
Re: can you help me measure traffic using OpenBSD's pf?

Maybe I'm missing something about your requirements, but why not just use MRTG?
It will measure input/output on as many interfaces as you want. 
Since all it *really* does is graph data, it can also be used to
measure virtually anything.
It is relatively easy to create scripts that gather data about the
state of pf (via calls to pfctl -si etc) and feed it into MRTG. No
need to use loginterface or pfstat.
There is a ton of documentation out there for MRTG, but start here:
On Thu, 24 Mar 2005 14:58:51 +0300, Eugene M. Minkovskii <[email protected]> wrote:
> On Thu, Mar 24, 2005 at 01:40:53AM -0800, Ian wrote:
> " Hmm, yeah this gets difficult.  If you have extra computers, you
> " could set up an IPless box running pf with just two rules, pass all
> " out, pass all in, and then label each and measure based on that.  But
> " that's just another box to manage and such, and I'm sure there's
> " better ways to measure the traffic from the pf box itself, if not
> " directly from pf.  What about the output from pfctl -s info? i.e.:
> "
> " Interface Stats for fxp1              IPv4             IPv6
> "   Bytes In                      8361381434                0
> "   Bytes Out                      591564563              352
> "
> "
> " could you use that information?
> "
> Yes, it can help me and I do this in one of the networks where I'm
> the system administrator. But I have another network where the gateway
> has 3 network interfaces (I wrote this some time ago to David in this
> thread). I can't set loginterface to more than one. So now I have the
> following plan:
> # macros
> ext_if="rl0"
> int_if1="rl1"   # first department of our company
> int_if2="rl2"   # second department of our company
> # options
> set loginterface $ext_if
> # rules
> block on $ext_if all
> pass out on $ext_if from any to any keep state
> <...other rules with keep state feature on $ext_if...>
> # this is the end of the firewall rules
> # per-department accounting rules on the internal interfaces
> pass in  on $int_if1 all label DEPARTMENT_1_IN
> pass out on $int_if1 all label DEPARTMENT_1_OUT
> pass in  on $int_if2 all label DEPARTMENT_2_IN
> pass out on $int_if2 all label DEPARTMENT_2_OUT
> At first glance, the last four rules can label inbound and
> outbound traffic on the internal interfaces. This means I can
> gather total traffic information using the pfctl -si command, and
> internal traffic information using labels.
> BUT!
> When an internal machine in the first department makes a connection to
> the internet, this connection is put into the state table and doesn't
> pass through the labeled rules.
> I'm afraid that this trouble can't be solved using pf. So I have
> ten days to think about it, and after that I will be forced to
> install ipcad or another similar program.
> --
> Sensory  yours, Eugene  Minkovskii
> Сенсорно ваш,   Евгений Миньковский
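The reply at the top suggests scripting around `pfctl -si` and feeding the counters to MRTG. The script below is an added example of such a wrapper in POSIX sh; it is not from the thread or from MRTG itself. The script path `/usr/local/bin/pf-mrtg.sh`, the MRTG target name and the use of `rl0` are assumptions, and the embedded sample block is constructed from the pfctl output quoted above so the script can be tried without a pf box.

```shell
#!/bin/sh
# MRTG external-script wrapper for pf interface counters (added example).
# MRTG runs the script named in backticks in a Target line and expects four
# lines on stdout: bytes in, bytes out, uptime string, target name.
# Assumed pfctl -si layout: the "Interface Stats" block quoted in this thread,
# with IPv4 and IPv6 columns; both columns are summed per row.

# pf_counter ROW: read `pfctl -si` text on stdin and print the IPv4+IPv6
# total for ROW ("Bytes In" or "Bytes Out"); prints 0 if the row is absent.
pf_counter() {
    awk -v key="$1" '
        BEGIN { total = 0 }
        $0 ~ "^[ \t]*" key "[ \t]" {
            # the last two fields are the IPv4 and IPv6 counters
            total = $(NF - 1) + $NF
            exit
        }
        END { printf "%.0f\n", total }'
}

# uptime_string: MRTG's third output line; "unknown" if uptime is unavailable.
uptime_string() {
    u=$(uptime 2>/dev/null | sed 's/^.* up *//; s/,.*//')
    printf '%s\n' "${u:-unknown}"
}

# mrtg_lines TARGET: read `pfctl -si` text on stdin, print the four MRTG lines.
mrtg_lines() {
    stats=$(cat)
    bytes_in=$(printf '%s\n' "$stats" | pf_counter "Bytes In")
    bytes_out=$(printf '%s\n' "$stats" | pf_counter "Bytes Out")
    printf '%s\n%s\n%s\n%s\n' "$bytes_in" "$bytes_out" "$(uptime_string)" "$1"
}

# Constructed sample, copied from the pfctl output quoted in the thread, so the
# functions can be exercised without pf. On the gateway the last line becomes
#   pfctl -si | mrtg_lines "pf rl0"
# and MRTG is pointed at the script (assumed path) with
#   Target[pf_rl0]: `/usr/local/bin/pf-mrtg.sh`
SAMPLE_PFCTL='Interface Stats for fxp1              IPv4             IPv6
  Bytes In                      8361381434                0
  Bytes Out                      591564563              352'

printf '%s\n' "$SAMPLE_PFCTL" | mrtg_lines "pf fxp1"
```

Note that, as Eugene observes above, `pfctl -si` only reports the single `loginterface`; per-department figures still need the labeled rules (`pfctl -vs rules` or `pfctl -sl`) as a separate MRTG target.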