Date: Tue, 30 Aug 2005 15:10:49 +0400
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Ganbold <ganbold@micom.mng.net>
Cc: freebsd-isp@FreeBSD.org
Subject: Re: ng_netflow and bridging firewall
Message-ID: <20050830111049.GK60614@cell.sick.ru>
In-Reply-To: <6.2.1.2.2.20050830190113.035378e0@202.179.0.80>
References: <6.2.1.2.2.20050830190113.035378e0@202.179.0.80>
On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
G> I'm a newbie to ng_netflow and I'm trying to collect NetFlow traffic from a
G> FreeBSD 5.4 machine. The collector (flow-tools) runs on the same machine.
G> This FreeBSD machine has 3 interfaces and acts as a bridging firewall using IPFW2.
G> It also uses dummynet.
G> 
G> host# ifconfig
G> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
G>         options=9<RXCSUM,VLAN_MTU>
G>         ether 00:10:5a:5b:e5:e3
G>         media: Ethernet 100baseTX <full-duplex>
G>         status: active
G> xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
G>         options=9<RXCSUM,VLAN_MTU>
G>         ether 00:04:76:dc:7f:d1
G>         media: Ethernet 100baseTX <full-duplex>
G>         status: active
G> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
G>         inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
G>         ether 00:0b:6a:24:f6:ab
G>         media: Ethernet autoselect (100baseTX <full-duplex>)
G>         status: active
G> 
G> I'm running the ng_netflow module and ngctl with the following parameters:
G> 
G> ngctl mkpeer xl1: tee lower right
G> ngctl connect xl1: xl1:lower upper left
G> ngctl name xl1:lower xl1_tee
G> ngctl mkpeer xl1_tee: netflow left2right iface0
G> ngctl name xl1:lower.left2right netflow
G> ngctl connect xl1_tee: netflow: right2left iface1
G> ngctl msg netflow: setifindex { iface=0 index=2 }
G> ngctl msg netflow: setifindex { iface=1 index=1 }
G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
G> ngctl msg netflow:export connect inet/127.0.0.1:8818
G> 
G> I'm just using the second interface, xl1, for ng_netflow. However, when I look at
G> the flow data I can only see my network addresses in the dstIP field. Is that
G> correct? I thought both srcIP and dstIP should contain my IPs, because I'm trying
G> to catch traffic going in both directions on xl1. Is my assumption correct? If I'm
G> wrong, how do I make it work the correct way?

No. Look at the ng_ether(4) manpage and draw your graph. You are catching only
one direction with the above script.
G> Another issue is that the firewall's dynamic rule count almost doubles when
G> ng_netflow traffic starts. Is that correct?
G> How can I fix this?

I know that bridge(4) has a conflict with ng_ether(4). This is fixed in RELENG_6,
and is not going to be fixed in RELENG_5 due to the ABI freeze. You can try
6.0-BETA3 in this configuration. Probably your ipfw problem is related to this
conflict between bridge and ng_ether.

G> Also, how can I include the first interface, xl0, in the ng_netflow configuration?

Read the netgraph manual pages and draw the graph, then change the script so
that the new graph is built.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
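Gleb's last answer (attach xl0 by building a new graph) is the part a reader can act on directly, so here is an added example that is not from either poster: a small sh helper that repeats Ganbold's tee-per-interface topology for any number of Ethernet interfaces, all feeding one ng_netflow node, with the ngctl calls routed through a wrapper so the whole thing can be dry-run with NGCTL=echo. The ngf_* function names are this example's own, the ifIndex values given for xl0 in the usage comment are placeholders, and the collector address is the one from the post. It deliberately does not change what each per-interface tee sees, so Gleb's point that this single-interface graph catches only one direction, and the bridge(4)/ng_ether(4) conflict he mentions for RELENG_5, apply to every interface attached this way just as they did to xl1 alone; the point of the helper is only to make the "draw the graph, then build it" step mechanical.

```shell
#!/bin/sh
# Added example (not from the thread above): build one ng_netflow node fed by
# one ng_tee per Ethernet interface, generalising the single-interface script
# Ganbold posted so that xl0 can be attached alongside xl1.
# The ngf_* function names are this example's own. NGCTL=echo turns every
# call into a dry run that prints the ngctl command instead of executing it.

: "${NGCTL:=ngctl}"
NETFLOW_NAME=${NETFLOW_NAME:-netflow}            # name given to the ng_netflow node
COLLECTOR=${COLLECTOR:-inet/127.0.0.1:8818}      # ksocket "connect" target (from the post)

run() { "$NGCTL" "$@"; }

# ngf_attach IF N: splice a tee between IF's ng_ether "upper" (stack side) and
# "lower" (wire side) hooks and feed the tee's copy hooks into the netflow node:
# left2right (frames moving upper->lower, i.e. transmitted on IF) becomes
# iface<N>, right2left (frames moving lower->upper, i.e. received on IF) becomes
# iface<N+1>. The first call (N=0) creates the netflow node; later calls
# connect to the one that already exists.
ngf_attach() {
    ifn=$1; n=$2
    run mkpeer "$ifn:" tee lower right             # new tee; tee "right" <-> ng_ether "lower"
    run connect "$ifn:" "$ifn:lower" upper left    # ng_ether "upper" <-> tee "left"
    run name "$ifn:lower" "${ifn}_tee"
    if [ "$n" -eq 0 ]; then
        run mkpeer "${ifn}_tee:" netflow left2right "iface$n"
        run name "${ifn}_tee:left2right" "$NETFLOW_NAME"
    else
        run connect "${ifn}_tee:" "$NETFLOW_NAME:" left2right "iface$n"
    fi
    run connect "${ifn}_tee:" "$NETFLOW_NAME:" right2left "iface$((n + 1))"
}

# ngf_build "IF TX_IFINDEX RX_IFINDEX" ...: attach each interface, tag its two
# netflow hooks with the SNMP ifIndex values to put in exported records (the
# post used 2 for xl1's transmit copy and 1 for its receive copy), then hang
# the export ksocket off the netflow node and point it at the collector.
ngf_build() {
    n=0
    for spec in "$@"; do
        set -- $spec                     # safe: "$@" was expanded when the loop started
        ifn=$1; tx_idx=$2; rx_idx=${3:-$2}
        ngf_attach "$ifn" "$n"
        run msg "$NETFLOW_NAME:" setifindex "{ iface=$n index=$tx_idx }"
        run msg "$NETFLOW_NAME:" setifindex "{ iface=$((n + 1)) index=$rx_idx }"
        n=$((n + 2))
    done
    run mkpeer "$NETFLOW_NAME:" ksocket export inet/dgram/udp
    run msg "$NETFLOW_NAME:export" connect "$COLLECTOR"
}

# ngf_teardown IF ...: shut down the netflow node (the export ksocket removes
# itself once its only hook is gone) and each interface's tee; with "upper"
# and "lower" unhooked, ng_ether goes back to passing frames straight through.
ngf_teardown() {
    run shutdown "$NETFLOW_NAME:"
    for ifn in "$@"; do
        run shutdown "${ifn}_tee:"
    done
}

# Usage, as root on the firewall (bash); the xl0 index values are placeholders:
#   ngf_build "xl1 2 1" "xl0 1 2"          # attach both bridged interfaces
#   NGCTL=echo ngf_build "xl1 2 1"         # dry run: print the ngctl commands
#   ngf_teardown xl1 xl0
```

After a real run, `ngctl show netflow:` lists the iface0..iface3 and export hooks and which tee each is connected to, and `ngctl msg netflow: info` returns the node's counters, which is the quickest way to confirm packets are actually arriving on the hooks you expect before trusting what the collector shows. Drawing the graph as Gleb suggests is still the step that decides whether a tee on ng_ether's upper/lower path sees bridged traffic in both directions; this helper only builds whatever topology you decide on, one interface at a time.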
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050830111049.GK60614>