traffic accounting

stephen dinzdale at gmail.com
Fri Mar 18 05:48:58 PST 2005


On Fri, 18 Mar 2005 14:02:50 +0100, Max Laier <max at love2party.net> wrote:
> On Friday 18 March 2005 12:41, stephen wrote:
> > Having a little difficulty regarding traffic counting.
> >
> > I have a macro ($soh) with about 30 IPs in it.. The first problem I
> > was having was that:
> > pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> > was not passing traffic. (nat changing source address before reaching
> > filtering rules)
> >
> > Someone then recommended having the following instead:
> > pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
> > pass out on $ext_if from any to any keep state label "total::  "
> >
> > which is now letting traffic out with the pass out rule, but the pass
> > in rule is not counting traffic... whenever doing "pfctl -sl" I can
> > see the "total::" label rising as more bandwidth is used, but all the
> > other labels for all the private IPs remain on zero.
> 
> Generally speaking, I'd think that there is an error in your ruleset that
> prevents this rule from being evaluated.  Use $pfctl -vsr and check if the
> rule(s) match at all.  If you are dealing with 10+ IPs I'd also suggest
> looking at tables.  They are not only quicker (by an order of magnitude) but
> also provide per IP counters for traffic that might just give you what you
> want.  See the FAQ for details on tables.

that's exactly what I'm after, the reason I used a macro was when I
did # pfctl -sl I was just getting <soh> 0 0 0, the table wasn't
expanding (changed from ipf to pf recently, so I'm a little new to
things such as tables)

> > I did get a step closer earlier this morning...  Managed to count
> > traffic from the source addresses 100%, but I couldn't account for the
> > web traffic (which is 80% of the traffic) as I have a rdr rule that
> > redirects all traffic for port 80 via localhost port 3128 to
> > proxy/cache webpages.
> 
> In any case the traffic must come in from the local side first (as I think
> that you are only dealing with connections initiated from the clients you are
> accounting for).  This traffic can always be filtered and accounted for.

yes, but because of the two rules
> > pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
> > pass out on $ext_if from any to any keep state label "total::  "
and the last match wins story... I think it bypasses the first rule and
traffic goes out on the second

> > Could someone possibly help rectify this?
> > (they are also the last rules in the ruleset so the "last match wins"
> > is correct)
> 
> "quick" might mess you up?  Please post your *complete* ruleset when you want
> help debugging it.  It's only fishing in the dark if you don't give details.
> Obfuscate your static IP if you think you have to, but post the complete
> thing or people are not able to help.

yeah that's what I thought, quick is going to stop traffic going out,
same as when I was doing:
  pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
it wasn't passing traffic at all.  I suspect because of the nat rule
(and seeing as nat is done before filtering) it was converting the
private IPs into the live IP and wouldn't let it go out.

here's the ruleset:

# macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"

tcp_services_in = "{ 21, 25, 110, 2222, 113 }"
tcp_services_out = "{ 21, 22, 25, 53, 80, 110, 6667 }"
udp_services_in = "{ 53 }"
udp_services_out = "{ 53 }"
icmp_types = "echoreq"

p2p_ports = " { 6346 }"
p2p_clients = "{ $studio, $stephen }"
studio = "{ x.x.x.5 , x.x.x.11 , x.x.x.12 }"
stephen = "x.x.x.23"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

#table <soh> persist file "/etc/soh_hosts"

soh = "{ x.x.x.1 , x.x.x.2 , x.x.x.3 , x.x.x.4 , x.x.x.5 , x.x.x.6 ,
x.x.x.7 , x.x.x.8 , x.x.x.9 , x.x.x.10 , x.x.x.11 , x.x.x.12 ,
x.x.x.13 , x.x.x.14 , x.x.x.15 , x.x.x.16 , x.x.x.17 , x.x.x.18 ,
x.x.x.19 , x.x.x.20 , x.x.x.21 , 10.0.88.22 , x.x.x.23 , x.x.x.24 ,
x.x.x.25 , x.x.x.26 , x.x.x.27 , x.x.x.28 , x.x.x.29 , x.x.x.30 }"

# comp3 = "x.x.x.x"

# options
set block-policy return
set loginterface $ext_if
set fingerprints "/etc/pf.os"

# scrub
scrub in all

# nat/rdr
#nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

# rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block log all

pass quick on lo0 all
pass quick on $int_if all

# anti spoofing protection for internal interface
antispoof quick for $int_if inet
antispoof quick for $ext_if inet
antispoof quick for lo0

pass in  on $ext_if inet proto tcp from any to { $int_if, ($ext_if) } \
    port $tcp_services_in flags S/SA keep state

pass in  on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state

pass in  on $gif_if all
pass out on $gif_if all

pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
pass out on $ext_if from any to any keep state label "total::  "


once I've got the counting working as I want it to (because I'll do a
pfctl -sl and have the output mailed to me daily and reset the
counter), I'll start bringing the $tcp_services_out into play to
restrict access a bit more.



Thanks,
Stephen
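The table approach Max suggests, as an added example that is not part of the thread: the assumed pf.conf lines replace the $soh macro with a table whose "counters" attribute keeps per-address packet and byte counts, and the script turns "pfctl -t soh -T show -v" output into the per-IP summary a daily mail needs. The table name and file path follow the posted ruleset; the script, the soh_report/soh_daily functions and the sample pfctl output are constructed here.

```shell
#!/bin/sh
# Added example: per-IP traffic accounting with a pf table instead of the
# $soh macro and the per-address labels.  Assumed pf.conf changes (not the
# poster's ruleset):
#   table <soh> counters persist file "/etc/soh_hosts"
#   pass in on $int_if from <soh> to any keep state
# With "counters" set, `pfctl -t soh -T show -v` prints per-address
# In/Out Block/Pass packet and byte counters, and `pfctl -t soh -T zero`
# resets them, which is what a daily mailed report needs.

# soh_report: read `pfctl -t soh -T show -v` output on stdin and print one
# line per address: "<address> <in_pass_bytes> <out_pass_bytes>".
soh_report() {
    awk '
        # an address line is the only line with a single field
        NF == 1      { ip = $1; order[++n] = ip; next }
        # counter lines look like: In/Pass: [ Packets: 10 Bytes: 1500 ]
        /In\/Pass:/  { inb[ip]  = $6 }
        /Out\/Pass:/ { outb[ip] = $6 }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", order[i], inb[order[i]] + 0, outb[order[i]] + 0
        }'
}

# soh_daily: what a cron job would run once a day: mail the report, then
# zero the table counters so the next report starts from zero.
soh_daily() {
    pfctl -t soh -T show -v | soh_report | mail -s "soh traffic" root
    pfctl -t soh -T zero
}

# Constructed sample of `pfctl -t soh -T show -v` output (two addresses;
# pfctl indents counter lines with a tab, which the parser does not rely on).
SAMPLE=$(printf '%s\n' \
    '   10.0.88.5' \
    '    Cleared:     Fri Mar 18 05:48:58 2005' \
    '    In/Block:    [ Packets: 0     Bytes: 0     ]' \
    '    In/Pass:     [ Packets: 10    Bytes: 1500  ]' \
    '    Out/Block:   [ Packets: 0     Bytes: 0     ]' \
    '    Out/Pass:    [ Packets: 12    Bytes: 9000  ]' \
    '   10.0.88.22' \
    '    Cleared:     Fri Mar 18 05:48:58 2005' \
    '    In/Block:    [ Packets: 3     Bytes: 180   ]' \
    '    In/Pass:     [ Packets: 0     Bytes: 0     ]' \
    '    Out/Block:   [ Packets: 0     Bytes: 0     ]' \
    '    Out/Pass:    [ Packets: 2     Bytes: 300   ]')

printf '%s\n' "$SAMPLE" | soh_report
```

Because the table's Block counters are kept separately, the same output also shows per-address traffic that the "block log all" rule dropped, which the labelled pass rules never count.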

