Hi:
For learning purposes I want to set up collecting NetFlow data from my small
office router (5.8 release on a PC-Engines Alix 2D13 device).
I'm trying to follow
http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html
and I have Peter N. M. Hansteen's fine Book of PF (3) at hand - chapter 9
"Collecting NetFlow Data with pflow(4)".
However I seem to have a hard time understanding some details.
I set up
/etc/pf.conf
# options:
set state-defaults pflow
and
/etc/hostname.pflow0
and get this:
# ifconfig pflow0
pflow0: flags=41<UP,RUNNING> mtu 1448
priority: 0
pflow: sender: 192.168.12.1 receiver: 192.168.12.31:9995 version: 10
groups: pflow
192.168.12 is my internal small network. I plan to set up a collector on
192.168.12.31, which is an OpenBSD-vm on my work station.
(Did I get this right? Or should I use the address which I get from my ISP as
a source address?)
However
# tcpdump -nettti pflow0
tcpdump: Failed to open bpf device for pflow0: Device not configured
In /dev/ I got bpf0 up to bpf9
I did not set up a collector right now - just wanted to see if I get any
NetFlow data.
What did I miss setting up the pflow pseudo-device?
The Book of PF states:
"With at least one pflow device configured [1] and at least one rule in your
pf.conf that generates data for export via the pflow device [2], you're almost
finished setting up the sensor. You may still need to add a rule [3], however,
that allows the UDP data to flow from the IP address you specified as the flow
data source to the collector's IP address and target port at the flow
destination."
[1] "one pflow device configured" did I understand correctly that this is done
by
/etc/hostname.pflow0
flowsrc 181.40.100.8 flowdst 192.168.12.31:9995
pflowproto 10
?
[2] "and at least one rule in your pf.conf that generates data for export via
the pflow device" does this mean that
set state-defaults pflow
in /etc/pf.conf
is enough or do I still need to add one pass rule with "keep state (pflow)"?
[3] "add a rule, however, that allows the UDP data to flow from the IP address
you specified as the flow data source to the collector's IP address and target
port at the flow destination"
I'm not quite getting this. Isn't it done if I allow UDP packets in general to
flow out of my internal interface into my network?
Thank you for your time.
Eike
pfctl -sr:
block return all
block return in quick on vr0 inet from <__automatic_ca3abafe_0> to any
block return out quick on vr0 inet from any to <__automatic_ca3abafe_1>
block return log (all, to pflog1) quick from <bruteforce> to any
block return log (all, to pflog1) quick from <blacklist> to any
pass inet proto tcp from any to 192.168.12.0/25 port = 53 flags S/SA keep state (source-track rule, max-src-conn 60, max-src-conn-rate 10/10, overload <bruteforce> flush global, src.track 10)
pass inet proto tcp from any to 192.168.12.0/25 port = 123 flags S/SA keep state (source-track rule, max-src-conn 60, max-src-conn-rate 10/10, overload <bruteforce> flush global, src.track 10)
pass inet proto tcp from any to 192.168.12.0/25 port = 113 flags S/SA keep state (source-track rule, max-src-conn 60, max-src-conn-rate 10/10, overload <bruteforce> flush global, src.track 10)
pass inet proto tcp from any to 192.168.12.0/25 port = 2244 flags S/SA keep state (source-track rule, max-src-conn 60, max-src-conn-rate 10/10, overload <bruteforce> flush global, src.track 10)
pass inet proto tcp from any to 192.168.12.0/25 port = 5198 flags S/SA keep state (source-track rule, max-src-conn 60, max-src-conn-rate 10/10, overload <bruteforce> flush global, src.track 10)
pass inet proto tcp from any to 192.168.12.0/25 port = 5199 flags S/SA keep state (source-track rule, max-src-conn 60, max-src-conn-rate 10/10, overload <bruteforce> flush global, src.track 10)
block return in on ! lo0 proto tcp from any to any port 6000:6010
anchor "ftp-proxy/*" all
pass in quick on vether0 inet proto tcp from any to any port = 21 flags S/SA keep state (pflow) divert-to 127.0.0.1 port 8021
pass out inet proto tcp from 127.0.0.1 to any port = 21 flags S/SA keep state (pflow)
match in all scrub (no-df max-mss 1440)
match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
block return in log all
pass out quick all flags S/SA keep state (pflow)
block drop in log quick on ! lo inet6 from ::1 to any
block drop in log quick on ! lo inet from 127.0.0.0/8 to any
block drop in log quick inet from 127.0.0.1 to any
block drop in log quick on ! vether0 inet from 192.168.12.0/25 to any
block drop in log quick inet from 192.168.12.1 to any
block drop in log quick on lo0 inet6 from fe80::1 to any
block drop in log quick inet6 from ::1 to any
pass in log on egress inet proto tcp from any to (egress) port = 53 flags S/SA keep state (pflow)
pass in log on egress inet proto tcp from any to (egress) port = 123 flags S/SA keep state (pflow)
pass in log on egress inet proto tcp from any to (egress) port = 113 flags S/SA keep state (pflow)
pass in log on egress inet proto tcp from any to (egress) port = 2244 flags S/SA keep state (pflow)
pass in log on egress inet proto tcp from any to (egress) port = 5198 flags S/SA keep state (pflow)
pass in log on egress inet proto tcp from any to (egress) port = 5199 flags S/SA keep state (pflow)
pass in log on vether0 inet proto tcp from 192.168.12.0/25 to 181.40.100.8 port = 80 flags S/SA keep state (pflow) rdr-to 192.168.12.11
pass in log on vether0 inet proto tcp from 192.168.12.0/25 to 181.40.100.8 port = 443 flags S/SA keep state (pflow) rdr-to 192.168.12.11
match out log on vether0 inet proto tcp from 192.168.12.0/25 to 192.168.12.11 port = 80 nat-to 192.168.12.1
match out log on vether0 inet proto tcp from 192.168.12.0/25 to 192.168.12.11 port = 443 nat-to 192.168.12.1
pass on vether0 inet proto tcp from any to 192.168.12.11 port = 80 flags S/SA keep state (pflow)
pass on vether0 inet proto tcp from any to 192.168.12.11 port = 443 flags S/SA keep state (pflow)
pass in log on egress inet proto tcp from any to (egress) port 5198:5199 flags S/SA synproxy state rdr-to 192.168.12.21
pass in log on egress inet proto udp from any to (egress) port 5198:5199 rdr-to 192.168.12.21
pass out on egress inet proto udp from any to any port 33433 >< 33626 keep state (pflow)
pass in inet proto icmp all icmp-type echoreq keep state (pflow)
pass in inet proto icmp all icmp-type unreach keep state (pflow)
pass in on vether0 all flags S/SA keep state (pflow)
Dmesg:
OpenBSD 5.8 (GENERIC) #1066: Sun Aug 16 02:33:00 MDT 2015
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 267931648 (255MB)
avail mem = 250261504 (238MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address
00:0d:b9:2d:cf:20
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address
00:0d:b9:2d:cf:21
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address
00:0d:b9:2d:cf:22
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
athn0 at pci0 dev 12 function 0 "Atheros AR9280" rev 0x01: irq 9
athn0: AR9280 rev 2 (2T2R), ROM rev 22, address 04:f0:21:06:22:c4
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
maxtmp0 at iic0 addr 0x4c: lm86
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFHSNJC-008G>
wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
wd1 at pciide0 channel 0 drive 1: <IC25N040ATCS05-0>
wd1: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd1 at pciide0 channel 0 drive 1: <IC25N040ATCS05-0>
wd1: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version
1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
nvram: invalid checksum
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (6dbba8d48e10016f.a) swap on wd0b dump on wd0b
clock: unknown CMOS layout
--
Eike Lantzsch ZP6CGE
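As an added example (not part of Eike's mail, and not pflow(4) or Book of PF code): pflow with "pflowproto 10" exports IPFIX, so a collector bound to 192.168.12.31:9995 receives datagrams laid out as in RFC 7011. The decoder below checks the 16-byte message header and walks the set headers, which is enough to confirm "I get NetFlow data" without a full collector. The sample message is constructed here; the template field IDs 8 and 12 are the IANA sourceIPv4Address and destinationIPv4Address elements.

```python
"""Decode the header and set headers of an IPFIX (NetFlow v10) message (RFC 7011)."""
import struct
from typing import List, NamedTuple, Tuple

IPFIX_VERSION = 10            # pflow "version: 10" in ifconfig output
HEADER_FMT = "!HHIII"         # version, length, export time, sequence, observation domain
SET_HDR_FMT = "!HH"           # set id, set length (includes the 4-byte set header)
TEMPLATE_SET_ID = 2           # sets 2/3 carry templates; data sets use ids >= 256


class IpfixHeader(NamedTuple):
    version: int
    length: int
    export_time: int
    sequence: int
    domain_id: int


class IpfixSet(NamedTuple):
    set_id: int
    length: int
    payload: bytes


def parse_ipfix(data: bytes) -> Tuple[IpfixHeader, List[IpfixSet]]:
    """Return (header, sets) for one UDP datagram; raise ValueError if malformed."""
    if len(data) < 16:
        raise ValueError("short message: %d bytes" % len(data))
    hdr = IpfixHeader._make(struct.unpack(HEADER_FMT, data[:16]))
    if hdr.version != IPFIX_VERSION:
        raise ValueError("not IPFIX: version field is %d" % hdr.version)
    if hdr.length != len(data):       # length covers the whole message
        raise ValueError("length field %d != datagram %d" % (hdr.length, len(data)))
    sets, off = [], 16
    while off < hdr.length:
        if off + 4 > hdr.length:
            raise ValueError("truncated set header at offset %d" % off)
        set_id, set_len = struct.unpack(SET_HDR_FMT, data[off:off + 4])
        if set_len < 4 or off + set_len > hdr.length:
            raise ValueError("bad set length %d at offset %d" % (set_len, off))
        sets.append(IpfixSet(set_id, set_len, data[off + 4:off + set_len]))
        off += set_len
    return hdr, sets


def build_sample_message() -> bytes:
    """Constructed sample: one template set defining template 256 with two IPv4 fields."""
    template = struct.pack("!HH", 256, 2) + struct.pack("!HH", 8, 4) + struct.pack("!HH", 12, 4)
    tset = struct.pack(SET_HDR_FMT, TEMPLATE_SET_ID, 4 + len(template)) + template
    hdr = struct.pack(HEADER_FMT, IPFIX_VERSION, 16 + len(tset), 1440000000, 0, 1)
    return hdr + tset
```

Feeding the datagrams received on UDP 9995 through parse_ipfix() tells you whether the sensor is exporting at all; a first message from pflow is expected to carry a template set before any data set.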