OpenBSD's pf and traffic

Eugene M. Minkovskii emin at mccme.ru
Mon Mar 21 01:43:18 PST 2005


On Mon, Mar 21, 2005 at 08:54:35AM +0100, Peter N. M. Hansteen wrote:
" "Eugene M. Minkovskii" <emin at mccme.ru> writes:
" 
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass  in     on $ext_ip inet from any to $ext_ip port 22 keep sate
" >
" > As you can see, ssh packets match to all rule and pass in because
" > last rule win. Does it mean, that I can't see ssh's packet using
" > command
" > # pfctl -sl
" 
" here you label the blocked packets but not the ones you pass, which
" means your ssh packets would count toward the packets passed counter only.
" 
" > And if I use
" >
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass  in     on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip
" >
" > ... I see label twice ?
" 
" No. But both rules would increment the $ext_ip counter, which means that
" your $ext_ip counter would be essentially packet totals. Last matching
" rule wins (with state instead of sate it would work), so each packet
" increments the relevant counters only once.

I was trying some experiments... It seems to me you are right in
all except one: the second line doesn't increase the $ext_ip counter,
but... adds another counter with the same name:

# pfctl -sr | grep label
block in log on $ext_if inet from any to $ext_if label $ext_if
block in log quick on $ext_if inet from <crackers> to $ext_if label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if


# pfctl -vsl
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0


But, of course, this output is "scriptable". (I can sum these
numbers in Python or bc)


" > Perhaps you know where I can find workable example of this?
" 
" Randal Schwartz has a nice article called "Monitoring Net Traffic with
" OpenBSD's Packet Filter" at http://www.samag.com/documents/s=9053/sam0403j/0403j.htm
" 

Thanks


-- 
Sensory  yours, Eugene  Minkovskii
Сенсорно ваш,   Евгений Миньковский
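Since the thread ends with the observation that the `pfctl -sl` output is scriptable, here is a worked example of doing exactly that: a small Python script that parses one line of label output per rule and sums the counters of every rule that shares a label, so the six `rl0` lines above collapse into one total. This is an added example, not code from Eugene or Peter; the sample input is the `pfctl -vsl` output quoted in the message (label, evaluations, packets, bytes), and the parser assumes only that each line is a label followed by one or more unsigned numeric columns, which also covers newer pfctl versions that print extra columns after bytes.

```python
"""Aggregate pfctl label counters by label name.

pf prints one line per rule for `pfctl -sl`; when several rules carry the
same label (as all rules in the thread do with `label $ext_if`), the
counters must be summed in a script to get a per-label total.
"""
import subprocess

# Constructed sample: the six lines shown in the thread for `pfctl -vsl`
# (label, evaluations, packets, bytes), all labelled with the interface name.
SAMPLE_OUTPUT = """\
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0
"""


def parse_labels(text):
    """Yield (label, [counter, ...]) for each non-empty line of pfctl -sl output.

    Counters are taken from the right-hand side of the line for as long as the
    fields are unsigned integers; everything left of them is the label, so a
    label containing spaces still parses. A label that is itself purely numeric
    would be swallowed as a counter; avoid such labels in pf.conf.
    """
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        counters = []
        while fields and fields[-1].isdigit():
            counters.insert(0, int(fields.pop()))
        if not fields or not counters:
            continue  # nothing recognisable as "label counters..."
        yield " ".join(fields), counters


def sum_by_label(text):
    """Return {label: [summed counters...]} over all rules sharing a label."""
    totals = {}
    for label, counters in parse_labels(text):
        acc = totals.setdefault(label, [0] * len(counters))
        for i, value in enumerate(counters):
            if i < len(acc):
                acc[i] += value
            else:  # tolerate lines with more columns than seen before
                acc.append(value)
    return totals


def read_pfctl_labels():
    """Run the real `pfctl -sl` (needs root on the firewall) and aggregate it."""
    out = subprocess.run(["pfctl", "-sl"], capture_output=True,
                         text=True, check=True).stdout
    return sum_by_label(out)


if __name__ == "__main__":
    # Run against the sample from the thread; swap in read_pfctl_labels()
    # on a pf host to see live totals.
    for label, counters in sorted(sum_by_label(SAMPLE_OUTPUT).items()):
        print(label, *counters)
```

Note that summing by label hides which rule matched: the third line (the ssh pass rule) carries almost all the packets, while the two block rules with the same label contributed only 10. If the point of the label is to separate blocked from passed traffic on the interface, give the block and pass rules distinct labels (for example `label "$ext_if-block"` and `label "$ext_if-pass"`) rather than relying on the per-rule ordering of the output.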

