From: Louis LeBlanc <FreeBSD@keyslapper.org>
To: freebsd-questions@freebsd.org
Date: Fri, 17 Dec 2004 13:29:09 -0500
Subject: Re: "ipfw count" equivalent for pf
Message-ID: <20041217182908.GA50057@keyslapper.org>
User-Agent: Mutt/1.5.6i

On 12/16/04 11:57 AM, patrick sat at the `puter and typed:
> Hi there,
>
> Now that FreeBSD 5.x has pf from OpenBSD, I'm wondering if some of the
> pf experts can help me with porting a simple ipfw configuration from
> FreeBSD 4.x to pf in FreeBSD 5.x.
>
> On our 4.x servers, we have several rules like:
>
> ipfw add count ip from any to x.x.x.x
> ipfw add count ip from x.x.x.x to any
>
> ... to keep track of how much traffic is going through a particular IP
> address. Every night, I capture the data and zero the counters.
>
> Using pf, I'm having a difficult time working out how to establish a
> similar ruleset so that I can gather the same sort of data. Someone on
> the openbsd-misc list told me to "add labels to those rules you want to
> account traffic on and use `pfctl -sl` to read their counters." The
> problem is that I'm not sure how to describe the rules using pf. I
> suppose the rules should just pass all traffic to and from my external
> interface, but from all the pf documentation I've read, I can't find
> an example that seems to do this for me.
>
> Can any experts lend a hand here? It seems like this should be
> dead-easy to do, but like many things from the OpenBSD world, it does
> not seem so straightforward to me.

Well, if a novice (more like a beginner) will do, here's something I've
found very useful:

http://www.openbsd.org/faq/pf/index.html

And to answer your specific question, from
http://www.openbsd.org/faq/pf/config.html I've used some of these:

--------
Control

After boot, PF operation can be managed using the pfctl(8) program. Some
example commands are:

# pfctl -f  /etc/pf.conf   loads the pf.conf file
# pfctl -nf /etc/pf.conf   parse the file, but don't load it
# pfctl -Nf /etc/pf.conf   load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf   load only the filter rules from the file
# pfctl -sn                show the current NAT rules
# pfctl -sr                show the current filter rules
# pfctl -ss                show the current state table
# pfctl -si                show filter stats and counters
# pfctl -sa                show EVERYTHING it can show

For a complete list of commands, please see the pfctl(8) man page.
--------

HTH. It certainly seems like changing NAT and firewall rules on the fly is
easier with pf. As I read and played with it, it seems to be much easier,
particularly when using tables and lists. I still have some tweaking to do
in my own pf.conf, but it's definitely cool.
Lou
--
Louis LeBlanc                                   FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Oliver's Law:
  Experience is something you don't get until just after you need it.
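Neither the question nor the reply above shows the labelled pf rules or the
nightly collection step, so here is an added worked example (editor's code,
not from Lou, patrick, or the OpenBSD FAQ). It assumes an external interface
em0 and an accounted host 192.0.2.10 as stand-ins for the x.x.x.x in the
question, and it assumes the first four columns of `pfctl -sl` output are
"label evaluations packets bytes" (later pf versions append in/out and state
columns, which the script ignores). The sample counter lines are constructed,
not captured. One caveat a practitioner should know: the pf that shipped with
FreeBSD 5.x predates the `match` action, so there is no pure "count" rule the
way ipfw has one; packet and byte counters are charged to the filter rule that
finally decides the packet, which means the labelled `pass` rules must be the
ones that actually win for that host (last matching rule, or `quick`). They
therefore replace, rather than sit beside, the pass rules you would already
have for that address.

```shell
#!/bin/sh
# Added example, not from the original thread: pf rule labels as the
# equivalent of "ipfw add count", plus a nightly snapshot-and-zero job.
# Assumptions (mine): interface em0 and host 192.0.2.10 are placeholders;
# "pfctl -sl" prints at least "label evaluations packets bytes" per rule.

# Write the pf.conf fragment to the file named in $1.
# The two labelled pass rules mirror the two ipfw count rules (one per
# direction). Because counters are charged only to the rule that wins,
# these must be the rules that actually decide the host's traffic: put
# them after the rest of your policy so they are the last match for it.
write_pf_conf() {
    cat > "$1" <<'EOF'
ext_if = "em0"            # assumption: your external interface
acct_host = "192.0.2.10"  # assumption: the address to account for

# ... your normal filter policy goes here ...

# Accounting rules: one label per direction, like the two ipfw count rules.
pass in  on $ext_if from any to $acct_host keep state label "acct_in"
pass out on $ext_if from $acct_host to any keep state label "acct_out"
EOF
}

# Read "pfctl -sl" output on stdin and print "label packets bytes",
# summing rules that share a label (the same label may appear more than
# once, e.g. after a reload or when several rules use one label).
sum_label_bytes() {
    awk '{ pkts[$1] += $3; bytes[$1] += $4 }
         END { for (l in bytes) printf "%s %d %d\n", l, pkts[l], bytes[l] }' |
        sort
}

# Nightly job: snapshot the per-label totals into a dated file, then zero
# the per-rule statistics with "pfctl -z" (the pf counterpart of
# "ipfw zero"). Needs root and a live pf, so the test does not call it.
snapshot_and_zero() {
    dir=${1:-/var/log/pfacct}
    mkdir -p "$dir"
    pfctl -sl | sum_label_bytes > "$dir/$(date +%Y%m%d).log" && pfctl -z
}

# Constructed sample of "pfctl -sl" output (fabricated numbers, not
# captured from any host). The label acct_in appears twice on purpose,
# to show that sum_label_bytes folds duplicates together.
SAMPLE_PFCTL_SL='acct_in 1200 900 1234567
acct_out 1100 850 7654321
acct_in 20 10 1000'

# Total bytes counted for the label given in $1, taken from the sample.
label_bytes() {
    printf '%s\n' "$SAMPLE_PFCTL_SL" | sum_label_bytes |
        awk -v l="$1" '$1 == l { print $3 }'
}

# Demo on the constructed sample: prints one line per label.
printf '%s\n' "$SAMPLE_PFCTL_SL" | sum_label_bytes
```

Run `write_pf_conf /tmp/pf.conf.acct` to see the rule fragment, check it with
`pfctl -nf /tmp/pf.conf.acct` before merging it into /etc/pf.conf, and put
`snapshot_and_zero` in root's crontab for the nightly capture. pf.conf(5) also
documents `$srcaddr` and `$dstaddr` expansion inside labels, which lets one
rule template produce a distinct label per accounted address.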