From owner-freebsd-net Tue Mar 4 17:34:43 2003
Subject: Re: counting firewall traffic on a second machine
From: "."@babolo.ru
To: Josh Brooks
Cc: freebsd-net@freebsd.org
Date: Wed, 5 Mar 2003 04:36:49 +0300 (MSK)
In-Reply-To: <20030304021141.C49939-100000@mail.econolodgetulsa.com>
Message-Id: <1046828210.004291.1187.nullmailer@cicuta.babolo.ru>

> I used to have a firewall with ipfw count rules in place for every IP I
> had. This worked fine, but it gave me a 2000+ ruleset that would cause
> CPU to skyrocket under even the lightest of DoS attacks.
>
> So, I have plugged in another system on the DMZ and plan to count from
> there.
>
> In the most basic sense, I am thinking of sniffing traffic on this second
> machine and counting via that mechanism.
>
> Is this a common setup - counting traffic on a second machine that the
> traffic does not even flow through? If so, are ipfw count rules used on
> the counting machine, or is there a better tool for counting per-IP
> traffic on a secondary system like this?
>
> Any suggestions are appreciated. I will be using MRTG to show the stats,
> but again, the actual gathering / counting method I will use I am not sure
> of ... was planning on using ipfw count rules, but thought I would ask.
>
> And I am not sure of how to sniff traffic and pass it to ipfw to count ..
> so perhaps ipfw is not involved at all...

Use of specialised accounting tools is better.
I use ports/net/argus with some postprocessing, but it is not the simplest way.
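As an added illustration of the sniff-and-count approach the original poster describes (this is example code, not from the thread, ipfw or argus), the script below parses raw IPv4 packets as a passive sniffer would receive them, keeps per-IP in/out byte counters for a hypothetical DMZ prefix, and formats the four lines an MRTG external script prints. The packets and the 192.0.2.0/24 prefix are constructed sample data.

```python
"""Per-IP traffic accounting from sniffed IPv4 packets (added example)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# Hypothetical DMZ prefix: every address in it gets its own in/out counters.
LOCAL_NET = IPv4Network("192.0.2.0/24")

def parse_ipv4(pkt: bytes):
    """Return (src, dst, total_length) from a raw IPv4 packet (link header
    already stripped), or None if the packet is too short or not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]), total_len

def account(packets):
    """Accumulate bytes in/out per local IP; returns {ip: {"in": n, "out": n}}.
    A packet between two local hosts is charged to both sides."""
    counters = defaultdict(lambda: {"in": 0, "out": 0})
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue  # non-IPv4 frames (ARP, IPv6, runts) are not counted
        src, dst, n = parsed
        if src in LOCAL_NET:
            counters[str(src)]["out"] += n
        if dst in LOCAL_NET:
            counters[str(dst)]["in"] += n
    return dict(counters)

def mrtg_lines(counters, ip):
    """The four lines MRTG expects from an external script: in, out, uptime, name."""
    c = counters.get(ip, {"in": 0, "out": 0})
    return [str(c["in"]), str(c["out"]), "0", ip]

def make_ipv4(src, dst, payload_len):
    """Build a minimal IPv4 header plus a zero payload (constructed sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + bytes(payload_len)

# Constructed sample capture: two local hosts talking to outside addresses,
# plus one IPv6-looking frame that must be skipped.
SAMPLE = [make_ipv4("192.0.2.10", "198.51.100.1", 100),
          make_ipv4("198.51.100.1", "192.0.2.10", 500),
          make_ipv4("192.0.2.11", "198.51.100.2", 40),
          b"\x60" + bytes(39)]

if __name__ == "__main__":
    totals = account(SAMPLE)
    print(totals)
    print("\n".join(mrtg_lines(totals, "192.0.2.10")))
```

On the real counting host the `SAMPLE` list would be replaced by frames read from a promiscuous bpf(4) or libpcap handle with the Ethernet header removed; counters would then be snapshotted on each MRTG poll.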