Re: OpenBSD 4.5: pfctl -s info fails to give me the right interface statistics

2009-10-03 Thread Alvaro Mantilla Gimenez
patrick keshishian wrote:
> On Fri, Oct 2, 2009 at 8:21 PM, Alvaro Mantilla Gimenez
> alv...@dydnetworks.com wrote:
>> Hi,
>>
>> I found a weird behavior of pfctl.
>>
>> I have this pf.conf (I am going to show only the lines that matter):
>>
>> -
>> external = cdce0
>>
>> internal = re0
>>
>> set loginterface $external
>>
>> set loginterface $internal
>> -
>>
>> According to this both interfaces are collecting statistics...but if I
>> run the command pfctl -s info then it shows:
>
> I don't think that is true. I believe you can only 'set loginterface'
> for only one interface or interface-group:
>
> $ man pf.conf
> /loginterface
>  set loginterface
>  Enable collection of packet and byte count statistics for the
>  given interface or interface group.
>
> $ man ifconfig
> /group
>  group group-name
>  Assign the interface to a ``group''.  Any interface can
>  be in multiple groups.
>
> might be what you are looking for.


Are the interfaces re0 and cdce0 in the same group??
There are no groups on the re0 definition...

$ ifconfig -a


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:a0:d1:5e:a0:63
description: RED_INTERNA
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 7.7.7.1 netmask 0xff80 broadcast 7.7.7.127
inet6 fe80::2a0:d1ff:fe5e:a063%re0 prefixlen 64 scopeid 0x1
wpi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:18:de:a6:e7:64
priority: 0
groups: wlan
media: IEEE802.11 autoselect
status: no network
ieee80211: nwid 
enc0: flags=0 mtu 1536
priority: 0
cdce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 2a:cb:02:bf:5d:00
description: CABLE_MODEM
priority: 0
groups: egress
inet6 fe80::28cb:2ff:febf:5d00%cdce0 prefixlen 64 scopeid 0x5
inet 190.XXX.XX.XXX netmask 0xff00 broadcast 255.255.255.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
priority: 0
groups: pflog


>> After that I commented the line #set loginterface $internal and then
>> the output was this:
>
> Reverse the order of 'set loginterface ...' in your pf.conf and try
> `pfctl -si'. Does that reverse your findings?
>
> --patrick

set loginterface $internal

set loginterface $external

# pfctl -si


Status: Enabled for 0 days 02:07:42   Debug: Urgent

Interface Stats for cdce0 IPv4 IPv6
  Bytes In228341460
  Bytes Out1370195   64
  Packets In
Passed   192760
Blocked4120
  Packets Out
Passed   145121
Blocked1610

State Table  Total Rate
  current entries   31
  searches   734869.6/s
  inserts 22230.3/s
  removals21920.3/s
Counters
  match   24360.3/s
  bad-offset 00.0/s
  fragment   00.0/s
  short  00.0/s
  normalize  00.0/s
  memory 00.0/s
  bad-timestamp  00.0/s
  congestion 00.0/s
  ip-option  00.0/s
  proto-cksum00.0/s
  state-mismatch 00.0/s
  state-insert   00.0/s
  state-limit00.0/s
  src-limit  20.0/s
  synproxy 4740.1/s

Same thing

  Alvaro



Re: OpenBSD 4.5: pfctl -s info fails to give me the right interface statistics

2009-10-03 Thread patrick keshishian
On Fri, Oct 2, 2009 at 10:43 PM, Alvaro Mantilla Gimenez
alv...@dydnetworks.com wrote:
> patrick keshishian wrote:
>> On Fri, Oct 2, 2009 at 8:21 PM, Alvaro Mantilla Gimenez
>> alv...@dydnetworks.com wrote:
>>> Hi,
>>>
>>> I found a weird behavior of pfctl.
>>>
>>> I have this pf.conf (I am going to show only the lines that matter):
>>>
>>> -
>>> external = cdce0
>>>
>>> internal = re0
>>>
>>> set loginterface $external
>>>
>>> set loginterface $internal
>>> -
>>>
>>> According to this both interfaces are collecting statistics...but if I
>>> run the command pfctl -s info then it shows:
>>
>> I don't think that is true. I believe you can only 'set loginterface'
>> for only one interface or interface-group:
>>
>> $ man pf.conf
>> /loginterface
>>  set loginterface
>>  Enable collection of packet and byte count statistics for the
>>  given interface or interface group.
>>
>> $ man ifconfig
>> /group
>>  group group-name
>>  Assign the interface to a ``group''.  Any interface can
>>  be in multiple groups.
>>
>> might be what you are looking for.
>
>
> Are the interfaces re0 and cdce0 in the same group??
> There are no groups on the re0 definition...

It does not look like it based on your provided output below:

> $ ifconfig -a
>
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
> priority: 0
> groups: lo
> inet 127.0.0.1 netmask 0xff00
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:a0:d1:5e:a0:63
> description: RED_INTERNA
> priority: 0
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 7.7.7.1 netmask 0xff80 broadcast 7.7.7.127
> inet6 fe80::2a0:d1ff:fe5e:a063%re0 prefixlen 64 scopeid 0x1
> wpi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
> lladdr 00:18:de:a6:e7:64
> priority: 0
> groups: wlan
> media: IEEE802.11 autoselect
> status: no network
> ieee80211: nwid 
> enc0: flags=0 mtu 1536
> priority: 0
> cdce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 2a:cb:02:bf:5d:00
> description: CABLE_MODEM
> priority: 0
> groups: egress
> inet6 fe80::28cb:2ff:febf:5d00%cdce0 prefixlen 64 scopeid 0x5
> inet 190.XXX.XX.XXX netmask 0xff00 broadcast 255.255.255.255
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
> priority: 0
> groups: pflog


>>> After that I commented the line #set loginterface $internal and then
>>> the output was this:
>>
>> Reverse the order of 'set loginterface ...' in your pf.conf and try
>> `pfctl -si'. Does that reverse your findings?
>>
>> --patrick
>
> set loginterface $internal
>
> set loginterface $external
>
> # pfctl -si
>
>
> Status: Enabled for 0 days 02:07:42   Debug: Urgent
>
> Interface Stats for cdce0 IPv4 IPv6
> [...]
> Same thing

Not the same thing. The reverse; which indicates that only the last
`set loginterface $if' is used; that is, you may not specify multiple
`set loginterface $if' options.

Try adding your re0 and cdce0 to a single user-defined group and use
that group in your pf.conf for `set loginterface $thegroup'. But I
suspect this may not be what you are looking for.

$ sudo ifconfig re0 group alvaro
$ sudo ifconfig cdce0 group alvaro
$ ifconfig

to verify group names, then change your /etc/pf.conf to include:

set loginterface alvaro

reload rules:

$ sudo pfctl -f /etc/pf.conf
$ sudo pfctl -si

That should give you stats for all interfaces belonging to the group
alvaro. But, once again, this may not be what you want.

--patrick



Re: OpenBSD 4.5: pfctl -s info fails to give me the right interface statistics

2009-10-03 Thread Alvaro Mantilla Gimenez
patrick keshishian wrote:

> Not the same thing. The reverse; which indicates that only the last
> `set loginterface $if' is used; that is, you may not specify multiple
> `set loginterface $if' options.
>
> Try adding your re0 and cdce0 to a single user-defined group and use
> that group in your pf.conf for `set loginterface $thegroup'. But I
> suspect this may not be what you are looking for.
>
> $ sudo ifconfig re0 group alvaro
> $ sudo ifconfig cdce0 group alvaro
> $ ifconfig
>
> to verify group names, then change your /etc/pf.conf to include:
>
> set loginterface alvaro
>
> reload rules:
>
> $ sudo pfctl -f /etc/pf.conf
> $ sudo pfctl -si
>
> That should give you stats for all interfaces belonging to the group
> alvaro. But, once again, this may not be what you want.

That will give me the total amount of statistics for the group, right?
That's not what I want. I want to have separate statistics for the external
interface and for the internal network. The firewall itself generates
traffic that is not related to the internal network.

So, according to this... it is not possible to get separate statistics
for more than one interface or one group... right?


> --patrick

Alvaro



Re: OpenBSD 4.5: pfctl -s info fails to give me the right interface statistics

2009-10-03 Thread Peter N. M. Hansteen
Alvaro Mantilla Gimenez alv...@dydnetworks.com writes:

> That will give me the total amount of statistics for the group, right?
> That's not what I want. I want to have separate statistics for the external
> interface and for the internal network. The firewall itself generates
> traffic that is not related to the internal network.

Well, in addition to the stuff henning mentioned, you could do things
like use labels in your rules to collect statistics, or for that
matter collect netflow data via pflow(4) and do all the data massaging
you could possibly want based on the data you collect.

Just my NOK 0.02.


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
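The rule-label approach Peter mentions, as an added example that is not part of the thread: a constructed pf.conf fragment that labels rules by interface, and a small sh/awk helper that rolls `pfctl -sl` output up into one byte counter per interface. The label names, the sample counter lines and the helper function names are all made up for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Per-interface traffic counters via
# rule labels, which pf keeps for every labelled rule regardless of how
# 'set loginterface' is configured. Only traffic that matches a labelled
# rule is counted, so unlabelled block rules stay invisible here.
#
# Assumed pf.conf fragment (constructed; label prefix = interface name):
#   ext = "cdce0"
#   int = "re0"
#   pass in  on $ext label "cdce0_in"
#   pass out on $ext label "cdce0_out"
#   pass in  on $int label "re0_in"
#   pass out on $int label "re0_out"
#
# 'pfctl -sl' prints one line per labelled rule:
#   label evaluations packets bytes pkts_in bytes_in pkts_out bytes_out states
# Two rules sharing a label appear as two lines, so the sums below roll
# them up into one counter per interface.

# Constructed sample of 'pfctl -sl' output (not real data).
SAMPLE='cdce0_in 1200 900 640000 900 640000 0 0 50
cdce0_out 1100 700 210000 0 0 700 210000 40
re0_in 300 250 98000 250 98000 0 0 12
re0_out 280 240 76000 0 0 240 76000 11
cdce0_in 40 30 2000 30 2000 0 0 2'

# bytes_for_iface IFACE  -- reads 'pfctl -sl' lines on stdin and sums the
# total-bytes column (field 4) over labels that start with "IFACE_".
# Prints 0 when no label matches, e.g. for an interface with no rules.
bytes_for_iface() {
    awk -v p="${1}_" 'index($1, p) == 1 { total += $4 } END { print total + 0 }'
}

# Demo against the constructed sample; against a live firewall use:
#   pfctl -sl | bytes_for_iface cdce0
demo_bytes() {
    printf '%s\n' "$SAMPLE" | bytes_for_iface "$1"
}

demo_bytes cdce0
demo_bytes re0
```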



Re: OpenBSD 4.5: pfctl -s info fails to give me the right interface statistics

2009-10-03 Thread Alvaro Mantilla Gimenez
Peter N. M. Hansteen wrote:
> Alvaro Mantilla Gimenez alv...@dydnetworks.com writes:
>
>> That will give me the total amount of statistics for the group, right?
>> That's not what I want. I want to have separate statistics for the external
>> interface and for the internal network. The firewall itself generates
>> traffic that is not related to the internal network.
>
> Well, in addition to the stuff henning mentioned, you could do things
> like use labels in your rules to collect statistics, or for that
> matter collect netflow data via pflow(4) and do all the data massaging
> you could possibly want based on the data you collect.
>
> Just my NOK 0.02.



Uh... yeap. I remembered reading about netflow in your book (very
good by the way).

I am already using labels on my rules. The point was to use pfstat to
create the graphics (which is the way I usually do it) for each
interface separately.

Using netflow and the appropriate tools would take me in another direction to
get the graphics.

Thanks so much for your responses.

  Alvaro



Re: OpenBSD 4.5: pfctl -s info fails to give me the right interface statistics

2009-10-02 Thread patrick keshishian
On Fri, Oct 2, 2009 at 8:21 PM, Alvaro Mantilla Gimenez
alv...@dydnetworks.com wrote:
> Hi,
>
> I found a weird behavior of pfctl.
>
> I have this pf.conf (I am going to show only the lines that matter):
>
> -
> external = cdce0
>
> internal = re0
>
> set loginterface $external
>
> set loginterface $internal
> -
>
> According to this both interfaces are collecting statistics...but if I
> run the command pfctl -s info then it shows:

I don't think that is true. I believe you can only 'set loginterface'
for only one interface or interface-group:

$ man pf.conf
/loginterface
 set loginterface
 Enable collection of packet and byte count statistics for the
 given interface or interface group.

$ man ifconfig
/group
 group group-name
 Assign the interface to a ``group''.  Any interface can
 be in multiple groups.

might be what you are looking for.

> After that I commented the line #set loginterface $internal and then
> the output was this:

Reverse the order of 'set loginterface ...' in your pf.conf and try
`pfctl -si'. Does that reverse your findings?

--patrick