From: Ganbold
To: Gleb Smirnoff
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 01 Sep 2005 13:02:01 +0900
Subject: Re: ng_netflow and bridging firewall

Gleb,

I also tried to create the graph in the following way:

ngctl mkpeer xl1: tee lower left
ngctl connect xl1: xl1:lower upper right
ngctl mkpeer xl1:lower one2many left2right many0
ngctl connect xl1:lower.left2right xl1:lower many1 right2left
ngctl name xl1:lower.right2left o2m
ngctl mkpeer o2m: netflow one iface0
ngctl name o2m:one netflow
ngctl mkpeer netflow: ksocket export inet/dgram/udp
ngctl msg netflow:export connect inet/127.0.0.1:8818

I got the above from the http://www.unix.lviv.ua/index_rus.html?art/nf.html site.
Right after that, the firewall didn't work again.

How can I solve this problem? I don't know yet why ipfw stopped working.
Is this a bug in ipfw or something else?

thanks,
Ganbold

At 06:28 PM 8/31/2005, you wrote:
>On Wed, Aug 31, 2005 at 05:50:21PM +0900, Ganbold wrote:
>G> At 08:10 PM 8/30/2005, you wrote:
>G> >On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
>G> >G> ngctl mkpeer xl1: tee lower right
>G> >G> ngctl connect xl1: xl1:lower upper left
>G> >G> ngctl name xl1:lower xl1_tee
>G> >G> ngctl mkpeer xl1_tee: netflow left2right iface0
>G> >G> ngctl name xl1:lower.left2right netflow
>G> >G> ngctl connect xl1_tee: netflow: right2left iface1
>G> >G> ngctl msg netflow: setifindex { iface=0 index=2 }
>G> >G> ngctl msg netflow: setifindex { iface=1 index=1 }
>G> >G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
>G> >G> ngctl msg netflow:export connect inet/127.0.0.1:8818
>G> >G>
>G> >G> I'm just using second xl1 interface for ng_netflow. However when I see the
>G> >G> flow data I can only see my network addresses in
>G> >G> the dstIP field. Is it correct? I thought both srcIP, dstIP should contain
>G> >G> my IPs, because I'm trying to catch traffic which goes both directions of
>G> >G> xl1. Is my assumption correct? If I'm wrong, how to make it work in correct
>G> >G> way?
>G> >
>G> >No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
>G> >one direction with the above script.
>G>
>G> OK. I see. I'm catching only incoming traffic to xl1 interface.
>G> I can see it from ngctl issuing msg xl1_tee: getstats command and also
>G> flowctl netflow: show command.
>G>
>G> I read the ng_ether man page and didn't quite get it.
>G>
>G> I'm including xl0 interface in similar way as xl1.
>G> Is following sufficient for catching outgoing traffic?
>G>
>G> ngctl mkpeer xl0: tee lower right
>G> ngctl connect xl0: xl0:lower upper left
>G> ngctl name xl0:lower xl0_tee
>G> ngctl mkpeer xl0_tee: netflow left2right iface2
>G> ngctl name xl0:lower.left2right netflow0
>G> ngctl msg netflow0: setifindex { iface=2 index=4 }
>G> ngctl connect xl0_tee: netflow0: right2left iface3
>G> ngctl msg netflow0: setifindex { iface=3 index=3 }
>G> ngctl mkpeer netflow0: ksocket export inet/dgram/udp
>G> ngctl msg netflow0:export connect inet/127.0.0.1:8818
>
>Looks like correct.
>
>G> The graph is something like:
>G>
>G>            ng_ether
>G>      upper |    | lower
>G>       left |    | right
>G>             ng_tee
>G> right2left |    | left2right
>G>     iface0 |    | iface1
>G>           ng_netflow
>G>
>G> Maybe I did something wrong. How should I do it in right way?
>G> I googled and didn't find good source/samples of ng_netflow.
>G>
>G> thanks in advance,
>G>
>G> Ganbold
>G>
>G>
>
>--
>Totus tuus, Glebius.
>GLEBIUS-RIPN GLEB-RIPE
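
Added example, not part of the original thread: a Python check for the symptom described above (local addresses showing up only in dstIP), which tallies exported flows by input ifIndex and direction. It assumes the collector on 127.0.0.1:8818 receives NetFlow version 5 datagrams; the function names, the 192.0.2.0/24 local network and the sample flows are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# NetFlow v5 wire layout (assumed export format): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def direction_counts(datagram, local_net):
    """Tally flows by (input ifIndex, direction relative to local_net)."""
    net = ipaddress.ip_network(local_net)
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than header claims")
    tally = Counter()
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src, dst = ipaddress.ip_address(rec[0]), ipaddress.ip_address(rec[1])
        if src in net and dst in net:
            direction = "internal"
        elif src in net:
            direction = "outbound"
        elif dst in net:
            direction = "inbound"
        else:
            direction = "transit"
        tally[(rec[3], direction)] += 1  # rec[3] is the input ifIndex
    return tally


def missing_directions(tally):
    """Return the directions ('inbound'/'outbound') with no flows at all."""
    return sorted({"inbound", "outbound"} - {d for _, d in tally})


def make_datagram(flows):
    """Build a constructed v5 datagram from (src, dst, input ifIndex) tuples."""
    recs = [RECORD.pack(int(ipaddress.ip_address(s)), int(ipaddress.ip_address(d)),
                        0, ifidx, 0, 1, 64, 0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
            for s, d, ifidx in flows]
    return HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0) + b"".join(recs)


if __name__ == "__main__":
    # Constructed sample: only inbound flows, as in the symptom described above.
    sample = make_datagram([("198.51.100.7", "192.0.2.10", 2)])
    print(missing_directions(direction_counts(sample, "192.0.2.0/24")))
```

Feeding it datagrams captured from the export socket shows per ifIndex whether a tee is copying one direction or both.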