pflow and NAT

2014-01-23 Thread Tor Houghton
Hello,

I've been using pflow in a non-NAT environment (btw, thanks for both the pf
support and the other OS softflowd), but now I'd like to use it in a NAT
configuration. 

Is there a particular way pflow needs to be configured to see which of the
NAT'ed hosts are talking to which external address? (The way I've configured
it[*] it appears that I only see external flows post-NAT.)

I see a similar question has been asked before, by Chris Cappuccio on tech@,
but I didn't see any answers, so I'm braving a question here.

Tor

[*] Which has a good chance of being wrong. On 5.2 on an old G4:

ext_if=vlan100
int_if=vlan200
dmz_if=vlan300
svc_if=vlan600
..
block rules here
..
pass out on $ext_if from any to any nat-to ($ext_if) keep state (pflow)
pass out on $svc_if keep state (pflow)  
pass out on $dmz_if keep state (pflow) 
pass out on $int_if keep state (pflow)

# do i need to add (pflow) to these too, perhaps?
pass in on $int_if keep state
pass in on $dmz_if keep state
pass in on $svc_if keep state



Re: pflow and NAT

2014-01-23 Thread Andy
You need to place the pflow directive on rules on the inside interface,
not on the outside interface, to see RFC1918 addresses.

Rules on the outside interface are processed 'post' NAT.

NB: 'keep state' is the default, so you don't need to define this
unless you are explicitly setting something different to the defaults
(like pflow).

Alternatively, think about adding 'set state-defaults pflow'.

Andy.


On Thu 23 Jan 2014 08:42:04 GMT, Tor Houghton wrote:

> Hello,
>
> I've been using pflow in a non-NAT environment (btw, thanks for both the pf
> support and the other OS softflowd), but now I'd like to use it in a NAT
> configuration.
>
> Is there a particular way pflow needs to be configured to see which of the
> NAT'ed hosts are talking to which external address? (The way I've configured
> it[*] it appears that I only see external flows post-NAT.)
>
> I see a similar question has been asked before, by Chris Cappuccio on tech@,
> but I didn't see any answers, so I'm braving a question here.
>
> Tor
>
> [*] Which has a good chance of being wrong. On 5.2 on an old G4:
>
> ext_if=vlan100
> int_if=vlan200
> dmz_if=vlan300
> svc_if=vlan600
> ..
> block rules here
> ..
> pass out on $ext_if from any to any nat-to ($ext_if) keep state (pflow)
> pass out on $svc_if keep state (pflow)
> pass out on $dmz_if keep state (pflow)
> pass out on $int_if keep state (pflow)
>
> # do i need to add (pflow) to these too, perhaps?
> pass in on $int_if keep state
> pass in on $dmz_if keep state
> pass in on $svc_if keep state


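The ruleset below is an added illustration of Andy's answer, not a configuration posted by anyone in the thread. It reuses Tor's interface macros, assumes a plain `block all` in place of his elided block rules, and shows both of the approaches Andy names: moving `(pflow)` onto the state-creating rules on the inside interfaces, or setting `set state-defaults pflow` once so every state is exported without per-rule options.

```pf
# Added example (not from the thread). Interface names are Tor's; the block
# rule and the per-rule bodies are assumed for illustration.
ext_if=vlan100
int_if=vlan200
dmz_if=vlan300
svc_if=vlan600

# Alternative 1 (Andy's suggestion): export every state to pflow by default.
# If this line is enabled, none of the per-rule "(pflow)" options below are
# needed and the rules could be plain "pass in on $int_if" etc.
# set state-defaults pflow

block all

# Alternative 2: attach (pflow) to the rules that create state on the inside
# interfaces. State is created here before the nat-to on $ext_if applies, so
# the exported records still carry the RFC1918 client address. "keep state"
# is the default, but it has to be written out to carry the (pflow) option.
pass in on $int_if keep state (pflow)
pass in on $dmz_if keep state (pflow)
pass in on $svc_if keep state (pflow)

# Rules on the outside interface are evaluated post-NAT, so a record from the
# nat-to rule only shows the translated ($ext_if) address. Exporting it as
# well is harmless but adds nothing about which inside host was talking.
pass out on $ext_if nat-to ($ext_if)

# Rules on the other interfaces; "keep state" is implied and left out.
pass out on $svc_if
pass out on $dmz_if
pass out on $int_if
```

Pick one alternative rather than both, otherwise the same connection is exported twice (once per state). On a collector, a quick sanity check is that records for outbound traffic from the LAN now show the internal source address rather than the address of `$ext_if`.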


Re: pflow and NAT

2014-01-23 Thread Florian Obser
You want revision 1.30 of if_pflow.c
export the original aka untranslated address in pflow
ok florian@ henning@
~ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c#rev1.30

(and by that I don't mean you should backport it to 5.2, upgrading to
5.4 will be much easier - a lot has changed ;) )

-- 
I'm not entirely sure you are real.



Re: pflow and NAT

2014-01-23 Thread Andy

Awesome, didn't know this had been done :)

On Thu 23 Jan 2014 09:29:38 GMT, Florian Obser wrote:

> You want revision 1.30 of if_pflow.c
> export the original aka untranslated address in pflow
> ok florian@ henning@
> ~ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c#rev1.30
>
> (and by that I don't mean you should backport it to 5.2, upgrading to
> 5.4 will be much easier - a lot has changed ;) )




Re: pflow and NAT

2014-01-23 Thread Tor Houghton
On Thu, Jan 23, 2014 at 09:29:38AM +, Florian Obser wrote:
> You want revision 1.30 of if_pflow.c
> export the original aka untranslated address in pflow
> ok florian@ henning@
> ~ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c#rev1.30
>
> (and by that I don't mean you should backport it to 5.2, upgrading to
> 5.4 will be much easier - a lot has changed ;) )
>

Andy, Florian,

Thank you kindly - will do this.

Tor