Tables are the key. This is how I do it here:
On the internal interface, use a pass rule from a table listing all internal
IPs to any, keep state.
table <internal> persist file "/etc/internal_ips"
....
pass in on $int_if from <internal> to ! $dmz_net keep state
....
/etc/internal_ips is just a list of addresses, one per line.
Run a cron job that parses the output from '/sbin/pfctl -t internal -vvTs' and
sticks it into an rrd.
/usr/local/bin/rrdtool update ${RRD_Dir}/${IP}.rrd ${time}:${Bytes_In}:${Bytes_Out}
Graphing is easy then, just cron rrd to graph to png, and dump somewhere
accessible.
--
Craig
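
The cron job described above, as an added example that is not part of the original post: `pf_table_bytes` parses the per-address counters and the hypothetical wrapper `update_rrds` feeds them to rrdtool. The pfctl output layout shown in the comments is an assumption, and because table counters are cumulative the RRD data sources are assumed to be COUNTER or DERIVE.

```shell
#!/bin/sh
# Added example: per-address byte counters from `pfctl -t internal -vvTs`.
# Assumed input layout per address (sample values are constructed):
#      192.168.1.10
#   <tab>Cleared:     Mon Jan  1 00:00:00 2024
#   <tab>In/Pass:     [ Packets: 12    Bytes: 3456    ]
#   <tab>Out/Pass:    [ Packets: 10    Bytes: 789     ]
# Only passed traffic is recorded; Block and XPass lines are ignored.

# stdin: pfctl output. stdout: "<name> <bytes_in> <bytes_out>" per address.
pf_table_bytes() {
    awk '
    function emit() { if (name != "") print name, b_in, b_out }
    function bytes(   i) {
        # Return the field after "Bytes:" as a string, so large 64-bit
        # counters are never reformatted by awk number conversion.
        for (i = 1; i < NF; i++) if ($i == "Bytes:") return $(i + 1)
        return "0"
    }
    NF == 1 {                       # a line holding only an address
        emit(); name = ""
        # Accept plain IPv4/IPv6 with optional /prefix; anything else
        # (a negated entry, unexpected text) is skipped, not graphed.
        if ($1 ~ "^[0-9A-Fa-f:.]+([/][0-9]+)?$") {
            name = $1; gsub("[/]", "_", name)   # keep the file name flat
            b_in = "0"; b_out = "0"
        }
        next
    }
    $1 == "In/Pass:"  { b_in  = bytes() }
    $1 == "Out/Pass:" { b_out = bytes() }
    END { emit() }
    '
}

# Cron entry point (hypothetical wrapper; RRD_Dir as in the post).
update_rrds() {
    now=$(date +%s)
    /sbin/pfctl -t internal -vvTs | pf_table_bytes |
    while read -r name bytes_in bytes_out; do
        rrd="${RRD_Dir:?}/${name}.rrd"
        [ -f "$rrd" ] || { echo "no rrd for $name" >&2; continue; }
        /usr/local/bin/rrdtool update "$rrd" "${now}:${bytes_in}:${bytes_out}"
    done
}
```

Source the file from the cron script and call `update_rrds` with `RRD_Dir` set; addresses without an existing .rrd file are reported on stderr and skipped.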