is cx a mailing list or a private e-mail? Do I need
    to register anywhere before mailing to it?

    --
    Sensory yours, Eugene Minkovskii
    Сенсорно ваш, Евгений Миньковский
    Eugene Guest

  15. #15

    Re: OpenBSD's pf and traffic

    Sure you can.
    Check out IP accounting, it's a great tool for web
    hosters and such, and they have a pf module:

    http://ipa-system.sourceforge.net/



    Jorge Mario Mazo

    Jorge Guest

  16. #16

    Re: OpenBSD's pf and traffic

    "Eugene M. Minkovskii" <ru> writes:
     

    cx is a mailing list, which I think allows posting by
    non-subscribers, but obviously you may want to sign up to make sure you
    get any replies sent to the list only. Anyway the mailing list's home
    page is at http://www.benzedrine.cx/mailinglist.html

    (Sorry for the delay - bgnett's mail servers apparently were a bit
    overwhelmed by some worm or other, leaving useful traffic queued rather
    longer than I appreciate.)

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest
