Forwarding Mike's reply to the list - as I seem to have
responded in private to a public discussion. Here follows:
-------- Original Message --------
Subject: Re: Can IP addresses be partially wildcarded w/ `ipfstat -t'?
Date: Sat, 27 Aug 2011 13:55:52 -0400 (EDT)
From: Michael T. Davis <[email protected]>
To: [email protected]
At 10:41:03.02 on 27-AUG-2011 in message <[email protected]>, you wrote:
> Lame reply (since I don't know about this feature in IPF): you can pipe
> the output to "egrep", "awk" or "perl -e" -- in order to match the IPs to
> a certain regexp string. Not very simple or elegant, but solves your
> problem =)
> Also this way you can more easily match IP ranges which are not
> CIDR subnets.
I'm fairly sure this won't work, since the output from `ipfstat -t'
is presented in the same way as `top'. That is, it is designed for dynamic
application-driven screen updating. As a trivial test, I tried this...
ipfstat -t -P tcp -D any,22|awk '$2 != "<firewall-ip>,22"'
...but all I could see on the screen was the heading from the `ipfstat -t'
display:
[begin display]
<hostname> - IP Filter: v4.1.29 - state top
13:44:45
Src: 0.0.0.0, Dest: 0.0.0.0,22, Proto: tcp, Sorted by: # bytes
[end display]
On a related note, another option came to mind. It would be
particularly useful to exclude a given host (or network range specified by
CIDR or addr/mask). If we take the above pipeline as an example, this might
be expressed (assuming `ipfstat -t' supported it and the IP address of the
firewall was 192.168.0.1) as...
ipfstat -t -P tcp -D !192.168.0.1,22
The scope of "!" would be limited to only the IP address or port number, so
that the output would be to any destination on TCP port 22 except 192.168.0.1.
Alternatively, if you wanted to look at all traffic destined for the firewall
except SSH...
ipfstat -t -P tcp -D 192.168.0.1,!22
(The syntax "!any" [and equivalents] for address or port number would be
disallowed.)
Regards,
Mike
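The exclusion semantics Mike proposes above (a "!" whose scope is limited to either the address or the port, "any" allowed but "!any" rejected, address given as a single host or as CIDR) can be expressed in a few lines of awk. The following is an added example and is not code from the thread or from IP Filter. It assumes a line-oriented source of state records; the record layout used here ("src,sport dst,dport proto bytes") and the sample lines are constructed for illustration and are not the real `ipfstat -t' layout, which, as Mike notes, is a screen-oriented display rather than something meant to be piped.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Constructed sample state records: "<src-ip>,<src-port> <dst-ip>,<dst-port> <proto> <bytes>"
# (this layout is an assumption made for the example, not the `ipfstat -t' format).
SAMPLE_STATES='10.0.0.5,51234 192.168.0.1,22 tcp 4096
10.0.0.6,51235 192.168.0.9,22 tcp 1024
10.0.0.7,44001 192.168.0.1,80 tcp 20480
172.16.4.2,33000 192.168.1.20,22 tcp 512'

# filter_states DEST_SPEC
#   DEST_SPEC is "addr,port"; either element may carry a leading "!" which
#   negates only that element, e.g. "!192.168.0.1,22" (port 22 to anything
#   except the firewall) or "192.168.0.1,!22" (firewall, anything but SSH).
#   addr may be a host, a CIDR prefix, or "any"; "!any" is rejected as the
#   thread proposes. Reads records on stdin, prints the ones that match.
filter_states() {
    awk -v spec="$1" '
    # ip2n: dotted quad -> integer, so a CIDR prefix can be compared numerically
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # addr_matches: host or CIDR pattern vs. an address (POSIX awk has no
    # bitwise AND, so the prefix is compared via integer division by 2^(32-bits))
    function addr_matches(pat, ip,  p, bits, div) {
        if (pat == "any") return 1
        if (index(pat, "/") == 0) return pat == ip
        split(pat, p, "/"); bits = p[2] + 0
        if (bits <= 0) return 1
        div = 2 ^ (32 - bits)
        return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
    }
    BEGIN {
        if (split(spec, parts, ",") != 2) {
            print "bad spec (want addr,port): " spec > "/dev/stderr"; exit 2
        }
        # sub() returns 1 when it stripped a leading "!", 0 otherwise
        anot = sub(/^!/, "", parts[1]); pnot = sub(/^!/, "", parts[2])
        if ((anot && parts[1] == "any") || (pnot && parts[2] == "any")) {
            print "!any is not allowed" > "/dev/stderr"; exit 2
        }
        apat = parts[1]; ppat = parts[2]
    }
    {
        split($2, d, ",")                      # destination "ip,port" is field 2 here
        am = addr_matches(apat, d[1])
        pm = (ppat == "any" || ppat == d[2])
        if (anot) am = !am                     # "!" applies to that element only
        if (pnot) pm = !pm
        if (am && pm) print
    }'
}

# demo SPEC: run the filter over the constructed sample records.
demo() {
    printf '%s\n' "$SAMPLE_STATES" | filter_states "$1"
}

# count_matches SPEC: number of sample records SPEC selects.
count_matches() {
    demo "$1" 2>/dev/null | awk 'END { print NR }'
}

# Usage: everything on TCP/22 except the firewall itself (192.168.0.1).
demo '!192.168.0.1,22'
```

With the sample above, `!192.168.0.1,22' prints the two non-firewall SSH states, `192.168.0.1,!22' prints only the HTTP state to the firewall, and `!192.168.0.0/24,22' leaves just the state bound for 192.168.1.20. The negation is evaluated per element, so "!addr,!port" means "neither that address nor that port", which is the natural reading of the proposal.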