ng_netflow and bridging firewall

Gleb Smirnoff glebius at FreeBSD.org
Tue Aug 30 11:10:54 GMT 2005


On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
G> I'm a newbie to ng_netflow and I'm trying to collect Netflow traffic from a
G> FreeBSD 5.4 machine. The collector (flow-tools) runs on the same machine.
G> This FreeBSD box has 3 interfaces and it acts as a bridging firewall using IPFW2.
G> It also uses dummynet.
G> 
G> host# ifconfig
G> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
G>         options=9<RXCSUM,VLAN_MTU>
G>         ether 00:10:5a:5b:e5:e3
G>         media: Ethernet 100baseTX <full-duplex>
G>         status: active
G> xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
G>         options=9<RXCSUM,VLAN_MTU>
G>         ether 00:04:76:dc:7f:d1
G>         media: Ethernet 100baseTX <full-duplex>
G>         status: active
G> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
G>         inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
G>         ether 00:0b:6a:24:f6:ab
G>         media: Ethernet autoselect (100baseTX <full-duplex>)
G>         status: active
G> 
G> I'm running ng_netflow module and ngctl with following parameters:
G> 
G> ngctl mkpeer xl1: tee lower right
G> ngctl connect xl1: xl1:lower upper left
G> ngctl name xl1:lower xl1_tee
G> ngctl mkpeer xl1_tee: netflow left2right iface0
G> ngctl name xl1:lower.left2right netflow
G> ngctl connect xl1_tee: netflow: right2left iface1
G> ngctl msg netflow: setifindex { iface=0 index=2 }
G> ngctl msg netflow: setifindex { iface=1 index=1 }
G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
G> ngctl msg netflow:export connect inet/127.0.0.1:8818
G> 
G> I'm just using the second interface xl1 for ng_netflow. However, when I see the
G> flow data I can only see my network addresses in
G> the dstIP field. Is it correct? I thought both srcIP and dstIP should contain
G> my IPs, because I'm trying to catch traffic which goes in both directions of
G> xl1. Is my assumption correct? If I'm wrong, how do I make it work in the correct
G> way?

No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
one direction with the above script.

G> Another issue is that the firewall dynamic rules count almost doubles when
G> ng_netflow traffic starts. Is it correct?
G> How can I fix this?

I know that bridge(4) has a conflict with ng_ether(4). This is fixed in RELENG_6,
and is not going to be fixed in RELENG_5 due to ABI freeze. You can
try 6.0-BETA3 in this configuration.

Probably your ipfw problem is related to this conflict between bridge
and ng_ether.

G> Also how can I include first interface xl0 to the ng_netflow configuration?

Read the netgraph manual pages and draw a graph, then change the script so that
a new graph is built.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
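A quick way to confirm what Ganbold observed (local addresses appearing only in dstIP, which is the symptom of a one-directional capture) is to parse the NetFlow version 5 datagrams that ng_netflow exports to the collector on 127.0.0.1:8818 and count on which side of each flow the local prefix appears. The example below is added here and is not part of the thread or of ng_netflow; the datagrams, the 198.51.100.0/27 prefix standing in for the masked x.x.x.x /27, and the helper names are all constructed.

```python
import struct
import ipaddress

# NetFlow v5 wire format (big-endian): 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Parse one exported datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("unexpected NetFlow version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": ipaddress.IPv4Address(r[0]), "dst": ipaddress.IPv4Address(r[1]),
                      "input": r[3], "output": r[4], "proto": r[13]})
    return flows

def direction_counts(flows, local_net):
    """Classify flows by where the local prefix appears. A capture that sees both
    directions of the link must produce non-zero 'src' and 'dst' counts."""
    net = ipaddress.IPv4Network(local_net)
    counts = {"src": 0, "dst": 0, "both": 0, "neither": 0}
    for f in flows:
        s, d = f["src"] in net, f["dst"] in net
        counts["both" if s and d else "src" if s else "dst" if d else "neither"] += 1
    return counts

def one_directional(counts):
    """True when only one side of the conversations ever carries the local prefix."""
    return (counts["src"] == 0) != (counts["dst"] == 0)

def make_record(src, dst, input_if, output_if, proto, sport, dport):
    """Constructed sample record; counters, timestamps and masks are arbitrary."""
    return V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                          b"\0" * 4, input_if, output_if, 10, 1500, 1000, 2000,
                          sport, dport, 0, 0x18, proto, 0, 0, 0, 27, 0, 0)

# Constructed datagrams. SYMPTOM reproduces the question: only flows towards the
# local /27 are exported. HEALTHY adds the reply flow a two-direction capture yields.
LOCAL_NET = "198.51.100.0/27"   # placeholder for the masked x.x.x.x netmask 0xffffffe0
_HDR = V5_HEADER.pack(5, 0, 123456, 1125400000, 0, 0, 0, 0, 0)
_IN1 = make_record("203.0.113.5", "198.51.100.10", 1, 2, 6, 80, 1025)
_IN2 = make_record("192.0.2.77", "198.51.100.20", 1, 2, 17, 53, 40000)
_OUT = make_record("198.51.100.10", "203.0.113.5", 2, 1, 6, 1025, 80)
SYMPTOM = _HDR[:2] + struct.pack(">H", 2) + _HDR[4:] + _IN1 + _IN2
HEALTHY = _HDR[:2] + struct.pack(">H", 3) + _HDR[4:] + _IN1 + _IN2 + _OUT
```

Feeding real datagrams (captured with tcpdump on lo0 port 8818, or read back from flow-tools) through parse_v5 and direction_counts gives the same check on live data.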

