OpenBSD's pf and traffic
Eugene M. Minkovskii
emin at mccme.ru
Mon Mar 21 01:43:18 PST 2005
On Mon, Mar 21, 2005 at 08:54:35AM +0100, Peter N. M. Hansteen wrote:
" "Eugene M. Minkovskii" <emin at mccme.ru> writes:
"
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate
" >
" > As you can see, ssh packets match all rules and pass in because the
" > last rule wins. Does it mean that I can't see ssh's packets using the
" > command
" > # pfctl -sl
"
" here you label the blocked packets but not the ones you pass, which
" means your ssh packets would count toward the packets passed counter only.
"
" > And if I use
" >
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip
" >
" > ... I see the label twice?
"
" No. But both rules would increment the $ext_ip counter, which means that
" your $ext_ip counter would be essentially packet totals. Last matching
" rule wins (with state instead of sate it would work), so each packet
" increments the relevant counters only once.
I was trying some experiments... It seems to me you are right in
all except one: the second line doesn't increase the $ext_ip counter,
but... adds another counter with the same name:
# pfctl -sr | grep label
block in log on $ext_if inet from any to $ext_if label $ext_if
block in log quick on $ext_if inet from <crackers> to $ext_if label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if
# pfctl -vsl
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0
But, of course, this output is "scriptable". (I can sum these
numbers in Python or bc.)
" > Perhaps you know where I can find workable example of this?
"
" Randal Schwartz has a nice article called "Monitoring Net Traffic with
" OpenBSD's Packet Filter" at http://www.samag.com/documents/s=9053/sam0403j/0403j.htm
"
Thanks
--
Sensory yours, Eugene Minkovskii
Сенсорно ваш, Евгений Миньковский
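The summing Eugene mentions, as an added example that is not part of the thread: a small Python script that parses `pfctl -vsl` output in the four-column form shown above (label, evaluations, packets, bytes) and totals the three counters per label, so rules that share a label collapse into one row. The sample input is constructed from the six lines posted above plus an invented `dmz` label; the column layout is assumed from the thread, and the script reads only the first four columns, so the extra in/out columns printed by later pfctl releases are ignored rather than misparsed.

```python
"""Sum pf label counters from `pfctl -vsl` output.

Added example, not code from the mailing-list thread. It assumes the
four-column `pfctl -vsl` format visible in the thread:
"label evaluations packets bytes", one line per rule, with the same
label repeated once for every rule that carries it.
"""
from collections import OrderedDict

# Constructed sample: the six lines posted in the thread, plus an invented
# second label so the aggregation has something to keep apart.
SAMPLE_OUTPUT = """\
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0
dmz 12 3 180
"""


def parse_labels(text):
    """Yield (label, evaluations, packets, bytes) per line.

    Lines with fewer than four fields or non-numeric counters are skipped
    rather than raising, so a stray header or blank line cannot abort a
    cron job that feeds this into a traffic log.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            evals, pkts, byts = (int(x) for x in parts[1:4])
        except ValueError:
            continue
        yield parts[0], evals, pkts, byts


def sum_by_label(text):
    """Return {label: (evaluations, packets, bytes)} with per-rule rows summed.

    Evaluations count packets checked against the rule, not packets it
    passed or blocked; only the packet and byte columns describe traffic
    that actually matched.
    """
    totals = OrderedDict()
    for label, evals, pkts, byts in parse_labels(text):
        e, p, b = totals.get(label, (0, 0, 0))
        totals[label] = (e + evals, p + pkts, b + byts)
    return totals


if __name__ == "__main__":
    import sys
    # Pipe real output in (`pfctl -vsl | python3 sumlabels.py`); with no
    # stdin the constructed sample is used so the script runs offline.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for label, (e, p, b) in sum_by_label(text).items():
        print(f"{label:<16} {e:>10} {p:>10} {b:>12}")
```

Run against the six lines from the thread, the script folds them into a single `rl0` row of 100730 evaluations, 811 packets and 85367 bytes, which is the figure the separate rows hide. Labels are compared as exact strings, so `$ext_if` expanded to `rl0` on one rule and written literally on another would remain two rows, which is worth checking with `pfctl -sr | grep label` before trusting the totals.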