Date: Thu, 26 Jul 2001 17:21:01 +0400
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To: security@FreeBSD.ORG
Subject: accounting with ipfw (gid, uid rules)
Message-ID: <7167463367.20010726172101@internethelp.ru>
Hi, all.

I am not sure if my question has something to do with security, but people on this list have some _huge_ amount of ipfw, natd and TCP/IP experience which they can share with me. :)

I have started accounting of IP traffic on my ISP2office gateway. I want to implement this via the 'ipfw add count' command, using its 'gid' and 'uid' parameters. I have put some counters:

rule 19 is quite simple

00019 count ip from any to any via rl0

it shows me how many packets were seen on interface rl0 (it is my external interface)

rule 1010 consists of some rules which should count all traffic generated by the router itself, sorted by uid

01010 count ip from any to 212.113.112.145 via rl0
01010 count ip from 212.113.112.145 to any via rl0
01010 count ip from any to 212.113.112.145 uid nobody via rl0
01010 count ip from any to 212.113.112.145 uid root via rl0
01010 count ip from any to 212.113.112.145 uid httpd via rl0
01010 count ip from any to 212.113.112.145 uid ftp via rl0
01010 count ip from 212.113.112.145 to any uid nobody via rl0
01010 count ip from 212.113.112.145 to any uid root via rl0
01010 count ip from 212.113.112.145 to any uid httpd via rl0
01010 count ip from 212.113.112.145 to any uid ftp via rl0

su-2.03# ipfw show 19 1010
<-------------------------start------------------------>
00019 3215329 1163463543 count ip from any to any via rl0
01010 1118838 920747034 count ip from any to 212.113.112.145 via rl0
01010 1224240 90608036 count ip from 212.113.112.145 to any via rl0
01010 2098 231284 count ip from any to 212.113.112.145 uid nobody via rl0
01010 913617 710773596 count ip from any to 212.113.112.145 uid root via rl0
01010 117 8768 count ip from any to 212.113.112.145 uid httpd via rl0
01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0
01010 7660 466991 count ip from 212.113.112.145 to any uid nobody via rl0
01010 963148 79260085 count ip from 212.113.112.145 to any uid root via rl0
01010 36 1566 count ip from 212.113.112.145 to any uid httpd via rl0
01010 0 0 count ip from 212.113.112.145 to any uid ftp via rl0
<-------------------------end-------------------------->

According to sockstat, the only users that currently have allocated sockets are nobody, httpd, ftp, root - Squid, Apache, ftpd, everything other (in the same order). "Everything other" is mostly sendmail, popper and natd.

Here are the questions:

Why is the whole traffic to and from the router 920747034 + 90608036 = 1011355070, but the sum of the traffic counters sorted by uid is 231284 + 710773596 + 8768 + 0 + 466991 + 79260085 + 1566 + 0 = 790742290? The difference is big: 1011355070 - 790742290 = 220612780 > 210 Mb. Where did I make an error, or who is lying to me here: ipfw or sockstat?

Did anybody use uid,gid sorting in ipfw? Is it reliable?

So many questions... Any help is very good.

NK

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
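An added example, not part of the message above: a shell function that parses `ipfw show` output in the column layout quoted in the message and reports, per direction, how many bytes the uid rules leave unattributed compared with the aggregate rule for the same direction. The sample lines are constructed from the figures in the message (rule number and router address are the message's own); the "in"/"out" labelling assumes that "from any to <router>" is inbound traffic.

```shell
#!/bin/sh
# Added example, not from the original message.
# Parse `ipfw show` lines of the form
#   <rule> <packets> <bytes> count ip from <src> to <dst> [uid <name>] via <if>
# and report how many bytes the per-uid rules leave unattributed.
# The counter values below are constructed from the figures in the message.

IPFW_SHOW_SAMPLE='01010 1118838 920747034 count ip from any to 212.113.112.145 via rl0
01010 1224240 90608036 count ip from 212.113.112.145 to any via rl0
01010 2098 231284 count ip from any to 212.113.112.145 uid nobody via rl0
01010 913617 710773596 count ip from any to 212.113.112.145 uid root via rl0
01010 117 8768 count ip from any to 212.113.112.145 uid httpd via rl0
01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0
01010 7660 466991 count ip from 212.113.112.145 to any uid nobody via rl0
01010 963148 79260085 count ip from 212.113.112.145 to any uid root via rl0
01010 36 1566 count ip from 212.113.112.145 to any uid httpd via rl0
01010 0 0 count ip from 212.113.112.145 to any uid ftp via rl0'

# Reads `ipfw show` lines on stdin. Prints one "uid <dir> <name> <bytes>" line
# per uid rule, then one summary line per direction and one for both combined:
#   <dir> <total_bytes> <attributed_bytes> <unattributed_bytes>
reconcile_uid_counters() {
    awk '
    $4 != "count" { next }                 # only accounting rules matter here
    {
        bytes = $3
        dir = ($7 == "any") ? "in" : "out" # "from any to <router>" is inbound
        uid = ""
        for (i = 5; i < NF; i++) if ($i == "uid") uid = $(i + 1)
        if (uid != "") {
            attributed[dir] += bytes
            printf "uid %s %s %d\n", dir, uid, bytes
        } else {
            total[dir] += bytes            # aggregate rule for this direction
        }
    }
    END {
        n = split("in out", dirs, " ")
        for (k = 1; k <= n; k++) {
            d = dirs[k]
            printf "%s %d %d %d\n", d, total[d], attributed[d], total[d] - attributed[d]
            t += total[d]; a += attributed[d]
        }
        printf "all %d %d %d\n", t, a, t - a
    }'
}

printf '%s\n' "$IPFW_SHOW_SAMPLE" | reconcile_uid_counters
```

A nonzero residual is expected with this rule set: ipfw(8) documents `uid` as matching TCP or UDP packets sent by or received for that user, so packets without a matching local TCP or UDP socket (other protocols, for instance) never fall under a uid rule and only show up in the aggregate counter.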