Hi, I'm trying to understand and measure traffic on a relatively large and complicated pf firewall, and for this purpose I am exporting netflow data with pflow to nfsen/nfdump.

For the time being, I have set pflow on the external interface in the outbound direction:

    pass out on $if_ext inet all keep state (pflow)

On the collector (nfsen), I want to see interface numbers so I can create an interface filter:

    % nfdump -R 2014 -s if/bytes
    Top 10 In/Out If ordered by bytes:
    If    Flows(%)        Packets(%)        Bytes(%)          pps     bps   bpp
     5    19396(100.0)    300683(100.0)     186.7 M(100.0)      3   16984   620
     7    19109( 98.5)    299769( 99.7)     186.6 M(100.0)      3   16976   622
     0      287(  1.5)       914(  0.3)      83170(  0.0)       0     330    90

Another mailing list member told me I can find out about interface numbers with snmpwalk:

    % snmpwalk -v2c -c community -On IP.ADD.RE.SS
    .1.3.6.1.2.1.2.2.1.2.5 = STRING: bnx1
    .1.3.6.1.2.1.2.2.1.2.7 = STRING: carp2

Ok, now I know interface 5 is bnx1 ($if_ext), and I want to know what comes in:

    % nfdump -R 2014 -s dstip/bytes 'in if 5'
    Top 10 Dst IP Addr ordered by bytes:
    Dst IP Addr        Flows(%)       Packets(%)        Bytes(%)
    10.20.0.15        10754(62.9)    323834(52.9)    324.9 M(63.7)
    10.20.4.99          462( 2.7)     10496( 1.7)      9.4 M( 1.8)
    178.148.77.73         4( 0.0)      6681( 1.1)      7.7 M( 1.5)

The first two addresses really are on my internal network, and I know the first one is return web traffic to my proxy, and the second one return web traffic to another internal host. But the last address is not on my network. Let's see the records for this address:

    nfdump -R 2014 -n 100000 -s record/bytes 'in if 5' | grep 178.148.77.73
    TCP 193.53.106.35:443 -> 178.148.77.73:49193   5606   7.6 M
    TCP 193.53.106.35:443 -> 178.148.77.73:49191    313   95342
    TCP 193.53.106.35:443 -> 178.148.77.73:49192    404   18674
    TCP 193.53.106.35:443 -> 178.148.77.73:49190    358   16798

Ok, these are redirected incoming requests to the HTTPS server on my internal network:

    pass in on $if_ext inet proto tcp from any to $pub_web port { 80 443 } \
        rdr-to $priv_web keep state

But the source and destination IP addresses are reversed!

Here's what pf's state table shows:

    $ sudo pfctl -ss | grep 178.148.77.73
    all tcp 10.20.0.36:443 (193.53.106.35:443) <- 178.148.77.73:49377
    all tcp 178.148.77.73:49377 -> 10.20.0.36:443
    all tcp 10.20.0.36:443 (193.53.106.35:443) <- 178.148.77.73:49378
    all tcp 178.148.77.73:49378 -> 10.20.0.36:443
    all tcp 10.20.0.36:443 (193.53.106.35:443) <- 178.148.77.73:49379
    all tcp 178.148.77.73:49379 -> 10.20.0.36:443
    all tcp 10.20.0.36:443 (193.53.106.35:443) <- 178.148.77.73:49380
    all tcp 178.148.77.73:49380 -> 10.20.0.36:443

How could this be corrected? Am I configuring pf incorrectly? Or is there a problem with how pflow exports data? Or is nfdump parsing the data incorrectly?

Thank you in advance,
--
Marko Cupać
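The post compares three sources by hand: the snmpwalk ifDescr listing (to map nfdump's interface number 5 to bnx1), the nfdump per-record output, and pf's state table. The script below is an added example, written for this reply and not part of the original post, nfdump or pf; it parses each of those outputs in the line shapes quoted above and reports, for every nfdump record, whether its src/dst orientation agrees with the matching inbound pf state or is its mirror image. It assumes that `pfctl -ss` prints inbound states as `dst (original dst) <- src`, where the parenthesised address is the public address before `rdr-to` (that is how the post's state lines pair up with its rdr-to rule), and that trailing state columns may follow. All sample lines are constructed from the addresses in the post; the third nfdump record uses the documentation address 192.0.2.10 as a flow that has no rdr state at all.

```python
import re
from dataclasses import dataclass

# --- Constructed sample input, modelled on the output formats quoted in the post ---

# 'snmpwalk -On' ifDescr lines (constructed; OIDs and names as in the post).
SNMPWALK_SAMPLE = """\
.1.3.6.1.2.1.2.2.1.2.5 = STRING: bnx1
.1.3.6.1.2.1.2.2.1.2.7 = STRING: carp2
"""

# 'pfctl -ss' lines (constructed). Trailing state columns, if present, are ignored.
PFCTL_SS_SAMPLE = """\
all tcp 10.20.0.36:443 (193.53.106.35:443) <- 178.148.77.73:49377
all tcp 178.148.77.73:49377 -> 10.20.0.36:443
all tcp 10.20.0.36:443 (193.53.106.35:443) <- 178.148.77.73:49378
all tcp 178.148.77.73:49378 -> 10.20.0.36:443
"""

# 'nfdump -s record/bytes' lines (constructed): proto, src, '->', dst, packets, bytes.
# 192.0.2.10 is a documentation address standing in for a flow with no rdr state.
NFDUMP_SAMPLE = """\
TCP 193.53.106.35:443 -> 178.148.77.73:49377 5606 7.6 M
TCP 193.53.106.35:443 -> 178.148.77.73:49378 313 95342
TCP 10.20.0.15:3128 -> 192.0.2.10:443 120 4096
"""

IFDESCR_RE = re.compile(r"^\.1\.3\.6\.1\.2\.1\.2\.2\.1\.2\.(\d+) = STRING: (\S+)")

def parse_ifdescr(text):
    """Map SNMP ifIndex -> interface name from 'snmpwalk -On' ifDescr output."""
    return {int(m.group(1)): m.group(2)
            for m in map(IFDESCR_RE.match, text.splitlines()) if m}

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir><-|->|<->)\s+(?P<right>\S+)"
)

@dataclass(frozen=True)
class PfState:
    proto: str
    direction: str   # 'in' for '<-' lines, 'out' otherwise
    src: str         # packet source ("host:port")
    dst: str         # packet destination as pf delivers it (after rdr-to)
    wire_dst: str    # destination as seen on the wire (before rdr-to), else == dst

def parse_pf_states(text):
    """Parse 'pfctl -ss' lines; '<-' lines are read as 'dst (original dst) <- src'."""
    states = []
    for m in map(STATE_RE.match, text.splitlines()):
        if not m:
            continue
        if m['dir'] == '<-':
            dst, src, direction = m['left'], m['right'], 'in'
        else:
            src, dst, direction = m['left'], m['right'], 'out'
        states.append(PfState(m['proto'].lower(), direction, src, dst, m['orig'] or dst))
    return states

RECORD_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<pkts>\d+)\s+(?P<bytes>.+)$"
)

def parse_nfdump_records(text):
    """Parse nfdump record lines into (proto, src, dst, packets, bytes-as-printed)."""
    out = []
    for m in map(RECORD_RE.match, text.splitlines()):
        if m:
            out.append((m['proto'].lower(), m['src'], m['dst'],
                        int(m['pkts']), m['bytes'].strip()))
    return out

def classify_records(pf_text, nfdump_text):
    """Return {"src->dst": (verdict, matching inbound PfState or None)} per nfdump record.

    'as-state' : record src/dst equal an inbound state's (src, wire_dst)
    'reversed' : record src/dst are the mirror image of an inbound state
    'no-state' : no inbound state matches in either orientation
    """
    inbound = {(s.proto, s.src, s.wire_dst): s
               for s in parse_pf_states(pf_text) if s.direction == 'in'}
    verdicts = {}
    for proto, src, dst, _pkts, _bytes in parse_nfdump_records(nfdump_text):
        key = f"{src}->{dst}"
        if (proto, src, dst) in inbound:
            verdicts[key] = ('as-state', inbound[(proto, src, dst)])
        elif (proto, dst, src) in inbound:
            verdicts[key] = ('reversed', inbound[(proto, dst, src)])
        else:
            verdicts[key] = ('no-state', None)
    return verdicts

if __name__ == "__main__":
    print("ifIndex map:", parse_ifdescr(SNMPWALK_SAMPLE))
    for rec, (verdict, state) in classify_records(PFCTL_SS_SAMPLE, NFDUMP_SAMPLE).items():
        detail = f"  (pf: {state.src} -> {state.wire_dst} rdr-to {state.dst})" if state else ""
        print(f"{rec:45} {verdict}{detail}")
```

Run against real output, feed it `snmpwalk -On ... ifDescr`, `pfctl -ss` and `nfdump -s record/bytes 'in if N'` text; every record reported as `reversed` is one whose orientation disagrees with the state pf holds for it, which narrows the question to the pflow export or the nfdump side rather than the filter rules. The script only reconciles the two views; it does not by itself say which component is wrong.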