[RndTbl] Interface Monitoring
Shawn Wallbridge
shawn at synack-hosting.com
Wed Oct 13 01:29:00 CDT 2004
Just a follow-up to the question I had during the meeting regarding
monitoring traffic. Dropping the interface into promiscuous mode didn't
help (btw, you need an IP assigned to an interface before OpenBSD will
allow you to use tcpdump on it).
Here is a recap of the problem....
I am setting up a machine to log usage of my colo clients. I already
have one that just uses ipfm and it works great, but I want to do
something a little more advanced. I saw an article by Randal L.
Schwartz [0] that showed how he used labels in pf to track usage. It
looks really nice and would allow me to do a bunch of things that my
clients would love (like have nice graphs of usage based on port etc.).
I set up the machine with OpenBSD 3.5 and it is sort of working, but
not exactly as it should.
The machine has two interfaces (int = tx0, ext = tx1), the external
interface doesn't have an IP bound to it and is plugged into a hub
between my switch and my provider (the same place as my ipfm machine
which is working fine). The internal interface is plugged into an
internal network.
The pf.conf file has the following (for now, it will get much larger
later):
-bash-2.05b# more /etc/pf.conf
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 80 label "synack-www" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 25 label "synack-smtp" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 143 label "synack-imap" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 53 label "synack-dns" keep state
pass in quick on tx1 proto udp from any to 64.42.224.131 port = 53 label "synack-dns-udp" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 22 label "synack-ssh" keep state
Using pfctl -vsl I get the following:
bash-2.05b# pfctl -vsl
synack-www 369 0 0
synack-smtp 0 0 0
synack-imap 0 0 0
synack-dns 0 0 0
synack-dns-udp 0 0 0
synack-ssh 0 0 0
man pfctl [1] says that the first entry is the number of times the rule
has been evaluated, the second is the number of packets, and the third
is the bytes.
I think pf isn't recording the traffic because the traffic isn't
actually going through the interface.
Any ideas?
thanks
shawn
[0] - http://www.stonehenge.com/merlyn/UnixReview/col51.html
[1] - "Show per-rule statistics (label, evaluations, packets, bytes) of
filter rules with labels, useful for accounting."
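An added example, not part of the original post: a small POSIX shell/awk script that reads the three `pfctl -vsl` columns described above (evaluations, packets, bytes per label) and turns them into the two things an accounting box needs: per-label byte counts for graphing, and a health check that lists labels whose rule was evaluated but never passed a packet, which is exactly the symptom in the output above. The sample input is constructed here to mirror the post's format; the function names are my own.

```shell
#!/bin/sh
# Parse `pfctl -vsl` output: one line per label, columns are
#   label evaluations packets bytes
# Constructed sample input (same shape as the post's output, values made up
# for the last line so the byte accounting has something to show).
SAMPLE_PFCTL_VSL='synack-www 369 0 0
synack-smtp 0 0 0
synack-imap 0 0 0
synack-dns-udp 12 12 1840'

# report_idle_labels OUTPUT
# Print labels that pf evaluated at least once but that never matched a
# packet. A label in this state means the rule is being consulted, yet no
# traffic is reaching it; on the box above that pointed at the interface
# not carrying the traffic, not at the rule syntax.
report_idle_labels() {
    printf '%s\n' "$1" | awk 'NF >= 4 && $2 > 0 && $3 == 0 { print $1 }'
}

# label_bytes OUTPUT LABEL
# Bytes accounted to one label (fourth column), 0 if the label is absent.
# Suitable as the value fed to a graphing tool for that label.
label_bytes() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want { found = 1; print $4 }
        END { if (!found) print 0 }'
}

# total_bytes OUTPUT
# Sum of the byte column across all labels.
total_bytes() {
    printf '%s\n' "$1" | awk 'NF >= 4 { sum += $4 } END { print sum + 0 }'
}

# On a live OpenBSD box you would replace the sample with:
#   OUT=$(pfctl -vsl)
# and run the same functions against $OUT.
if [ "${PFCTL_DEMO:-1}" = 1 ]; then
    echo "Labels evaluated but never matched:"
    report_idle_labels "$SAMPLE_PFCTL_VSL"
    echo "Bytes for synack-dns-udp: $(label_bytes "$SAMPLE_PFCTL_VSL" synack-dns-udp)"
    echo "Total bytes: $(total_bytes "$SAMPLE_PFCTL_VSL")"
fi
```

The idle-label check is the quickest way to tell the two failure modes apart: a label with zero evaluations means pf never reached that rule (ordering or a `quick` rule earlier in the set), while evaluations with zero packets means pf is running but the traffic the rule describes is not arriving on the interface at all.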