traffic accounting

Max Laier max at love2party.net
Fri Mar 18 05:03:12 PST 2005


On Friday 18 March 2005 12:41, stephen wrote:
> Hi all,
>
> Tried sending this mail earlier, if it came through twice apologies in
> advance.

It did, but never mind.

> Having a little difficulty regarding traffic counting.
>
> I have a macro ($soh) with about 30 IPs in it.. The first problem I
> was having was that:
> pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> was not passing traffic. (nat changing source address before reaching
> filtering rules)
>
> Someone then recommended having the following instead:
> pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
> pass out on $ext_if from any to any keep state label "total::  "
>
> which is now letting traffic out with the pass out rule, but the pass
> in rule is not counting traffic... whenever doing "pfctl -sl" I can
> see the "total::" label rising as more bandwidth is used, but all the
> other labels for all the private IPs remain on zero.

Generally speaking, I'd think that there is an error in your ruleset that 
prevents this rule from being evaluated.  Use $pfctl -vsr and check if the 
rule(s) match at all.  If you are dealing with 10+ IPs I'd also suggest 
looking at tables.  They are not only quicker (by an order of magnitude) but 
also provide per IP counters for traffic that might just give you what you 
want.  See the FAQ for details on tables.

> I did get a step closer earlier this morning...  Managed to count
> traffic from the source addresses 100%, but I couldn't account for the
> web traffic (which is 80% of the traffic) as I have a rdr rule that
> redirects all traffic for port 80 via localhost port 3128 to
> proxy/cache webpages.

In any case the traffic must come in from the local side first (as I think 
that you are only dealing with connections initiated from the clients you are 
accounting for).  This traffic can always be filtered and accounted for.

> Could someone possibly help rectify this?
> (they are also the last rules in the ruleset so the "last match wins"
> is correct)

"quick" might mess you up?  Please post your *complete* ruleset when you want 
help debugging it.  It's only fishing in the dark if you don't give details.  
Obfuscate your static IP if you think you have to, but post the complete 
thing or people are not able to help.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
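As an added example (not code from this thread), a small Python parser for `pfctl -sl` output that separates labels pf never evaluated from labels it evaluated but never matched, which is the distinction the `pfctl -vsr` advice above is about. The sample output, addresses and counter values are constructed to mirror the symptom described (per-IP labels at zero, "total::" growing).

```python
import re
from dataclasses import dataclass

# Constructed sample of `pfctl -sl` output (label, evaluations, packets, bytes,
# then on newer pfctl the in/out packet and byte counts).
SAMPLE_PFCTL_SL = """\
192.168.1.10::  0 0 0 0 0 0 0
192.168.1.11::  820 0 0 0 0 0 0
192.168.1.12::  0 0 0 0 0 0 0
total::   15320 984210 751263340 412130 31204550 572080 720058790
"""

# pfctl prints the label verbatim (it may contain spaces, as "total::  " does),
# followed by at least three integer counters, so match counters from the right.
_LINE_RE = re.compile(r"^(.*?)((?:\s+\d+){3,})\s*$")

@dataclass
class LabelStats:
    label: str
    evaluations: int
    packets: int
    bytes: int

def parse_pfctl_labels(text: str) -> list[LabelStats]:
    """Parse `pfctl -sl` output into one LabelStats per labelled rule."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected pfctl -sl line: {line!r}")
        counters = [int(f) for f in m.group(2).split()]
        rows.append(LabelStats(m.group(1).rstrip(), *counters[:3]))
    return rows

def diagnose(rows: list[LabelStats]) -> dict[str, str]:
    """Classify each label as you would when reading `pfctl -sl` by hand."""
    verdict = {}
    for r in rows:
        if r.evaluations == 0:
            # pf never reached this rule: an earlier "quick" match or a
            # ruleset problem; confirm with `pfctl -vsr`.
            verdict[r.label] = "never evaluated"
        elif r.packets == 0:
            # Reached but never matched, e.g. nat rewrote the source first.
            verdict[r.label] = "evaluated, never matched"
        else:
            verdict[r.label] = "matching"
    return verdict

VERDICTS = diagnose(parse_pfctl_labels(SAMPLE_PFCTL_SL))
```

Feed it the real output of `pfctl -sl` instead of the sample to see which of the per-IP labels pf is actually reaching.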