On Tue, Oct 28, 2003 at 12:28:22PM -0800, Derrick MacPherson wrote:
> I've asked this before, a while back, but since I am upgrading to 3.4 from
> 3.2 next week, I will ask again, see what sort of suggestions I can get..
There are only two kinds of counters kept by pf that might be of use.
a) Per rule counters. Add pass rules for each DMZ machine, making sure
all connections from/to those machines last match these rules. Then
use pfctl -vvsr to get the counters, like
@57 pass out on kue0 inet from 62.65.145.30 to any keep state
[ Evaluations: 6643 Packets: 16240 Bytes: 2988704 ]
With 'keep state', these count both incoming and outgoing packets
of outgoing connections together; you could use stateless rules
if you want to keep the directions apart. If you add different
rules for individual protocols, you get per-protocol counters.
b) Table counters. Add a rule like
pass on fxp0 from any to <dmz_machines> keep state
and add the DMZ machine addresses to table dmz_machines. Then use
pfctl -t dmz_machines -vvTs to get the per-address counters, like
192.0.100.10
Cleared: Tue Oct 28 19:00:29 2003
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
If neither of those two fits your needs, you'll need to find other tools
to do the accounting, like http://www.mindrot.org/pfflowd.html.
Daniel
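The two counter formats quoted in the mail are easy to turn into accounting data with awk. The following script is an added example, not code from Daniel's mail or from the pf project: it parses the per-rule block printed by `pfctl -vvsr` and the per-address block printed by `pfctl -t <table> -vvTs`, and prints one line per counter. The sample outputs embedded in the script are constructed to match the format shown above (the second rule and the second address are invented for illustration); on a real pf host you would pipe the live pfctl output into the two functions instead.

```shell
#!/bin/sh
# Added example (not from the original mail): parse the counter output of
# `pfctl -vvsr` (per-rule counters) and `pfctl -t <table> -vvTs`
# (per-address table counters) into flat "key packets bytes" lines that an
# accounting script can consume.

# Constructed sample of `pfctl -vvsr` output: each rule line is followed by
# its counter line. Rule @57 is the one quoted in the mail; @58 is made up.
SAMPLE_RULES='@57 pass out on kue0 inet from 62.65.145.30 to any keep state
  [ Evaluations: 6643      Packets: 16240     Bytes: 2988704     ]
@58 pass in on kue0 inet from any to 62.65.145.30 keep state
  [ Evaluations: 120       Packets: 300       Bytes: 45000       ]'

# Constructed sample of `pfctl -t dmz_machines -vvTs` output (two addresses,
# counter values invented for illustration).
SAMPLE_TABLE='   192.0.100.10
    Cleared:     Tue Oct 28 19:00:29 2003
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 10                 Bytes: 1500               ]
    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 20                 Bytes: 3000               ]
   192.0.100.11
    Cleared:     Tue Oct 28 19:00:29 2003
    In/Block:    [ Packets: 5                  Bytes: 600                ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
    Out/Block:   [ Packets: 0                  Bytes: 0                  ]
    Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# rule_counters: read `pfctl -vvsr` output on stdin and print
# "<rule number> <packets> <bytes>" for every rule that has a counter line.
rule_counters() {
    awk '
        /^@[0-9]+ / { sub(/^@/, ""); rule = $1 }
        /Packets:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Packets:") pk = $(i + 1)
                if ($i == "Bytes:")   by = $(i + 1)
            }
            print rule, pk, by
        }'
}

# table_counters: read `pfctl -t <table> -vvTs` output on stdin and print
# "<address> <In|Out>/<Block|Pass> <packets> <bytes>" per counter line.
# An address line is one that contains nothing but address characters.
table_counters() {
    awk '
        /^[ \t]*[0-9a-fA-F.:\/]+[ \t]*$/ { addr = $1 }
        /^[ \t]*(In|Out)\/(Block|Pass):/ {
            key = $1; sub(/:$/, "", key)
            for (i = 1; i <= NF; i++) {
                if ($i == "Packets:") pk = $(i + 1)
                if ($i == "Bytes:")   by = $(i + 1)
            }
            print addr, key, pk, by
        }'
}

# bytes_for_rule N: the Bytes counter of rule @N in the sample rule output.
bytes_for_rule() {
    printf '%s\n' "$SAMPLE_RULES" | rule_counters | awk -v r="$1" '$1 == r { print $3 }'
}

# passed_in_bytes ADDR: the In/Pass Bytes counter of ADDR in the sample table output.
passed_in_bytes() {
    printf '%s\n' "$SAMPLE_TABLE" | table_counters |
        awk -v a="$1" '$1 == a && $2 == "In/Pass" { print $4 }'
}

# Stand-alone run: dump both parsed views of the constructed samples.
printf '%s\n' "$SAMPLE_RULES" | rule_counters
printf '%s\n' "$SAMPLE_TABLE" | table_counters
```

To use it against a live firewall, replace the two sample variables with the real output, e.g. `pfctl -vvsr | rule_counters` and `pfctl -t dmz_machines -vvTs | table_counters`. Note that the per-rule numbers are cumulative since the rule set was last loaded, and the table counters since the `Cleared:` timestamp, so an accounting job has to take the difference between successive samples rather than the raw values.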