This problems are frequently asked.There is simple solution, which is
not in PF itself.Use PF to do what he do best, to block and pass what
you want.
Visit http://www.mindrot.org/projects.html
Project pfflowd,flowd,softflowd are what is looking for.Capture traffic
with pfflowd or softslowd and sent it to flowd which filter and store
data.Use scripts in flowd project and store information in mSQL
database.Once you have everything in SQL you are done.
I use this with cacti.
Please contact me if someone want all scripts.
Cheers
Tihomir
--- Sven Ingebrigt Ulland <[EMAIL PROTECTED]> wrote:
> Keywords: openbsd 3.8, pf, accounting, per-protocol, per-ip, bridging
>
> I am in a bit of a mess trying to get this setup to work. The
> topology
> is as follows:
>
>
> Host Martin -\ >
> 217.218.45.80 \ "local zone" < "internet zone"
> \ >
> \ <
> Host Sven -------[switch]---------[openbsd bridge]---- internet
> 217.218.44.209 / / \
> / sis1 sis0
> / 217.218.44.85
> Host Janne --/
> 217.218.44.208
>
>
> All IPs are public and working. I use bridging since I have only very
> few IPs available (and they are not in a continuous range, as you can
> see). The setup works very nicely and all, but when I want to do
> accounting, things aren't as easy as I expected.
>
> What I want to do is:
> - Accurately account for packets and bytes per client in and out
> between the local and internet zone, i.e. don't do accounting when
> SSH-ing from host Sven to the OpenBSD bridge for maintenance, etc.
>
> - Preferably account for each protocol (TCP, UDP, ICMP) per client.
> This is not a must, however.
>
> - Keep the firewalling capabilities intact.
>
> Now, if I understand correctly, with the mechanism of pf evaluating
> only the last matching rule, this presents some problems when it
> comes
> to accounting.
>
> This is the current ruleset:
>
> # ---- pf.conf begins ----
> ext_if="sis0"
> int_if="sis1"
>
> host_martin="217.218.45.80"
> host_sven="217.218.44.209"
> host_janne="217.218.44.208"
>
> block in on $ext_if
> pass out on $ext_if
> pass in on $int_if
> pass out on $int_if
>
> pass in on $ext_if proto tcp to $host_janne port { 22 25 80 443 }
> keep state
> pass in on $ext_if proto { tcp udp } to $host_sven port { 5500 } keep
> state
> pass in on $ext_if proto { tcp udp } to $host_martin port 80 keep
> state
> # ---- pf.conf ends ----
>
> To do accounting, I was thinking that I simply could add some labels
> to the rules and use pfctl -sl to fetch the counters. But because of
> the statefullness and the fact that only the last matching rule is
> evaluated, I fail to understand how to do it properly.
>
> For example, for client Sven, something along the lines of:
>
> pass out on $ext_if from $host_sven label "OUT-SVEN" keep state
> pass out on $ext_if proto tcp from $host_sven to any label
> "OUT-TCP-SVEN" keep state
> pass out on $ext_if proto udp from $host_sven to any label
> "OUT-UDP-SVEN" keep state
> pass out on $ext_if proto icmp from $host_sven to any label
> "OUT-ICMP-SVEN" keep state
>
> would (after pinging a host with 8 pings, which also includes a DNS
> lookup) give the following output from pfctl -sl:
>
> OUT-SVEN 22 0 0 0 0 0 0
> OUT-TCP-SVEN 3 0 0 0 0 0 0
> OUT-UDP-SVEN 3 2 166 1 109 1 57
> OUT-ICMP-SVEN 3 16 960 8 480 8 480
>
> This highlights a feature of 'last match wins', the OUT-SVEN label
> counters have not increased (only the evaluation counter, of course).
>
> What I could do is to label each rule and then calculate totals by
> summing each in/out counter, but with several firewall rules and
> per-port filtering, this would result in a terrible cludge.
>
> Do you have any idea of how this could be done differently?
>
> One idea I had was to introduce another action in the filtering
> section of pf.conf, a "dupe" or "eval" action that would evaluate the
> rule (exactly like 'pass quick') but also send the packet traversing
> the rest of the ruleset (like normal 'pass'). Together with labels,
> this would make it very easy to do accounting, e.g.
>
> eval out on $ext_if from $host_sven label "OUT-SVEN"
> eval out on $ext_if proto tcp from $host_sven to any "OUT-TCP-SVEN"
> eval out on $ext_if proto udp from $host_sven to any "OUT-UDP-SVEN"
> eval out on $ext_if proto icmp from $host_sven to any "OUT-ICMP-SVEN"
>
> As far as I understand, this is how the Linux netfilter + ipac-ng
> does
> evaluation, and I'm currently considering converting to that (though
> I
> don't want to).
>
> regards,
> sven
>
www.BetStrikes.com - futbolni prognozi Ôóòáîëíè ïðîãíîçè
