Re: OpenBSD's pf and traffic
Eugene M. Minkovskii [EMAIL PROTECTED] writes:

> Is pf@benzedrine.cx a mailing list or a private e-mail address? Do I
> need to register anywhere before mailing it?

pf@benzedrine.cx is a mailing list, which I think allows posting by
non-subscribers, but obviously you may want to sign up to make sure you
get any replies sent to the list only. Anyway, the mailing list's home
page is at http://www.benzedrine.cx/mailinglist.html

(Sorry for the delay - bgnett's mail servers apparently were a bit
overwhelmed by some worm or other, leaving useful traffic queued rather
longer than I appreciate.)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: OpenBSD's pf and traffic
Sorry, it's me again. So, I was trying to modify my OpenBSD pf firewall
to collect information about traffic for me. Now I have the following
rules:

    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp, icmp } all keep state

So, where could I put a label to mark inbound traffic? This traffic goes
into my machine because I use the state table.

-- 
Sensory yours,
Eugene Minkovskii
Re: OpenBSD's pf and traffic
Eugene M. Minkovskii [EMAIL PROTECTED] writes:

>     pass out on $ext_if proto tcp all modulate state flags S/SA
>     pass out on $ext_if proto { udp, icmp } all keep state
>
> So, where could I put a label to mark inbound traffic? This traffic goes
> into my machine because I use the state table.

I'd say something along the lines of

    allowed_out = "{ ssh, domain, http, https, etc... }"
    pass out on $ext_if proto tcp to any port $allowed_out \
        label allowed-out keep state

you could differentiate among source addresses, for example by specifying

    client1 = "{ 192.168.n.1, 192.168.n.2 }"
    client2 = "{ 192.168.n.3, 192.168.n.4 }"
    client2_inports = "{ whatever they need }"

    pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
        label client1 keep state
    pass out on $ext_if proto tcp from $client2 to any port $allowed_out \
        label client2-out keep state
    pass in on $ext_if proto tcp from any to $client2 port $client2_inports \
        label client2-in keep state

and so on. Hope this helps.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: OpenBSD's pf and traffic
On Tue, Mar 22, 2005 at 01:18:27PM +0100, Peter N. M. Hansteen wrote:
> Eugene M. Minkovskii [EMAIL PROTECTED] writes:
>
> I'd say something along the lines of
>
>     allowed_out = "{ ssh, domain, http, https, etc... }"
>     pass out on $ext_if proto tcp to any port $allowed_out \
>         label allowed-out keep state
>
> you could differentiate among source addresses, for example by specifying
>
>     client1 = "{ 192.168.n.1, 192.168.n.2 }"
>     client2 = "{ 192.168.n.3, 192.168.n.4 }"
>     client2_inports = "{ whatever they need }"
>
>     pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
>         label client1 keep state
>     pass out on $ext_if proto tcp from $client2 to any port $allowed_out \
>         label client2-out keep state
>     pass in on $ext_if proto tcp from any to $client2 port $client2_inports \
>         label client2-in keep state
>
> and so on. Hope this helps.

Just a moment, does it mean that your last rule allows any incoming
connections from the world to the clients if they match client2_inports,
ANY, not only connections opened by the clients?

Moreover, I read in the documentation that the state table is checked
BEFORE the rules, and connections opened by the clients in the first
rule:

    pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
        label client2 keep state

will not be marked by the label client2-in because they don't pass
through this rule. Am I right?

-- 
Sensory yours,
Eugene Minkovskii
Re: OpenBSD's pf and traffic
Eugene M. Minkovskii [EMAIL PROTECTED] writes:

> Just a moment, does it mean that your last rule allows any incoming
> connections from the world to the clients if they match
> client2_inports, ANY, not only connections opened by the clients?

That rule would let new connections from anywhere pass on the allowed
ports to the clients. This might be useful mainly if your firewall is
between the world and one or more servers, though.

> Moreover, I read in the documentation that the state table is checked
> BEFORE the rules, and connections opened by the clients in the first
> rule:
>
>     pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
>         label client2 keep state
>
> will not be marked by the label client2-in because they don't pass
> through this rule. Am I right?

In a word, yes. The 'keep state' in these examples would AFAIK mean that
the counters would keep track of all traffic for a connection, so
traffic initiated from the inside would match the pass out rule's
counters, while connections opened from the outside would count on the
pass in rules.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: OpenBSD's pf and traffic
> In a word, yes. The 'keep state' in these examples would AFAIK mean
> that the counters would keep track of all traffic for a connection, so
> traffic initiated from the inside would match the pass out rule's
> counters, while connections opened from the outside would count on the
> pass in rules.

Unfortunately, this means that OpenBSD's pf cannot measure traffic,
because we cannot separate incoming and outgoing traffic in a
bidirectional rule. Or we must not use the keep state feature.

-- 
Sensory yours,
Eugene Minkovskii
Re: OpenBSD's pf and traffic
Eugene M. Minkovskii [EMAIL PROTECTED] writes:

> Unfortunately, this means that OpenBSD's pf cannot measure traffic,
> because we cannot separate incoming and outgoing traffic in a
> bidirectional rule. Or we must not use the keep state feature.

I think I understand what you mean - you do not want per connection
statistics, you want packets passed by direction, regardless of which
side initiated the traffic, subdivided by pass rule.

At the moment I'm not sure how to put that into pf.conf rules, but you
may want to go where the real pf experts hang out - pf@benzedrine.cx -
and see if there's an angle we haven't thought of.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: OpenBSD's pf and traffic
On Tue, Mar 22, 2005 at 02:28:09PM +0100, Peter N. M. Hansteen wrote:
> Eugene M. Minkovskii [EMAIL PROTECTED] writes:
>
> > Unfortunately, this means that OpenBSD's pf cannot measure traffic,
> > because we cannot separate incoming and outgoing traffic in a
> > bidirectional rule. Or we must not use the keep state feature.
>
> I think I understand what you mean - you do not want per connection
> statistics, you want packets passed by direction, regardless of which
> side initiated the traffic, subdivided by pass rule.
>
> At the moment I'm not sure how to put that into pf.conf rules, but you
> may want to go where the real pf experts hang out - pf@benzedrine.cx -
> and see if there's an angle we haven't thought of.

Yes, now you understand me right. Sorry for my bad English :).

Is pf@benzedrine.cx a mailing list or a private e-mail address? Do I
need to register anywhere before mailing it?

-- 
Sensory yours,
Eugene Minkovskii
Re: OpenBSD's pf and traffic
Sure, you can check out IP accounting (ipa); it's a great tool for web
hosters and such, and they have a pf module:
http://ipa-system.sourceforge.net/

Jorge Mario Mazo
Re: OpenBSD's pf and traffic
On Mon, Mar 21, 2005 at 08:54:35AM +0100, Peter N. M. Hansteen wrote:
> Eugene M. Minkovskii [EMAIL PROTECTED] writes:
>
> >     block in log on $ext_ip inet from any to $ext_ip label $ext_ip
> >     pass in on $ext_ip inet from any to $ext_ip port 22 keep sate
> >
> > As you can see, ssh packets match both rules and pass in because the
> > last rule wins. Does it mean that I can't see ssh's packets using the
> > command
> >
> >     # pfctl -sl
>
> here you label the blocked packets but not the ones you pass, which
> means your ssh packets would count toward the packets passed counter
> only.
>
> > And if I use
> >
> >     block in log on $ext_ip inet from any to $ext_ip label $ext_ip
> >     pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip
> >
> > ... do I see the label twice?
>
> No. But both rules would increment the $ext_ip counter, which means
> that your $ext_ip counter would be essentially packet totals. Last
> matching rule wins (with state instead of sate it would work), so each
> packet increments the relevant counters only once.

I was trying some experiments... It seems to me you are right in all
except one: the second line doesn't increase the $ext_ip counter, but...
adds another counter with the same name:

    # pfctl -sr | grep label
    block in log on $ext_if inet from any to $ext_if label $ext_if
    block in log quick on $ext_if inet from crackers to $ext_if label $ext_if
    pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if
    pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if
    pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if
    pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if
    # pfctl -vsl
    rl0 48703 10 936
    rl0 26095 0 0
    rl0 25845 776 81479
    rl0 29 25 2952
    rl0 29 0 0
    rl0 29 0 0

But, of course, this output is scriptable. (I can sum these numbers in
python or bc.)

> > Perhaps you know where I can find a workable example of this?
>
> Randal Schwartz has a nice article called Monitoring Net Traffic with
> OpenBSD's Packet Filter at
> http://www.samag.com/documents/s=9053/sam0403j/0403j.htm

Thanks

-- 
Sensory yours,
Eugene Minkovskii
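Since the pfctl -vsl output above repeats the same label once per rule, the summing Eugene mentions is the useful bit to script. The following is an added example written for this page, not code from any post in the thread. It assumes that the trailing integer fields of each pfctl -sl line are the counters and everything before them is the label, and that a label does not itself end in a bare number. The thread's pf prints three counters per line (evaluations, packets, bytes); later pf releases print seven or eight (adding packets in, bytes in, packets out, bytes out, and a state count), which is exactly the per-direction split the thread is looking for, so the parser accepts both. The second sample below is constructed in that longer format.

```python
"""Sum the per-label counters printed by pfctl -s labels.

Added example for this thread, not code from any of the posts. pfctl prints
one line per labelled rule, so a label used on several rules (as in the
pfctl -vsl output quoted above) shows up several times and has to be summed.
Assumptions: the trailing integer fields of a line are the counters and
everything before them is the label (so a label must not end in a bare
number); the thread's pf prints three counters, newer pf seven or eight.
"""
import subprocess
from collections import defaultdict

COLUMN_NAMES = {
    3: ("evaluations", "packets", "bytes"),
    7: ("evaluations", "packets", "bytes",
        "packets_in", "bytes_in", "packets_out", "bytes_out"),
    8: ("evaluations", "packets", "bytes",
        "packets_in", "bytes_in", "packets_out", "bytes_out", "states"),
}


def parse_label_line(line):
    """Split one pfctl -sl line into (label, {counter_name: value})."""
    fields = line.split()
    counters = []
    # Counters are the trailing integer fields; peel them off from the right.
    while fields and fields[-1].isdigit():
        counters.append(int(fields.pop()))
    counters.reverse()
    # A purely numeric label (e.g. "22") would have been swallowed above.
    if not fields and len(counters) - 1 in COLUMN_NAMES:
        fields = [str(counters.pop(0))]
    if not fields or len(counters) not in COLUMN_NAMES:
        raise ValueError(f"unrecognised pfctl -sl line: {line!r}")
    return " ".join(fields), dict(zip(COLUMN_NAMES[len(counters)], counters))


def sum_labels(lines):
    """Aggregate counters per label across all rules carrying that label."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        label, counters = parse_label_line(line)
        for name, value in counters.items():
            totals[label][name] += value
    return {label: dict(c) for label, c in totals.items()}


def bytes_by_direction(totals):
    """(bytes_in, bytes_out) per label, or None where pf only gives totals.

    Stateful rules credit both directions of a connection to the rule that
    created the state, which is the thread's complaint; the split counters
    of newer pf answer it without any extra rules.
    """
    return {
        label: (c["bytes_in"], c["bytes_out"]) if "bytes_in" in c else None
        for label, c in totals.items()
    }


def read_pfctl_labels():
    """Run pfctl itself (needs root and a loaded ruleset); not used below."""
    out = subprocess.run(["pfctl", "-s", "labels"], check=True,
                         capture_output=True, text=True).stdout
    return sum_labels(out.splitlines())


# Sample 1: the six lines from the pfctl -vsl run quoted in the thread.
PAGE_SAMPLE = """\
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0
"""

# Sample 2: constructed lines in the longer per-direction format.
MODERN_SAMPLE = """\
client1-out 1200 340 51200 120 9000 220 42200 3
client2-in 800 90 12000 40 8000 50 4000 1
client1-out 300 60 4800 20 1000 40 3800 0
"""

if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE), ("modern", MODERN_SAMPLE)):
        totals = sum_labels(sample.splitlines())
        for label, counters in totals.items():
            print(name, label, counters, bytes_by_direction(totals)[label])
```

On the page's own sample this yields a single rl0 entry of 100730 evaluations, 811 packets and 85367 bytes; on a box with the newer output, read_pfctl_labels() gives the in/out split directly.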
OpenBSD's pf and traffic
Hello! Does anybody know how I can use OpenBSD's pf (packet filter) to
determine the total traffic volume on a network interface? If it's
impossible, what facility would you recommend for this?

-- 
Sensory yours,
Eugene Minkovskii
Re: OpenBSD's pf and traffic
Eugene M. Minkovskii wrote:
> Hello! Does anybody know how I can use OpenBSD's pf (packet filter) to
> determine the total traffic volume on a network interface? If it's
> impossible, what facility would you recommend for this?

I don't really know if it is impossible to use PF for monitoring the
total traffic. But you can (just as I do) use MRTG (Multi Router Traffic
Grapher) to keep track of the amount of data you are using. It renders
HTML documents. By default MRTG only keeps track of the current
bandwidth usage; with a script known as 'mrtg-totals' you can also get
graphs of the total amount of traffic. See www.mrtg.org and
http://freebsd.munk.nu/archives/157-MRTG-Totals-Perl-Script.html

Good Luck

Frank Staals
Re: OpenBSD's pf and traffic
Eugene M. Minkovskii wrote on Sun, 20 Mar 2005 at 12:31 +0300:
> Hello! Does anybody know how I can use OpenBSD's pf (packet filter) to
> determine the total traffic volume on a network interface? If it's
> impossible, what facility would you recommend for this?

I don't know much about pf, but I use ipfw and /usr/ports/sysutils/ipa
for the purpose. Works very well for me. IPFW itself has counters, but
ipa makes the stats persist across reboots and changes to the ruleset.
Be careful not to reconfigure ipfw from under a running ipa - it will
think the counters overflowed and add huge numbers to the last known
value. Additionally, ipa can do much more than just simple counters.

I configure it like this:

ipfw:

    add 100 allow all from any to any in via xl0
    add 110 allow all from any to any out via xl0

ipa (/usr/local/etc/ipa.conf):

    rule xl0-in {
        ipfw = 100
        info = Incoming traffic for xl0
    }
    rule xl0-out {
        ipfw = 110
        info = Outgoing traffic for xl0
    }

HTH

Michal Mertl
Re: OpenBSD's pf and traffic
Eugene M. Minkovskii [EMAIL PROTECTED] writes:

> Does anybody know how I can use OpenBSD's pf (packet filter) to
> determine the total traffic volume on a network interface? If it's
> impossible, what facility would you recommend for this?

Various pfctl -s options (eg pfctl -s info) give you counters of bytes
and packets passed or blocked. If you use labels in your pass rules,
you'll get per label counters as well.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Re: OpenBSD's pf and traffic
On Sun, Mar 20, 2005 at 05:51:58PM +0100, Peter N. M. Hansteen wrote:
> Eugene M. Minkovskii [EMAIL PROTECTED] writes:
>
> > Does anybody know how I can use OpenBSD's pf (packet filter) to
> > determine the total traffic volume on a network interface? If it's
> > impossible, what facility would you recommend for this?
>
> Various pfctl -s options (eg pfctl -s info) give you counters of bytes
> and packets passed or blocked. If you use labels in your pass rules,
> you'll get per label counters as well.

Thank you, Peter. So, now I can define rules like

    block in log on $ext_ip inet from any to $ext_ip label $ext_ip
    pass in on $ext_ip inet from any to $ext_ip port 22 keep sate

As you can see, ssh packets match both rules and pass in because the
last rule wins. Does it mean that I can't see ssh's packets using the
command

    # pfctl -sl

And if I use

    block in log on $ext_ip inet from any to $ext_ip label $ext_ip
    pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip

... do I see the label twice?

Perhaps you know where I can find a workable example of this?

-- 
Sensory yours,
Eugene Minkovskii
Re: OpenBSD's pf and traffic
Eugene M. Minkovskii [EMAIL PROTECTED] writes:

>     block in log on $ext_ip inet from any to $ext_ip label $ext_ip
>     pass in on $ext_ip inet from any to $ext_ip port 22 keep sate
>
> As you can see, ssh packets match both rules and pass in because the
> last rule wins. Does it mean that I can't see ssh's packets using the
> command
>
>     # pfctl -sl

here you label the blocked packets but not the ones you pass, which
means your ssh packets would count toward the packets passed counter
only.

> And if I use
>
>     block in log on $ext_ip inet from any to $ext_ip label $ext_ip
>     pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip
>
> ... do I see the label twice?

No. But both rules would increment the $ext_ip counter, which means that
your $ext_ip counter would be essentially packet totals. Last matching
rule wins (with state instead of sate it would work), so each packet
increments the relevant counters only once.

> Perhaps you know where I can find a workable example of this?

Randal Schwartz has a nice article called Monitoring Net Traffic with
OpenBSD's Packet Filter at
http://www.samag.com/documents/s=9053/sam0403j/0403j.htm

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
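The "each packet increments the relevant counters only once" point is easiest to see when every rule carries its own label instead of all sharing $ext_ip. The fragment below is an added pf.conf example written for this page, not taken from any post in the thread. It assumes rl0 as the outside interface, a hypothetical <lan> table of inside hosts, illustrative port lists, and the $if, $proto and $nr label macros that pf.conf(5) expands when the ruleset is loaded.

```pf
# Added example, not from the thread. Assumptions: rl0 is the outside
# interface, <lan> is a hypothetical inside network, ports are illustrative.
ext_if = "rl0"
table <lan> { 192.168.0.0/24 }
allowed_out = "{ ssh, domain, http, https }"

# pf expands $if, $proto and $nr (the rule number) inside a label when the
# ruleset is loaded, so every rule gets a distinct name in pfctl -sl even
# if the same label text is written on several rules.
block in log on $ext_if label "blocked:$if:$nr"

# A stateful rule credits both directions of a connection to the rule that
# created the state: the replies coming back in on rl0 count here, not on
# any "pass in" rule.
pass out on $ext_if proto tcp from <lan> to any port $allowed_out \
    keep state label "client-out:$proto:$nr"

# Connections opened from the outside count on this rule instead.
pass in on $ext_if proto tcp from any to $ext_if port { ssh, smtp } \
    keep state label "server-in:$proto:$nr"
```

Load it with pfctl -f and read the counters with pfctl -sl: the three rules appear under three names, and a packet blocked by the first rule never touches the counters of the pass rules, because only the last matching rule (or the state it created) is credited.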