ng_netflow and bridging firewall

Ganbold ganbold at micom.mng.net
Thu Sep 1 03:55:16 GMT 2005


Gleb,

Thanks for the reply. However, once I ran the ngctl commands to create the
graph in order to catch both outgoing and incoming traffic, ipfw started
working abnormally. Basically all my customers complained that they couldn't
connect to the Internet.
Because I'm running a bridge firewall, is this due to the ng_ether and bridge(4)
bug you mentioned? Or is it something else?
Where can I find the bug info?

# uname -an
FreeBSD machine.mng.net 5.4-STABLE FreeBSD 5.4-STABLE #4: Fri Aug 12 
09:58:18 ULAST 2005     tsgan at machine.mng.net:/usr/obj/usr/src/sys/PRXY  i386

thanks,

Ganbold


At 06:28 PM 8/31/2005, you wrote:
>On Wed, Aug 31, 2005 at 05:50:21PM +0900, Ganbold wrote:
>G> At 08:10 PM 8/30/2005, you wrote:
>G> >On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
>G> >G> ngctl mkpeer xl1: tee lower right
>G> >G> ngctl connect xl1: xl1:lower upper left
>G> >G> ngctl name xl1:lower xl1_tee
>G> >G> ngctl mkpeer xl1_tee: netflow left2right iface0
>G> >G> ngctl name xl1:lower.left2right netflow
>G> >G> ngctl connect xl1_tee: netflow: right2left iface1
>G> >G> ngctl msg netflow: setifindex { iface=0 index=2 }
>G> >G> ngctl msg netflow: setifindex { iface=1 index=1 }
>G> >G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
>G> >G> ngctl msg netflow:export connect inet/127.0.0.1:8818
>G> >G>
>G> >G> I'm just using the second xl1 interface for ng_netflow. However, when I see the
>G> >G> flow data I can only see my network addresses in the dstIP field. Is it correct?
>G> >G> I thought both srcIP and dstIP should contain my IPs, because I'm trying to catch
>G> >G> traffic which goes in both directions of xl1. Is my assumption correct? If I'm
>G> >G> wrong, how do I make it work in the correct way?
>G> >
>G> >No. Look at the ng_ether(4) manpage and draw your graph. You are catching
>G> >only one direction with the above script.
>G>
>G> OK. I see. I'm catching only incoming traffic to the xl1 interface.
>G> I can see it by issuing the ngctl msg xl1_tee: getstats command and also
>G> the flowctl netflow: show command.
>G>
>G> I read the ng_ether man page and didn't quite get it.
>G>
>G> I'm including the xl0 interface in a similar way to xl1.
>G> Is the following sufficient for catching outgoing traffic?
>G>
>G> ngctl mkpeer xl0: tee lower right
>G> ngctl connect xl0: xl0:lower upper left
>G> ngctl name xl0:lower xl0_tee
>G> ngctl mkpeer xl0_tee: netflow left2right iface2
>G> ngctl name xl0:lower.left2right netflow0
>G> ngctl msg netflow0: setifindex { iface=2 index=4 }
>G> ngctl connect xl0_tee: netflow0: right2left iface3
>G> ngctl msg netflow0: setifindex { iface=3 index=3 }
>G> ngctl mkpeer netflow0: ksocket export inet/dgram/udp
>G> ngctl msg netflow0:export connect inet/127.0.0.1:8818
>
>Looks correct.
>
>G> The graph is something like:
>G>
>G>              ng_ether
>G>       upper  |        |  lower
>G>       left   |        |  right
>G>               ng_tee
>G>  right2left  |        |  left2right
>G>  iface0      |        |  iface1
>G>             ng_netflow
>G>
>G> Maybe I did something wrong. How should I do it in the right way?
>G> I googled and didn't find a good source or samples for ng_netflow.
>G>
>G> thanks in advance,
>G>
>G> Ganbold
>G>
>G>
>
>--
>Totus tuus, Glebius.
>GLEBIUS-RIPN GLEB-RIPE
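One collector-side check for the symptom in the quoted thread (local addresses only ever showing up in dstIP) is to parse what ng_netflow exports to 127.0.0.1:8818 and count, per input ifindex, the flows with a local source versus a local destination. The Python below is an added example, not code from the thread or from FreeBSD; it implements the NetFlow v5 record layout that ng_netflow exports and runs over a constructed two-record datagram with an assumed customer prefix of 10.1.0.0/16.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# NetFlow v5 wire layout: a 24-byte header followed by `count` 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Return one dict per flow record in a NetFlow v5 datagram."""
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram: header announces %d records" % count)
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({
            "src": IPv4Address(f[0]), "dst": IPv4Address(f[1]),
            "input": f[3], "output": f[4],     # ifindex values (cf. setifindex above)
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows

def direction_summary(flows, local_net):
    """Per input ifindex, count flows with a local source (outgoing) and a local
    destination (incoming). A graph that taps only one direction shows up as a
    zero in one of the two counters."""
    local = IPv4Network(local_net)
    summary = {}
    for f in flows:
        out_, in_ = summary.setdefault(f["input"], [0, 0])
        summary[f["input"]] = [out_ + (f["src"] in local), in_ + (f["dst"] in local)]
    return summary

def build_sample():
    """Constructed datagram (not real export data): one incoming HTTP flow arriving on
    ifindex 1 and its reply leaving via ifindex 2; 10.1.2.3 stands in for a customer."""
    hdr = HDR.pack(5, 2, 1000, 1125553000, 0, 0, 0, 0, 0)
    def rec(src, dst, inp, outp, sport, dport):
        return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                        inp, outp, 10, 1500, 100, 900, sport, dport,
                        0, 0x18, 6, 0, 0, 0, 24, 16, 0)
    return (hdr + rec("198.51.100.7", "10.1.2.3", 1, 2, 80, 40000)
                + rec("10.1.2.3", "198.51.100.7", 2, 1, 40000, 80))

if __name__ == "__main__":
    print(direction_summary(parse_v5(build_sample()), "10.1.0.0/16"))  # -> {1: [0, 1], 2: [1, 0]}
```

Feed it real datagrams from a UDP socket bound to the export port; a healthy two-direction graph gives non-zero counts in both columns for the interface's ifindex.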