ipfw count rules to count traffic to virtual ip's

Steve Bertrand iaccounts at ibctech.ca
Tue Jul 6 06:45:35 PDT 2004


> OK, then I get it.
>
> I thought ipfw was also able to have an IP address there instead of only
> an interface.
> Thanks

Nope, I was wrong...

# man ipfw [snipped]

     recv | xmit | via {ifX | if* | ipno | any}
             Matches packets received, transmitted or going through, respec-
             tively, the interface specified by exact name (ifX), by device
             name (if*), by IP address, or through some interface.

I just found the latter rules to be a little more clear and precise.
Perhaps someone else can shed light on the failure, but it's just nice to
know that you're up and achieving the results you desired ;)

Steve

>
>
>
> Steve Bertrand wrote:
>
>>>Well :
>>>
>>>This won't work:
>>>ipfw add 00010 count tcp from any to any via 1.1.1.1
>>>ipfw add 00011 count tcp from any to any in recv 1.1.1.1
>>>ipfw add 00012 count tcp from any to any out xmit 1.1.1.1
>>>ipfw add 00016 count tcp from any to any via 2.2.2.2
>>>ipfw add 00017 count tcp from any to any in recv 2.2.2.2
>>>ipfw add 00018 count tcp from any to any out xmit 2.2.2.2
>>>
>>>
>>>This works:
>>>ipfw add 00022 count tcp from 1.1.1.1 to any
>>>ipfw add 00023 count tcp from any to 1.1.1.1
>>>ipfw add 00024 count tcp from 2.2.2.2 to any
>>>ipfw add 00025 count tcp from any to 2.2.2.2
>>>
>>>Is ipfw unable to count IP traffic that way? Or is it just illogical
>>>how I am doing it?
>>>
>>>
>>
>>It didn't seem logical to me. Anything after via, xmit, or recv should be
>>an interface name (or alias) as this is what ipfw expects to see. The
>>actual addressing should be located within the to/from portion of the
>>rule.
>>
>>You can even go farther and count port usage as well. Say for instance,
>>you want to get an idea of how much http(s) traffic there is generated on
>>1.1.1.1 :
>>
>>ipfw add 00100 count tcp from any to 1.1.1.1 80,443
>>
>>Regards,
>>
>>Steve
>>
>>
>>
>>
>>>
>>>Steve Bertrand wrote:
>>>
>>>
>>>
>>>>>Anyone ?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hello,
>>>>>>
>>>>>>I'm trying to set up ipfw to count traffic to each IP on the server
>>>>>>(one interface with multiple aliased IPs).
>>>>>>
>>>>>>Now it seems that the count rules are about the same for each IP,
>>>>>>while this isn't the truth.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>Are these the exact rules, or does # ipfw show mix them up a bit?
>>>>
>>>>For instance:
>>>>
>>>># ipfw add 10000 count tcp from any to 1.1.1.1
>>>>
>>>>*should* count all tcp traffic destined for 1.1.1.1, and likewise,
>>>>
>>>># ipfw add 11000 count tcp from 1.1.1.1 to any
>>>>
>>>>*should* count all tcp traffic from the IP.
>>>>
>>>>If ipfw show is convoluting the rules a bit, you might start by sending
>>>>in a small sample of your ruleset.
>>>>
>>>>Just a thought...
>>>>
>>>>Steve
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>>00007 7715117 6712750640 count ip from any to any via fxp0
>>>>>>00008 2953770  167284959 count ip from any to any in recv fxp0
>>>>>>00009 4761341 6545462313 count ip from any to any out xmit fxp0
>>>>>>00010 7707303 6712093431 count tcp from any to any via 1.1.1.1
>>>>>>00011 2948103  166773748 count tcp from any to any in recv 1.1.1.1
>>>>>>00012 4759198 6545319411 count tcp from any to any out xmit 1.1.1.1
>>>>>>00016 7707299 6712092983 count tcp from any to any via 2.2.2.2
>>>>>>00017 2948101  166773668 count tcp from any to any in recv 2.2.2.2
>>>>>>00018 4759195 6545319003 count tcp from any to any out xmit 2.2.2.2
>>>>>>00022 2842887  145092334 count tcp from any to any 80 via fxp0
>>>>>>
>>>>>>As you can see the traffic for IP 1.1.1.1 and IP 2.2.2.2 are about
>>>>>>the same while IP 2.2.2.2 is actually doing nothing (all ports are
>>>>>>blocked because it's not active yet).
>>>>>>
>>>>>>What is going wrong here? How come ipfw counts the same traffic for
>>>>>>each IP?
>>>>>>
>>>>>>Also rule 22 from "any to any 80" shows only a few hundred megs of
>>>>>>traffic while 95% of all the traffic on the server is HTTP traffic
>>>>>>from websites, so this should be at least around 5GB of traffic
>>>>>>instead of a few hundred megs.
>>>>>>
>>>>>>Any ideas?
>>>>>>
>>>>>>Thanks
>>>>>>
>>>>>>m.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>_______________________________________________
>>>>>freebsd-questions at freebsd.org mailing list
>>>>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>>>To unsubscribe, send any mail to
>>>>>"freebsd-questions-unsubscribe at freebsd.org"
>
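The difference discussed in this thread, as an added example that is not part of the original messages: a small audit of `ipfw show` output that flags count rules giving an IP address to `via`/`recv`/`xmit`, and sums bytes per address from rules that name it in the `from`/`to` part. Rules 00007 to 00016 are copied from the thread; the counters on rules 00022 to 00025 and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit `ipfw show` output.
# Rules 00007-00016 are copied from the thread; the counters on rules
# 00022-00025 are constructed for illustration.
SAMPLE='00007 7715117 6712750640 count ip from any to any via fxp0
00010 7707303 6712093431 count tcp from any to any via 1.1.1.1
00011 2948103  166773748 count tcp from any to any in recv 1.1.1.1
00016 7707299 6712092983 count tcp from any to any via 2.2.2.2
00022 4759100 1545000000 count tcp from 1.1.1.1 to any
00023 2948000  166700000 count tcp from any to 1.1.1.1
00024       0          0 count tcp from 2.2.2.2 to any
00025      12        720 count tcp from any to 2.2.2.2'

# Print the numbers of rules whose via/recv/xmit argument is an IPv4
# address. Per the man page that argument selects an interface, so such
# rules cannot tell apart aliases that share one interface.
interface_by_ip_rules() {
    awk '{
        for (i = 4; i < NF; i++)
            if ($i ~ /^(via|recv|xmit)$/ &&
                $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                print $1
                break
            }
    }'
}

# Sum byte counters per address from rules that name the address in the
# from/to part. Output lines: "<ip> <bytes_to_ip> <bytes_from_ip>".
per_ip_bytes() {
    awk '
    {
        src = ""; dst = ""
        for (i = 4; i < NF; i++) {
            if ($i == "from") src = $(i + 1)
            if ($i == "to")   dst = $(i + 1)
        }
        if (dst ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { rx[dst] += $3; seen[dst] = 1 }
        if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { tx[src] += $3; seen[src] = 1 }
    }
    END { for (a in seen) printf "%s %d %d\n", a, rx[a], tx[a] }' | sort
}

echo "Rules that match an interface, not an address:"
printf '%s\n' "$SAMPLE" | interface_by_ip_rules
echo "Bytes per address (to, from):"
printf '%s\n' "$SAMPLE" | per_ip_bytes
```

On a live host the same functions can read `ipfw show` directly, for example `ipfw show | per_ip_bytes`.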



