
Re: can you help me measure traffic using OpenBSD's pf?



On Thu, Mar 24, 2005 at 01:40:53AM -0800, Ian wrote:
" Hmm, yeah this gets difficult.  If you have extra computers, you
" could set up an IPless box running pf with just two rules, pass all
" out, pass all in, and then label each and measure based on that.  But
" that's just another box to manage and such, and I'm sure there's
" better ways to measure the traffic from the pf box itself, if not
" directly from pf.  What about the output from pfctl -s info? i.e.:
" 
" Interface Stats for fxp1              IPv4             IPv6
"   Bytes In                      8361381434                0
"   Bytes Out                      591564563              352
" 
" 
" could you use that information?
" 
Yes, it can help me and I do this in one of the networks where I'm
system administrator. But I have another network where the gateway has 3
network interfaces (I wrote this some time ago to David in this
thread). I can't set loginterface to more than one interface. So now I
have the following plan:
# macros
ext_if="rl0"
int_if1="rl1" ## <= for first department of our company
int_if2="rl2" ## <= for second department of our company
# options
set loginterface $ext_if
# rules
block on $ext_if all
pass out on $ext_if from any to any keep state
# <...other rules with keep state feature on $ext_if...>
# this is the end of firewall rules
pass in  on $int_if1 all label DEPARTMENT_1_IN
pass out on $int_if1 all label DEPARTMENT_1_OUT
pass in  on $int_if2 all label DEPARTMENT_2_IN
pass out on $int_if2 all label DEPARTMENT_2_OUT
At first glance the last four rules can label inbound and
outbound traffic on the internal interfaces. This means I can
gather total traffic information using the pfctl -si command, and
internal traffic information using labels.
BUT!
When an internal machine in the first department makes a connection to
the internet, this connection is put into the state table and doesn't
pass through the labeled rules.
I'm afraid that this trouble can't be solved using pf. So I have
ten days to think about it, and after that I will be forced to
install ipcad or another similar program.
-- 
Sensory  yours, Eugene  Minkovskii
Сенсорно ваш,   Евгений Миньковский