From owner-freebsd-questions@FreeBSD.ORG Thu Dec 6 18:08:02 2007
Date: Thu, 6 Dec 2007 09:54:07 -0800 (PST)
From: shinny knight
To: freebsd-questions@freebsd.org
Message-ID: <344091.46867.qm@web44801.mail.sp1.yahoo.com>
Subject: ng_netflow on PF + CARP firewall question
Hello all,

I'm trying to use the ng_netflow module along with a PF+CARP implementation on FreeBSD 6.2. I understand from different posts that the ng_netflow module performs quite well and does not add so much CPU load, since packets are processed in the kernel. However, the ng_netflow documentation is very confusing for beginners and I'm having a hard time figuring it out.

As mentioned before, I have a PF+CARP implementation along with the /usr/ports/net/ifstated port. This part is tested and is working fine. (If anybody wants advice here, feel free to ask :) )

I'm wondering if it's a good idea to add ng_netflow on top of it, or whether I should use an additional system with a TAP interface and just mirror incoming/outgoing traffic from the switch.

This is what I want to try for ng_netflow:

cat /boot/loader.conf
ng_ether_load="YES"
ng_ksocket_load="YES"
ng_tee_load="YES"
ng_socket_load="YES"
ng_netflow_load="YES"

cat /etc/rc.conf | grep ng
ng_netflow_enable="YES"

cat /usr/local/etc/rc.d/ng_netflow
#!/bin/sh
#
# PROVIDE: ng_netflow
# REQUIRE: DAEMON

. /etc/rc.subr

name="ng_netflow"
rcvar=`set_rcvar`

ng_netflow_start()
{
	echo "Starting ${name}."
	# For each physical interface: insert a tee node between the ether
	# node's lower (wire side) and upper (stack side) hooks, hang a
	# netflow node off the tee's left2right (inbound) and right2left
	# (outbound) copies, give each netflow hook its SNMP ifIndex, and
	# export the flows over UDP through a ksocket node.
	/usr/sbin/ngctl -f- <<-SEQ
		mkpeer bge2: tee lower right
		connect bge2: bge2:lower upper left
		name bge2:lower bge2_tee
		mkpeer bge2_tee: netflow left2right iface0
		name bge2:lower.left2right netflow
		connect bge2_tee: netflow: right2left iface1
		msg netflow: setifindex { iface=0 index=2 }
		msg netflow: setifindex { iface=1 index=1 }
		mkpeer netflow: ksocket export inet/dgram/udp
		msg netflow:export connect inet/127.0.0.1:8818
		mkpeer bge1: tee lower right
		connect bge1: bge1:lower upper left
		name bge1:lower bge1_tee
		mkpeer bge1_tee: netflow left2right iface2
		name bge1:lower.left2right netflow0
		msg netflow0: setifindex { iface=2 index=4 }
		connect bge1_tee: netflow0: right2left iface3
		msg netflow0: setifindex { iface=3 index=3 }
		mkpeer netflow0: ksocket export inet/dgram/udp
		msg netflow0:export connect inet/127.0.0.1:8818
	SEQ
}

ng_netflow_stop()
{
	echo "Stopping ${name}."
	# Tear down both netflow nodes and both tee nodes; shutting down only
	# "netflow:" would leave netflow0 and the tees sitting in the data path.
	/usr/sbin/ngctl -f- <<-SEQ
		shutdown netflow:
		shutdown netflow0:
		shutdown bge2_tee:
		shutdown bge1_tee:
	SEQ
}

start_cmd="ng_netflow_start"
stop_cmd="ng_netflow_stop"

load_rc_config $name
: ${ng_netflow_enable="NO"}
run_rc_command "$1"

As can be seen from the above script, I'm planning to send packets to localhost port 8818 first. Is the above configuration correct? Will it affect the PF+CARP implementation in any way, given that I'm not using CARP interfaces with ng_netflow but physical ones like bge1 and bge2? (I want to mention here that I'm not planning to use ng_netflow on the pfsync interface.)

Should I stick with solutions from ports like softflowd & similar? What could be the difference in CPU/memory requirements for 100Mbps of traffic between ng_netflow and softflowd?

Thanks in advance for any help.

Senior Network/Security Administrator
Catalin Miclaus
Starcomms Ltd.
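An added example, not part of the post or of ng_netflow itself: a small decoder for the NetFlow v5 datagrams that the script's ksocket nodes export to inet/127.0.0.1:8818, plus a check that every flow's input ifIndex is one of the values assigned with setifindex (1 to 4 above). The sample datagram is constructed for the test, not captured traffic; the field layout is the standard NetFlow v5 header (24 bytes) and record (48 bytes).

```python
"""NetFlow v5 decoder for datagrams exported by ng_netflow (added example)."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

# ifIndex values the posted rc script assigns with "msg netflow: setifindex";
# ng_netflow copies the index of the hook a packet arrived on into "input".
CONFIGURED_IFINDEX = frozenset({1, 2, 3, 4})

def parse_v5(datagram):
    """Decode one v5 datagram into (header, records); raise ValueError if malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _et, _eid, _smp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("unexpected NetFlow version %d" % version)
    # v5 carries at most 30 records and the length must match exactly (truncation check)
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "input": f[3], "output": f[4], "packets": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13]})
    return {"sequence": seq, "count": count, "uptime_ms": uptime, "unix_secs": secs}, records

def unexpected_inputs(records, configured=CONFIGURED_IFINDEX):
    """Flows whose input ifIndex was never set with setifindex: a hook/index mismatch."""
    return [r for r in records if r["input"] not in configured]

def _rec(src, dst, inp, out, pkts, octets, sport, dport, flags):
    # One constructed TCP flow record (nexthop 0.0.0.0, /24 masks, no AS numbers).
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4, inp, out,
                          pkts, octets, 590000, 599000, sport, dport, 0, flags, 6, 0, 0, 0, 24, 24, 0)

def build_sample_datagram():
    """Constructed datagram (not captured): two flows, the second with a bogus input index 9."""
    hdr = V5_HEADER.pack(5, 2, 600000, 1196963647, 0, 42, 0, 0, 0)
    return (hdr + _rec("192.0.2.10", "198.51.100.5", 2, 4, 10, 1500, 34567, 443, 0x18)
                + _rec("198.51.100.5", "192.0.2.10", 9, 2, 3, 300, 443, 34567, 0x10))

if __name__ == "__main__":
    # Collect on the address the script's ksocket nodes export to (inet/127.0.0.1:8818).
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 8818))
    while True:
        header, flows = parse_v5(sock.recv(65535))
        for flow in flows: print(header["sequence"], flow)
```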