On 16.04.2014 12:20, lilit-aibolit wrote:
> On 04/15/2014 09:51 PM, Stefan Sieg wrote:
> >Hello,
> >
> >with the already mentioned netflow solution you will not see connections
> >that have not expired. So you will not see "long-lived" connections like vpn
> >or ssh in your statistics at the appointed date.
> >
> >Maybe pf labels is for you ...
> >
> >lan = "{ 192.168.5.1, 192.168.5.2, .... }"
> >match out on $ext_if inet proto tcp to any received-on $int_if nat-to $ext_if
> >pass in on $int_if inet proto tcp from $lan to any label "$srcaddr" \
> >     tag LAN-INET
> >
> >pass out on $ext_if tagged LAN-INET
> >
> >
> >With "pfctl -s labels" you will get this (the numbers are explained in the
> >manpage)
> >
> >192.168.5.1 57 0 0 0 0 0 0 0
> >192.168.5.2 37 0 0 0 0 0 0 0
> >....
> >....
> >192.168.5.37 37 1950 1318232 1094 1215437 856 102795 37
> >....
> >
> >
> >"pfctl -z" clears the per-rule statistics
> >
> >
> >Greetings
> >
> >Stefan
> >
> >
> >
> Thanks for sharing this simple example.
> Is it true that I need to use lists/macros
> (and define all IPs from my /24 LAN there) in the _from_ statement?
> Because when I use tables:
> 
> table <admin>  { 192.168.5.1, 192.168.5.20 }
> table <lan>       { 192.168.5.0/24 }
> pass in on $int_if inet from <admin> to any label "$srcaddr" \
>     queue (manager, ack)
> pass in on $int_if inet proto tcp from <lan> to any port $portstuff \
>     label "$srcaddr" queue (bulk, ack)
> 
> I got:
> 
> # pfctl -s labels
> <admin> 3055 97 5125 49 2437 48 2688 17
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 3 152 3 152 0 0 1
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 74292 60498330 28705 5930177 45587 54568153 595
> <lan> 1315 14227 3446348 7315 919595 6912 2526753 371
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 0 0 0 0 0 0 0
> <lan> 1315 0 0 0 0 0 0 0
> 

With the rule

pass in on $int_if inet proto tcp from <lan> to any port $portstuff \
    label "$srcaddr" queue (bulk, ack)

you will get per-port statistics for the table <lan>; you can see that
if you add ":$dstport" to the label, or use pfctl -sr.

... yes, you need macros, and another rule for the ports, like this:

pass in on $int_if inet proto tcp from $lan to any label "$srcaddr" \
        tag LAN-INET
pass out on $ext_if inet proto tcp to port $portstuff tagged LAN-INET 


Stefan
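
The thread leaves the reader with raw "pfctl -s labels" rows in which the same label repeats once per expanded port and the per-host numbers still have to be added up by hand. The script below is an added example, written for this page and not taken from the thread or from pf itself. It assumes the nine-column format documented in pfctl(8) (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, state creations), sums rows that share a label, checks that in + out matches the totals so a misparsed row is noticed, and collapses "host:port" labels (the "$srcaddr:$dstport" style Stefan mentions) back to per-host totals. The SAMPLE text is constructed from the rows quoted above plus two assumed "host:port" rows; read_live() is the only part that touches a real firewall.

```python
"""Per-host accounting from `pfctl -s labels` output (added example,
not code from the mailing-list thread). Assumes the nine-column row
format of pfctl(8): label, evaluations, packets, bytes, packets in,
bytes in, packets out, bytes out, state creations."""
import subprocess
from collections import defaultdict

FIELDS = ("evaluations", "packets", "bytes", "packets_in", "bytes_in",
          "packets_out", "bytes_out", "states")

# Constructed sample: rows quoted in the thread, plus two rows in an
# assumed "$srcaddr:$dstport" label style to show the per-port split.
SAMPLE = """\
192.168.5.1 57 0 0 0 0 0 0 0
192.168.5.37 37 1950 1318232 1094 1215437 856 102795 37
<lan> 1315 0 0 0 0 0 0 0
<lan> 1315 3 152 3 152 0 0 1
<lan> 1315 74292 60498330 28705 5930177 45587 54568153 595
<lan> 1315 14227 3446348 7315 919595 6912 2526753 371
192.168.5.20:443 12 40 6000 20 1000 20 5000 4
192.168.5.20:80 12 10 800 5 300 5 500 2
"""


def parse_labels(text):
    """Parse `pfctl -s labels` output into {label: {field: int}}.

    Rows sharing a label are summed: a rule with a port list expands into
    one rule per port, so its label shows up once per port (the repeated
    <lan> rows). Splitting from the right keeps labels with spaces intact.
    """
    totals = defaultdict(lambda: dict.fromkeys(FIELDS, 0))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.rsplit(None, len(FIELDS))
        if len(parts) != len(FIELDS) + 1:
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} counters")
        label, counters = parts[0], parts[1:]
        try:
            values = [int(c) for c in counters]
        except ValueError:
            raise ValueError(f"line {lineno}: non-numeric counter") from None
        for field, value in zip(FIELDS, values):
            totals[label][field] += value
    return dict(totals)


def check_consistency(totals):
    """Return labels whose in + out counters do not add up to the totals.

    A non-empty result means a row was misparsed or the output format
    differs from the assumed one; do not trust the numbers in that case.
    """
    return [label for label, c in totals.items()
            if c["packets_in"] + c["packets_out"] != c["packets"]
            or c["bytes_in"] + c["bytes_out"] != c["bytes"]]


def per_host(totals, sep=":"):
    """Collapse "host<sep>port" labels to the host part and sum per host.

    Assumes IPv4 hosts. An IPv6 $srcaddr contains ':' itself, so use a
    different separator in the pf.conf label and pass it as `sep`.
    """
    hosts = defaultdict(lambda: dict.fromkeys(FIELDS, 0))
    for label, c in totals.items():
        host = label.rsplit(sep, 1)[0] if sep in label else label
        for field in FIELDS:
            hosts[host][field] += c[field]
    return dict(hosts)


def top_talkers(totals, field="bytes", n=5):
    """Labels ordered by one counter, largest first."""
    return sorted(totals, key=lambda lbl: totals[lbl][field], reverse=True)[:n]


def read_live():
    """Read the counters from the local pf (needs access to /dev/pf)."""
    out = subprocess.run(["pfctl", "-s", "labels"], check=True,
                         capture_output=True, text=True)
    return parse_labels(out.stdout)


if __name__ == "__main__":
    stats = parse_labels(SAMPLE)
    if check_consistency(stats):
        raise SystemExit("inconsistent rows: " + str(check_consistency(stats)))
    hosts = per_host(stats)
    for host in top_talkers(hosts):
        c = hosts[host]
        print(f"{host:20} {c['bytes']:>12} bytes  {c['packets']:>8} pkts "
              f"{c['states']:>6} states")
```

Run it as a cron job right after "pfctl -s labels" and before "pfctl -z" if you want daily per-host totals; clearing the counters in between is what makes the next run's numbers attributable to one day, and the consistency check tells you if a row came through mangled.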
