ng_netflow on PF + CARP firewall question
shinny knight
sh1nny_kn1ght at yahoo.com
Thu Dec 6 10:08:02 PST 2007
Hello all,
I'm trying to use the ng_netflow module along with a PF+CARP implementation on FreeBSD 6.2.
I understand from various posts that the ng_netflow module performs quite well and does not add much CPU load, since packets are processed in the kernel.
However, the ng_netflow documentation is very confusing for beginners and I'm having a hard time figuring it out.
As mentioned before, I have a PF+CARP implementation along with the /usr/ports/net/ifstated port. This part is tested and working fine. (If anybody wants advice here, feel free to ask. :) )
I'm wondering if it's a good idea to add ng_netflow on top of it, or whether I should use an additional system with a TAP interface and just mirror incoming/outgoing traffic from the switch.
This is what I want to try for ng_netflow:
cat /boot/loader.conf
ng_ether_load="YES"
ng_ksocket_load="YES"
ng_tee_load="YES"
ng_socket_load="YES"
ng_netflow_load="YES"
cat /etc/rc.conf |grep ng
ng_netflow_enable="YES"
cat /usr/local/etc/rc.d/ng_netflow
#!/bin/sh
#
# PROVIDE: ng_netflow
# REQUIRE: DAEMON

. /etc/rc.subr

name="ng_netflow"
rcvar=`set_rcvar`

ng_netflow_start()
{
	echo "Starting ${name}."
	# ngctl -f ignores blank lines and lines starting with '#'.
	/usr/sbin/ngctl -f- <<-SEQ
		# bge2: insert a tee between the ether node's lower (wire side)
		# and upper (stack side) hooks; tee "right" faces the wire,
		# tee "left" faces the stack.
		mkpeer bge2: tee lower right
		connect bge2: bge2:lower upper left
		name bge2:lower bge2_tee
		# Copies of stack->wire packets go to netflow hook iface0,
		# copies of wire->stack packets go to netflow hook iface1.
		mkpeer bge2_tee: netflow left2right iface0
		name bge2:lower.left2right netflow
		connect bge2_tee: netflow: right2left iface1
		# SNMP ifIndex values written into the exported flow records.
		msg netflow: setifindex { iface=0 index=2 }
		msg netflow: setifindex { iface=1 index=1 }
		# Export NetFlow datagrams over UDP to the local collector.
		mkpeer netflow: ksocket export inet/dgram/udp
		msg netflow:export connect inet/127.0.0.1:8818

		# bge1: same layout, with a second netflow node named netflow0.
		mkpeer bge1: tee lower right
		connect bge1: bge1:lower upper left
		name bge1:lower bge1_tee
		mkpeer bge1_tee: netflow left2right iface2
		name bge1:lower.left2right netflow0
		connect bge1_tee: netflow0: right2left iface3
		msg netflow0: setifindex { iface=2 index=4 }
		msg netflow0: setifindex { iface=3 index=3 }
		mkpeer netflow0: ksocket export inet/dgram/udp
		msg netflow0:export connect inet/127.0.0.1:8818
	SEQ
}

ng_netflow_stop()
{
	echo "Stopping ${name}."
	# Shut down both netflow nodes (each one's export ksocket goes with
	# it) and the tee nodes inserted into bge1 and bge2. Shutting down
	# only "netflow:" would leave netflow0 and both tees running.
	/usr/sbin/ngctl -f- <<-SEQ
		shutdown netflow:
		shutdown netflow0:
		shutdown bge2_tee:
		shutdown bge1_tee:
	SEQ
}

start_cmd="ng_netflow_start"
stop_cmd="ng_netflow_stop"

load_rc_config $name
: ${ng_netflow_enable="NO"}
run_rc_command "$1"
As can be seen from the above script, I'm planning to send packets to localhost port 8818 first.
Is the above configuration correct?
Will it affect the PF+CARP implementation in any way, given that I'm not using CARP interfaces with ng_netflow but physical ones like bge1 and bge2? (I want to mention here that I'm not planning to use ng_netflow on the pfsync interface.)
Should I stick with solutions from ports like softflowd and similar?
What could the difference in CPU/memory requirements be for 100 Mbps of traffic between ng_netflow and softflowd?
Thanks in advance for any help.
Senior Network/Security Administrator
Catalin Miclaus
Starcomms Ltd.
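The ngctl script in the post exports to 127.0.0.1:8818, so something has to be listening there. The following is an added example, not code from the post or from the FreeBSD project: a minimal NetFlow v5 collector and parser that shows what the two netflow nodes send, including the ifIndex values assigned with setifindex, which ng_netflow puts into the input/output fields of each record. The sample datagram is constructed by hand (it is not a capture from a running firewall), and the interface indices 1..4 it uses are assumed from the posted setifindex messages.

```python
"""NetFlow v5 listener/parser for an ng_netflow export on 127.0.0.1:8818.

Added example, not part of the original post. The SAMPLE datagram below is
constructed by hand; its ifIndex values (1..4) are assumed from the posted
setifindex messages, not taken from a live export.
"""
import socket
import struct
from typing import Dict, List

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte flow record
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_v5(datagram: bytes) -> List[Dict]:
    """Decode one NetFlow v5 datagram; raise ValueError on anything malformed.

    Anything bound to a UDP port must check the length against the record
    count before trusting it; a short or forged packet must not mis-slice.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError("version %d is not NetFlow v5" % hdr["version"])
    if not 1 <= hdr["count"] <= 30:          # v5 carries at most 30 records
        raise ValueError("bad record count %d" % hdr["count"])
    if len(datagram) != V5_HEADER.size + hdr["count"] * V5_RECORD.size:
        raise ValueError("length does not match record count")
    records = []
    for i in range(hdr["count"]):
        off = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, off)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
        rec["sequence"] = hdr["flow_sequence"] + i   # gaps mean lost exports
        records.append(rec)
    return records


def is_valid_v5(datagram: bytes) -> bool:
    """True if parse_v5 accepts the datagram."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def octets_by_input(records: List[Dict]) -> Dict[int, int]:
    """Bytes per input ifIndex, i.e. per 'index' value set with setifindex."""
    totals: Dict[int, int] = {}
    for rec in records:
        totals[rec["input"]] = totals.get(rec["input"], 0) + rec["dOctets"]
    return totals


def build_v5(flows: List[Dict], uptime: int = 60000, seq: int = 0) -> bytes:
    """Pack flow dicts into a v5 datagram (only used to construct test input)."""
    def ip2int(addr: str) -> int:
        return struct.unpack("!I", socket.inet_aton(addr))[0]
    body = b"".join(
        V5_RECORD.pack(ip2int(f["src"]), ip2int(f["dst"]), 0, f["input"],
                       f["output"], f["pkts"], f["octets"], uptime - 5000,
                       uptime, f["sport"], f["dport"], 0, f.get("flags", 0),
                       f["proto"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    header = V5_HEADER.pack(5, len(flows), uptime, 1196957282, 0, seq, 0, 0, 0)
    return header + body


# Constructed sample: an HTTP request, its reply, and a DNS query.
SAMPLE = build_v5([
    {"src": "10.0.0.5", "dst": "192.0.2.10", "input": 1, "output": 4,
     "pkts": 12, "octets": 1480, "sport": 51234, "dport": 80, "proto": 6,
     "flags": 0x1b},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "input": 3, "output": 2,
     "pkts": 10, "octets": 9000, "sport": 80, "dport": 51234, "proto": 6,
     "flags": 0x1b},
    {"src": "10.0.0.7", "dst": "198.51.100.1", "input": 1, "output": 4,
     "pkts": 1, "octets": 76, "sport": 4096, "dport": 53, "proto": 17},
], seq=100)


def serve(host: str = "127.0.0.1", port: int = 8818) -> None:
    """Bind where the posted ngctl script exports and print every flow."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            for r in parse_v5(data):
                print("%(srcaddr)s:%(srcport)d -> %(dstaddr)s:%(dstport)d "
                      "proto %(prot)d in %(input)d out %(output)d "
                      "%(dOctets)d bytes" % r)
        except ValueError as err:
            print("dropping datagram from %s: %s" % (peer[0], err))


if __name__ == "__main__":
    serve()
```

Running the module on the firewall while the rc.d script is started prints one line per exported flow; the input/output columns are the SNMP indices from the setifindex messages, so they are the quickest way to confirm that the tee hooks on bge1 and bge2 are wired in the direction you expect before pointing the export at a real collector.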