traffic accounting

Siavosh Benabbas sbenabas at gmail.com
Sun Mar 20 12:38:11 PST 2005


Hi,
If you haven't figured it out yet, every packet on $int_if gets matched by
pass quick on $int_if all
As you have put the quick keyword there, the rest of the ruleset is not seen and your
pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
rule is never matched. To solve the problem you should change the
first rule to "pass on $int_if all". Note that your ruleset is not a
default-deny one; it is recommended to put a "drop on $int_if all"
first and then selectively pass what you need.
Regards,
Siavosh Benabbas

On Fri, 18 Mar 2005 15:48:57 +0200, stephen <dinzdale at gmail.com> wrote:
> On Fri, 18 Mar 2005 14:02:50 +0100, Max Laier <max at love2party.net> wrote:
> > On Friday 18 March 2005 12:41, stephen wrote:
> > > Having a little difficulty regarding traffic counting.
> > >
> > > I have a macro ($soh) with about 30 IPs in it.. The first problem I
> > > was having was that:
> > > pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> > > was not passing traffic. (nat changing source address before reaching
> > > filtering rules)
> > >
> > > Someone then recommended having the following instead:
> > > pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
> > > pass out on $ext_if from any to any keep state label "total::  "
> > >
> > > which is now letting traffic out with the pass out rule, but the pass
> > > in rule is not counting traffic... whenever doing "pfctl -sl" I can
> > > see the "total::" label rising as more bandwidth is used, but all the
> > > other labels for all the private IPs remain on zero.
> >
> > Generally speaking, I'd think that there is an error in your ruleset that
> > prevents this rule from being evaluated.  Use $pfctl -vsr and check if the
> > rule(s) match at all.  If you are dealing with 10+ IPs I'd also suggest to
> > look at tables.  They are not only quicker (by an order of magnitude) but
> > also provide per IP counters for traffic that might just give you what you
> > want.  See the FAQ for details on tables.
> 
> that's exactly what I'm after. The reason I used a macro was that when I
> did # pfctl -sl I was just getting <soh> 0 0 0, the table wasn't
> expanding (changed from ipf to pf recently, so I'm a little new to
> things such as tables).
> 
> > > I did get a step closer earlier this morning...  Managed to count
> > > traffic from the source addresses 100%, but I couldn't account for the
> > > web traffic (which is 80% of the traffic) as I have a rdr rule that
> > > redirects all traffic for port 80 via localhost port 3128 to
> > > proxy/cache webpages.
> >
> > In any case the traffic must come in from the local side first (as I think
> > that you are only dealing with connections initiated from the clients you are
> > accounting for).  This traffic can always be filtered and accounted for.
> 
> yes, but because of the two rules
> > > pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
> > > pass out on $ext_if from any to any keep state label "total::  "
> and the "last match wins" story... I think it bypasses the first rule and
> traffic goes out on the second.
> 
> > > Could someone possibly help rectify this?
> > > (they are also the last rules in the ruleset so the "last match wins"
> > > is correct)
> >
> > "quick" might mess you up?  Please post your *complete* ruleset when you want
> > help debugging it.  It's only fishing in the dark if you don't give details.
> > Obfuscate your static IP if you think you have to, but post the complete
> > thing or people are not able to help.
> 
> yeah, that's what I thought: quick is going to stop traffic going out,
> same as when I was doing:
>   pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> it wasn't passing traffic at all. I suspect because of the nat rule
> (and seeing as nat is done before filtering) it was converting the
> private IPs into the live IP and wouldn't let it go out.
> 
> here's the ruleset:
> 
> # macros
> int_if = "rl0"
> ext_if = "tun0"
> gif_if = "gif3"
> 
> tcp_services_in = "{ 21, 25, 110, 2222, 113 }"
> tcp_services_out = "{ 21, 22, 25, 53, 80, 110, 6667 }"
> udp_services_in = "{ 53 }"
> udp_services_out = "{ 53 }"
> icmp_types = "echoreq"
> 
> p2p_ports = " { 6346 }"
> p2p_clients = "{ $studio, $stephen }"
> studio = "{ x.x.x.5 , x.x.x.11 , x.x.x.12 }"
> stephen = "x.x.x.23"
> 
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> 
> #table <soh> persist file "/etc/soh_hosts"
> 
> soh ="{ x.x.x.1 , x.x.x.2 , x.x.x.3 , x.x.x.4 , x.x.x.5 , x.x.x.6 ,
> x.x.x.7 , x.x.x.8 , x.x.x.9 , x.x.x.10 , x.x.x.11 , x.x.x.12 ,
> x.x.x.13 , x.x.x.14 , x.x.x.15 , x.x.x.16 , x.x.x.17 , x.x.x.18 ,
> x.x.x.19 , x.x.x.20 , x.x.x.21 , 10.0.88.22 , x.x.x.23 , x.x.x.24 ,
> x.x.x.25 , x.x.x.26 , x.x.x.27 , x.x.x.28 , x.x.x.29 , x.x.x.30 }"
> 
> # comp3 = "x.x.x.x"
> 
> # options
> set block-policy return
> set loginterface $ext_if
> set fingerprints "/etc/pf.os"
> 
> # scrub
> scrub in all
> 
> # nat/rdr
> #nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
> 
> # rdr on $ext_if proto tcp from any to any port 80 -> $comp3
> 
> # filter rules
> block log all
> 
> pass quick on lo0 all
> pass quick on $int_if all
> 
> # anti spoofing protection for internal interface
> antispoof quick for $int_if inet
> antispoof quick for $ext_if inet
> antispoof quick for lo0
> 
> pass in  on $ext_if inet proto tcp from any to { $int_if, ($ext_if) }
> port $tcp_services_in flags S/SA keep state
> 
> pass in  on $ext_if inet proto tcp from port 20 to ($ext_if) user
> proxy flags S/SA keep state
> 
> pass in  on $gif_if all
> pass out on $gif_if all
> 
> pass in  on $int_if from $soh to any keep state label "$srcaddr:: "
> pass out on $ext_if from any to any keep state label "total::  "
> 
> once I've got the counting working as I want it to (because I'll do a
> pfctl -sl and have the output mailed to me daily and reset the
> counter), I'll start bringing the $tcp_services_out into play to
> restrict access a bit more.
> 
> 
> Thanks,
> Stephen

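A small model of the pf rule-evaluation behaviour discussed in this thread (last matching rule wins, except that a matching "quick" rule ends evaluation), added here as an example; it is not code from the thread or from pf itself. It is stateless (no keep state), uses constructed 10.0.88.x addresses in place of the x.x.x.N hosts, and writes the default-deny rule with pf's "block" keyword.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    iface: Optional[str] = None      # None = any interface
    direction: Optional[str] = None  # "in", "out" or None = both
    src: Optional[str] = None        # one host/network, None = any
    quick: bool = False
    label: Optional[str] = None
def expand(action, iface, direction, srcs, label):
    """pfctl turns a { list } of sources into one rule per address and
    replaces $srcaddr in the label with that rule's source address."""
    return [Rule(action, iface, direction, s, False, label.replace("$srcaddr", s))
            for s in srcs]
def matches(rule, pkt):
    """Stateless match on interface, direction and source address."""
    return ((rule.iface is None or rule.iface == pkt["iface"])
            and (rule.direction is None or rule.direction == pkt["dir"])
            and (rule.src is None
                 or ip_address(pkt["src"]) in ip_network(rule.src, strict=False)))
def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule
    carries 'quick', which stops evaluation at that rule."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner
def account(rules, packets):
    """Sum bytes per label of the winning pass rule, like 'pfctl -sl'."""
    counters = {}
    for pkt in packets:
        r = evaluate(rules, pkt)
        if r is not None and r.action == "pass" and r.label:
            counters[r.label] = counters.get(r.label, 0) + pkt["bytes"]
    return counters

SOH = ["10.0.88.21", "10.0.88.22"]          # constructed stand-ins for $soh
ACCOUNTING = expand("pass", "rl0", "in", SOH, "$srcaddr:: ")
# Thread's ordering: 'pass quick on $int_if all' shadows the labelled rules.
BROKEN = [Rule("block"), Rule("pass", "rl0", quick=True)] + ACCOUNTING
# Suggested fix: default block on $int_if, then the labelled pass rules win.
FIXED = [Rule("block"), Rule("block", "rl0")] + ACCOUNTING
PACKETS = [{"iface": "rl0", "dir": "in", "src": "10.0.88.22", "bytes": 1500},  # constructed
           {"iface": "rl0", "dir": "in", "src": "10.0.88.21", "bytes": 600},
           {"iface": "rl0", "dir": "in", "src": "10.0.88.22", "bytes": 40}]
```

With BROKEN the quick rule wins for every packet on rl0 and no label is ever credited; with FIXED the per-host labels accumulate and a source outside $soh is blocked.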