Date:      Mon, 17 Jan 2005 17:06:46 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        Andrew Seguin <asegu@borgtech.ca>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Network accounting
Message-ID:  <41EC36F6.7030404@mac.com>
In-Reply-To: <20050117214549.4C5DC54A5@borgtech.ca>
References:  <20050117214549.4C5DC54A5@borgtech.ca>

Andrew Seguin wrote:
[ ... ]
> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?
> 
> I already have counts of my up & down traffic. Actually, I have a bypass
> rule for 'normal' traffic (web/email/dns/icmp/etc), and then a pipe to
> control bandwidth (mainly because of downloaders). With some scripting, the
> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).

Consider these rules:

   ipfw pipe 1 config mask src-ip 0xffffffff buckets 512
   ipfw pipe 2 config mask src-ip 0xffffffff buckets 512
   ipfw pipe 3 config mask src-ip 0xffffffff buckets 512
   ipfw add 10 pipe 1 tcp from 192.168.1.0/24 to any
   ipfw add 20 pipe 2 udp from 192.168.1.0/24 to any
   ipfw add 30 pipe 3 icmp from 192.168.1.0/24 to any

If you do an "ipfw pipe show", you'll see output like:

00001: unlimited    0 ms   50 sl. 3 queues (512 buckets) droptail
     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0             0.0.0.0/0        5      558  0    0   0
172 ip       192.168.1.2/0             0.0.0.0/0      461    30425  0    0   0
174 ip       192.168.1.3/0             0.0.0.0/0      679    38468  0    0   0
00002: unlimited    0 ms   50 sl. 3 queues (512 buckets) droptail
     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0             0.0.0.0/0        7      432  0    0   0
170 ip       192.168.1.1/0             0.0.0.0/0       56     7986  0    0   0
172 ip       192.168.1.2/0             0.0.0.0/0       77     5172  0    0   0
00003: unlimited    0 ms   50 sl. 3 queues (512 buckets) droptail
     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0             0.0.0.0/0        5      420  0    0   0
170 ip       192.168.1.1/0             0.0.0.0/0        2      168  0    0   0
172 ip       192.168.1.2/0             0.0.0.0/0       26     1988  0    0   0

...after I did a few pings and a non-local traceroute.  In other words, you 
don't need to create rules for each host, but you would for each protocol.  If 
you need to break things up more finely, you can also add port #'s to look for 
HTTP versus IRC versus whatever, too.

-- 
-Chuck