Date:      Tue, 30 Aug 2005 19:31:16 +0900
From:      Ganbold <ganbold@micom.mng.net>
To:        freebsd-isp@freebsd.org
Subject:   ng_netflow and bridging firewall
Message-ID:  <6.2.1.2.2.20050830193106.035351d0@202.179.0.80>

Hi Gleb and all,

I'm a newbie to ng_netflow and I'm trying to collect NetFlow traffic from a 
FreeBSD 5.4 machine. The collector (flow-tools) runs on the same machine.
This FreeBSD box has 3 interfaces and acts as a bridging firewall using IPFW2.
It also uses dummynet.

host# ifconfig
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
         options=9<RXCSUM,VLAN_MTU>
         ether 00:10:5a:5b:e5:e3
         media: Ethernet 100baseTX <full-duplex>
         status: active
xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
         options=9<RXCSUM,VLAN_MTU>
         ether 00:04:76:dc:7f:d1
         media: Ethernet 100baseTX <full-duplex>
         status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
         ether 00:0b:6a:24:f6:ab
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active

I'm running ng_netflow module and ngctl with following parameters:

ngctl mkpeer xl1: tee lower right
ngctl connect xl1: xl1:lower upper left
ngctl name xl1:lower xl1_tee
ngctl mkpeer xl1_tee: netflow left2right iface0
ngctl name xl1:lower.left2right netflow
ngctl connect xl1_tee: netflow: right2left iface1
ngctl msg netflow: setifindex { iface=0 index=2 }
ngctl msg netflow: setifindex { iface=1 index=1 }
ngctl mkpeer netflow: ksocket export inet/dgram/udp
ngctl msg netflow:export connect inet/127.0.0.1:8818

I'm just using the second interface, xl1, for ng_netflow. However, when I look at the 
flow data I can only see my network addresses in
the dstIP field. Is that correct? I thought both srcIP and dstIP should contain 
my IPs, because I'm trying to catch traffic going in both directions on 
xl1. Is my assumption correct? If I'm wrong, how do I make it work 
correctly?

Another issue is that the firewall's dynamic rule count almost doubles when 
ng_netflow traffic starts. Is that correct?
How can I fix this?

Also, how can I include the first interface, xl0, in the ng_netflow configuration?

I'd appreciate it if somebody could give me some hints and advice.
It would be great if someone could share configuration samples.

thanks in advance,

Ganbold
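One way to check the export stream for the direction problem described in the message above, as an added example that is not part of the original post and not ng_netflow's or flow-tools' own code: a small Python parser for the NetFlow v5 datagrams that ng_netflow sends through its ksocket export hook (to 127.0.0.1:8818 in the configuration above), run over a constructed datagram. The addresses 192.0.2.0/27, 198.51.100.5 and 203.0.113.7 are made-up stand-ins for the poster's masked x.x.x.x/27 network; the interface indexes 1 and 2 mirror the two setifindex messages. On a bridge that is tapped in both directions, flows with the local prefix as srcIP and flows with it as dstIP should both appear; a summary showing only dst_local is the symptom the poster reports.

```python
import struct
import ipaddress
from collections import Counter

# NetFlow v5 wire format (big-endian), the version ng_netflow(4) exports:
# a 24-byte header followed by up to 30 fixed-size 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_datagram(flows, sysuptime=1000, unix_secs=1125397876, seq=0):
    """Build a CONSTRUCTED NetFlow v5 datagram for offline testing.

    flows: iterable of (src, dst, input_idx, output_idx, pkts, octets, proto).
    In a real deployment the bytes come from the UDP socket the collector
    listens on (port 8818 in the post's configuration).
    """
    flows = list(flows)
    records = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed,
            ipaddress.IPv4Address(dst).packed,
            b"\0\0\0\0",                  # nexthop: not meaningful on a bridge
            input_idx, output_idx,        # SNMP ifindex values from setifindex
            pkts, octets,
            sysuptime - 500, sysuptime,   # first/last seen (sysuptime, ms)
            0, 0,                         # src/dst port (assumed 0 here)
            0, 0, proto, 0,               # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0,                # src_as, dst_as, masks, pad2
        )
        for src, dst, input_idx, output_idx, pkts, octets, proto in flows
    )
    header = V5_HEADER.pack(5, len(flows), sysuptime, unix_secs, 0, seq, 0, 0, 0)
    return header + records


def parse_v5(data):
    """Parse one NetFlow v5 datagram into a list of flow dicts.

    Rejects other versions and truncated datagrams instead of reading past
    the end of the buffer.
    """
    (version, count, _sysuptime, _unix_secs, _unix_nsecs,
     _seq, _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version=%d)" % version)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < expected:
        raise ValueError("truncated datagram: %d < %d bytes" % (len(data), expected))
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": ipaddress.IPv4Address(f[0]),
            "dst": ipaddress.IPv4Address(f[1]),
            "input": f[3],      # input ifindex
            "output": f[4],     # output ifindex
            "pkts": f[5],
            "octets": f[6],
            "proto": f[13],     # IP protocol number
        })
    return flows


def direction_summary(flows, local_net):
    """Count flows by which side the local prefix appears on, and by input ifindex.

    Both 'src_local' and 'dst_local' should be non-zero on a bridge tapped in
    both directions; only 'dst_local' means one direction never reaches ng_netflow.
    """
    net = ipaddress.ip_network(local_net)
    summary = Counter()
    for f in flows:
        if f["src"] in net:
            summary["src_local"] += 1
        elif f["dst"] in net:
            summary["dst_local"] += 1
        else:
            summary["neither"] += 1
        summary["input_if_%d" % f["input"]] += 1
    return dict(summary)


LOCAL_NET = "192.0.2.0/27"   # constructed stand-in for the poster's x.x.x.x/27

SAMPLE_FLOWS = [             # constructed sample; ifindex 1/2 as in the post
    ("192.0.2.10", "198.51.100.5", 2, 1, 12, 9000, 6),   # local -> remote (TCP)
    ("198.51.100.5", "192.0.2.10", 1, 2, 10, 1500, 6),   # remote -> local (TCP)
    ("203.0.113.7", "192.0.2.20", 1, 2, 1, 64, 17),      # remote -> local (UDP)
]

if __name__ == "__main__":
    flows = parse_v5(build_v5_datagram(SAMPLE_FLOWS))
    print(direction_summary(flows, LOCAL_NET))
```

To use it on a live export, bind a UDP socket to the collector address given in the `ngctl msg netflow:export connect` line, pass each received datagram to `parse_v5`, and accumulate `direction_summary` over a few minutes; a zero `src_local` count confirms that traffic leaving through the tapped interface is not being seen by the netflow node.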

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.2.1.2.2.20050830193106.035351d0>