From owner-freebsd-pf@FreeBSD.ORG Sun Mar 20 20:38:11 2005
Date: Mon, 21 Mar 2005 00:08:10 +0330
From: Siavosh Benabbas
To: stephen
cc: freebsd-pf@freebsd.org
Subject: Re: traffic accounting
Message-ID: <32d8477c05032012381e95335c@mail.gmail.com>
References: <200503181403.02521.max@love2party.net>
List-Id: Technical discussion and general questions about packet filter (pf)

Hi,

If you haven't figured it out yet, every packet on the $int_if gets matched by

pass quick on $int_if all

As you have put the quick keyword, the rest of the ruleset is not seen and your

pass in on $int_if from $soh to any keep state label "$srcaddr:: "

rule is never matched. To solve the problem you should change the first rule to "pass on $int_if all". Note that your ruleset is not a default deny one; it is recommended to put a "drop on $int_if all" first and then selectively pass what you need.

Regards,
Siavosh Benabbas

On Fri, 18 Mar 2005 15:48:57 +0200, stephen wrote:
> On Fri, 18 Mar 2005 14:02:50 +0100, Max Laier wrote:
> > On Friday 18 March 2005 12:41, stephen wrote:
> > > Having a little difficulty regarding traffic counting.
> > >
> > > I have a macro ($soh) with about 30 IPs in it.. The first problem I
> > > was having was that:
> > > pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> > > was not passing traffic. (nat changing source address before reaching
> > > filtering rules)
> > >
> > > Someone then recommended having the following instead:
> > > pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> > > pass out on $ext_if from any to any keep state label "total:: "
> > >
> > > which is now letting traffic out with the pass out rule, but the pass
> > > in rule is not counting traffic... whenever doing "pfctl -sl" I can
> > > see the "total::" label rising as more bandwidth is used, but all the
> > > other labels for all the private IPs remain on zero.
> >
> > Generally speaking, I'd think that there is an error in your ruleset that
> > prevents this rule from being evaluated. Use $pfctl -vsr and check if the
> > rule(s) match at all. If you are dealing with 10+ IPs I'd also suggest to
> > look at tables. They are not only quicker (by an order of magnitude) but
> > also provide per IP counters for traffic that might just give you what you
> > want. See the FAQ for details on tables.
>
> that's exactly what I'm after, the reason I used a macro was when I
> did # pfctl -sl I was just getting 0 0 0, the table wasn't
> expanding (changed from ipf to pf recently, so I'm a lil new to
> things such as tables)
>
> > > I did get a step closer earlier this morning... Managed to count
> > > traffic from the source addresses 100%, but I couldn't account for the
> > > web traffic (which is 80% of the traffic) as I have a rdr rule that
> > > redirects all traffic for port 80 via localhost port 3128 to
> > > proxy/cache webpages.
> >
> > In any case the traffic must come in from the local side first (as I think
> > that you are only dealing with connections initiated from the clients you are
> > accounting for). This traffic can always be filtered and accounted for.
>
> yes, but because of the two rules
> > > pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> > > pass out on $ext_if from any to any keep state label "total:: "
> and the last match win story.. I think it bypasses the first rule and
> traffic goes out on the second
>
> > > Could someone possibly help rectify this?
> > > (they are also the last rules in the ruleset so the "last match wins"
> > > is correct)
> >
> > "quick" might mess you up? Please post your *complete* ruleset when you want
> > help debugging it. It's only fishing in the dark if you don't give details.
> > Obfuscate your static IP if you think you have to, but post the complete
> > thing or people are not able to help.
>
> yeah that's what I thought, quick is going to stop traffic going out
> same as when I was doing:
> pass out on $ext_if from $soh to any keep state label "$srcaddr:: "
> it wasn't passing traffic at all. I suspect because of the nat rule
> (and seeing as nat is done before filtering) it was converting the
> private IPs into the live IP and wouldn't let it go out.
>
> here's the ruleset:
>
> # macros
> int_if = "rl0"
> ext_if = "tun0"
> gif_if = "gif3"
>
> tcp_services_in = "{ 21, 25, 110, 2222, 113 }"
> tcp_services_out = "{ 21, 22, 25, 53, 80, 110, 6667 }"
> udp_services_in = "{ 53 }"
> udp_services_out = "{ 53 }"
> icmp_types = "echoreq"
>
> p2p_ports = " { 6346 }"
> p2p_clients = "{ $studio, $stephen }"
> studio = "{ x.x.x.5 , x.x.x.11 , x.x.x.12 }"
> stephen = "x.x.x.23"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> #table persist file "/etc/soh_hosts"
>
> soh ="{ x.x.x.1 , x.x.x.2 , x.x.x.3 , x.x.x.4 , x.x.x.5 , x.x.x.6 ,
> x.x.x.7 , x.x.x.8 , x.x.x.9 , x.x.x.10 , x.x.x.11 , x.x.x.12 ,
> x.x.x.13 , x.x.x.14 , x.x.x.15 , x.x.x.16 , x.x.x.17 , x.x.x.18 ,
> x.x.x.19 , x.x.x.20 , x.x.x.21 , 10.0.88.22 , x.x.x.23 , x.x.x.24 ,
> x.x.x.25 , x.x.x.26 , x.x.x.27 , x.x.x.28 , x.x.x.29 , x.x.x.30 }"
>
> # comp3 = "x.x.x.x"
>
> # options
> set block-policy return
> set loginterface $ext_if
> set fingerprints "/etc/pf.os"
>
> # scrub
> scrub in all
>
> # nat/rdr
> #nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
>
> # rdr on $ext_if proto tcp from any to any port 80 -> $comp3
>
> # filter rules
> block log all
>
> pass quick on lo0 all
> pass quick on $int_if all
>
> # anti spoofing protection for internal interface
> antispoof quick for $int_if inet
> antispoof quick for $ext_if inet
> antispoof quick for lo0
>
> pass in on $ext_if inet proto tcp from any to { $int_if, ($ext_if) }
> port $tcp_services_in flags S/SA keep state
>
> pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user
> proxy flags S/SA keep state
>
> pass in on $gif_if all
> pass out on $gif_if all
>
> pass in on $int_if from $soh to any keep state label "$srcaddr:: "
> pass out on $ext_if from any to any keep state label "total:: "
>
> once I've got the counting working as I want it to (cause I'll do a
> pfctl -sl and have the output mailed to me daily and reset the
> counter), I'll start bringing the $tcp_services_out into play to
> restrict access a bit more.
>
>
> Thanks,
> Stephen
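The evaluation order the thread turns on (rules walked top to bottom, last match wins, a matching "quick" rule ends the walk, and a "$srcaddr" label expanding to one counter per address) applied to stephen's posted filter rules, as an added example that is not part of the thread. It is a small Python model of pf's behaviour, not pf itself; the two $soh addresses and the three packets are constructed, and the "fixed" ruleset is Siavosh's suggested change.

```python
# Rules are walked top to bottom; the LAST matching rule wins, except that a matching
# "quick" rule ends the walk at once. Labels collect bytes the way pfctl -sl shows them.
from collections import Counter

INT_IF, EXT_IF = "rl0", "tun0"
SOH = ("10.0.88.21", "10.0.88.22")   # constructed stand-in for the thread's $soh macro

def R(action, direction=None, iface=None, src=None, quick=False, label=None):
    # None means "any" for direction, interface and source
    return dict(action=action, dir=direction, iface=iface, src=src,
                quick=quick, label=label)

def expand(rules):
    """Mimic pfctl at load time: a rule with a source list becomes one rule per
    address and $srcaddr in its label is replaced (hence one pfctl -sl line per IP)."""
    out = []
    for r in rules:
        for a in (r["src"] or [None]):
            lab = r["label"].replace("$srcaddr", a) if r["label"] and a else r["label"]
            out.append({**r, "src": a, "label": lab})
    return out

def evaluate(rules, packets):
    """Return (verdict per packet, bytes counted per label)."""
    counters, verdicts = Counter(), []
    for pkt in packets:
        winner = None
        for r in expand(rules):
            if (r["dir"] in (None, pkt["dir"]) and r["iface"] in (None, pkt["if"])
                    and r["src"] in (None, pkt["src"])):
                winner = r
                if r["quick"]:      # quick: later rules are never evaluated
                    break
        verdicts.append(winner["action"] if winner else "pass")
        if winner and winner["label"]:
            counters[winner["label"]] += pkt["len"]
    return verdicts, dict(counters)

def ruleset(int_if_rule):  # filter section of the posted ruleset, rl0 rule pluggable
    return [R("block"), R("pass", iface="lo0", quick=True), int_if_rule,
            R("pass", "in", INT_IF, SOH, label="$srcaddr:: "),
            R("pass", "out", EXT_IF, label="total:: ")]

BROKEN = ruleset(R("pass", iface=INT_IF, quick=True))   # as posted
FIXED = ruleset(R("pass", iface=INT_IF))                # Siavosh's suggested change
PACKETS = [  # constructed: two client packets entering on rl0, one leaving on tun0
    {"dir": "in", "if": INT_IF, "src": "10.0.88.22", "len": 1500},
    {"dir": "in", "if": INT_IF, "src": "10.0.88.21", "len": 60},
    {"dir": "out", "if": EXT_IF, "src": "203.0.113.9", "len": 1560},
]
```

With the posted ruleset only "total:: " ever grows, exactly the symptom stephen reports; once the rl0 rule loses "quick", the labelled per-address rule becomes the last match for inbound client traffic and its counters fill.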