On 5/16/07, Frans Haarman <[EMAIL PROTECTED]> wrote:
> Hello,
> I was wondering about using pf to monitor what is happening on our
> network. The idea is to connect a pf machine to the management port on
> the switch.
> I am building some rules to monitor certain protocols for all IP
> addresses connected to our network:
>
> pass in proto tcp from src_ip to dest_server port = protocol label src_ip_protocol
> pass in proto tcp from 10.10.1.1 to 10.200.1.1 port = 80 label "10_10_1_1_HTTP"
> pass in proto tcp from 10.10.1.2 to 10.200.1.1 port = 80 label "10_10_1_2_HTTP"
> pass in proto tcp from 10.10.1.3 to 10.200.1.1 port = 80 label "10_10_1_3_HTTP"
> .....
>
> I think I will end up with over 2000 rules. But maybe much more. Is
> this something doable with pf or am I totally abusing the labeling
> features?
> For me it seems like a quick way to get protocol statistics per
> connected IP going towards our servers....... however I have no idea
> if it will work with lots of traffic & IPs!
Quick way, I wouldn't agree with. I wouldn't call it the right tool
for the job, whereas Argus (already mentioned) or other tools such as
Netflow seem (IMHO) better suited.
See also:
http://www.mindrot.org/projects/flowd/
http://www.mindrot.org/projects/pfflowd/
http://www.mindrot.org/projects/softflowd/
DS
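As an added illustration of the two sides of this thread (not code from either poster), the script below generates the per-source-IP monitoring rules the way pf itself supports it, using an address list that pf expands into one rule per host together with the `$srcaddr` label macro from pf.conf(5), and then turns `pfctl -sl` output into per-host, per-protocol packet and byte counts. The host inventory and the `pfctl -sl` output are constructed samples; the assumed output shape is one line per label with the label followed by evaluations, packets and bytes. `expanded_rule_count` makes the scaling point explicit: the config stays short, but the kernel still holds one rule per host and service, which is why a flow exporter is the better fit at thousands of hosts.

```python
"""Per-source-IP protocol statistics with pf labels.

Added example for the thread above; not code from the original posts.
Assumptions: pf expands an address list into one rule per address and
substitutes the $srcaddr label macro (pf.conf(5)), and `pfctl -sl` prints
one line per label in the form
    label evaluations packets bytes [per-direction counters ...]
The pfctl output used below is constructed, not captured from a live box.
"""
from collections import defaultdict

# Constructed sample inventory: hosts to watch and server/port per "protocol" name.
WATCHED_HOSTS = ["10.10.1.1", "10.10.1.2", "10.10.1.3"]
SERVICES = {"HTTP": ("10.200.1.1", 80), "SMTP": ("10.200.1.2", 25)}


def build_ruleset(hosts, services):
    """Return pf.conf lines: one rule per service.

    The address list lets pf expand the line into one rule per host, and the
    $srcaddr label macro gives each expanded rule its own counter, so the
    config stays at len(services) lines instead of len(hosts)*len(services).
    """
    host_list = "{ " + ", ".join(hosts) + " }"
    rules = []
    for name, (server, port) in sorted(services.items()):
        # The label is quoted so the lexer does not treat $srcaddr as a user macro.
        rules.append(
            f"pass in proto tcp from {host_list} to {server} port {port} "
            f'label "{name}:$srcaddr"'
        )
    return rules


def expanded_rule_count(hosts, services):
    """Number of rules pf will actually hold in the kernel after expansion."""
    return len(hosts) * len(services)


def parse_label_stats(pfctl_sl_output):
    """Parse `pfctl -sl` output into {label: (evaluations, packets, bytes)}.

    Labels containing spaces are not supported here (ours never do).
    Lines that do not look like a label record are skipped.
    """
    stats = {}
    for line in pfctl_sl_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        label, counters = parts[0], parts[1:4]
        if not all(c.isdigit() for c in counters):
            continue
        evals, pkts, nbytes = (int(c) for c in counters)
        stats[label] = (evals, pkts, nbytes)
    return stats


def per_host_summary(stats):
    """Pivot label counters into {host: {protocol: (packets, bytes)}}."""
    summary = defaultdict(dict)
    for label, (_evals, pkts, nbytes) in stats.items():
        proto, sep, host = label.partition(":")
        if not sep:
            continue  # label not produced by build_ruleset
        summary[host][proto] = (pkts, nbytes)
    return dict(summary)


# Constructed `pfctl -sl` output for the ruleset above. Only the first three
# counters are used; the trailing per-direction columns vary by version.
SAMPLE_PFCTL_SL = """\
HTTP:10.10.1.1 1203 840 612340 400 21000 440 591340 3
HTTP:10.10.1.2 1203 0 0 0 0 0 0 0
HTTP:10.10.1.3 1203 55 40210 27 1900 28 38310 1
SMTP:10.10.1.1 1203 12 1890 6 640 6 1250 1
"""

if __name__ == "__main__":
    print("\n".join(build_ruleset(WATCHED_HOSTS, SERVICES)))
    print("kernel rules after expansion:", expanded_rule_count(WATCHED_HOSTS, SERVICES))
    summary = per_host_summary(parse_label_stats(SAMPLE_PFCTL_SL))
    for host, protos in sorted(summary.items()):
        for proto, (pkts, nbytes) in sorted(protos.items()):
            print(f"{host:<12} {proto:<5} {pkts:>6} pkts {nbytes:>9} bytes")
```

Run it as-is to see the generated rules and the tally; on a live box, feed it the real `pfctl -sl` output instead of `SAMPLE_PFCTL_SL`. Note that counters are per rule, not per connection, so a host with no label line simply never hit the rule.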