From owner-freebsd-net@FreeBSD.ORG Mon Jan 17 21:26:34 2005 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1C6316A4CE for ; Mon, 17 Jan 2005 21:26:34 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4864043D49 for ; Mon, 17 Jan 2005 21:26:34 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id 58so130986wri for ; Mon, 17 Jan 2005 13:26:33 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=fEbUIxk3b/0G8Yw5CtCMBWBF5k0jNalLlFYOsDnnl0vGyz+tkuqQZsXZsnoIXd4n3/knHxneIAX+im8al3k4GzYkdoW+++ifSO2Dv0ffEEyc16LCTGDBqLcZJfoqKD2qC9PSJIo8ojDPvBo22/t6JukAmxI+Xrb4xD7UmT2387M= Received: by 10.54.49.36 with SMTP id w36mr354476wrw; Mon, 17 Jan 2005 13:26:33 -0800 (PST) Received: by 10.54.39.34 with HTTP; Mon, 17 Jan 2005 13:26:33 -0800 (PST) Message-ID: <8eea0408050117132657045645@mail.gmail.com> Date: Mon, 17 Jan 2005 13:26:33 -0800 From: Jon Simola To: Andrew Seguin , freebsd-net@freebsd.org In-Reply-To: <20050117201513.3388954A5@borgtech.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <20050117201513.3388954A5@borgtech.ca> Subject: Re: Network accounting X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jon@abccomm.com List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jan 2005 21:26:34 -0000 On Mon, 17 Jan 2005 21:11:13 +0100, Andrew Seguin wrote: > But, here's my situation. A dedicated FreeBSD transparent firewall-bridge > with 3 NICs (two for the bridge w/o IP, one for console). I'm using IPFW for > the firewall, and at the moment I'm doing some very bare-bones statistics > via a couple of count rules. I track abusive users through random usage of > TCPDump (when I feel like it basically). What I was doing with the same setup: $IPFW pipe 1 config mask src-ip 0xffffffff buckets 512 $IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512 $IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged $IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged Then 'ipfw pipe 1 show' gives you cumulative upload BW usage, and 'ipfw pipe 2 show' gives download usage. Every 15 minutes I had a perl script that ran, computed the difference in the current and last counts, and logged that to a mySQL database. Then I could query the database at will for usage stats or make graphs. I've been running that system and billing a few hundred customers with it for about 3 years now.