Date:      Fri, 17 Dec 2004 13:29:09 -0500
From:      Louis LeBlanc <FreeBSD@keyslapper.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: "ipfw count" equivalent for pf
Message-ID:  <20041217182908.GA50057@keyslapper.org>
In-Reply-To: <b043a48504121611577801f1ef@mail.gmail.com>
References:  <b043a48504121611577801f1ef@mail.gmail.com>

On 12/16/04 11:57 AM, patrick sat at the `puter and typed:
> Hi there,
> 
> Now that FreeBSD 5.x has pf from OpenBSD, I'm wondering if some of the
> pf experts can help me with porting a simple ipfw configuration from
> FreeBSD 4.x to pf in FreeBSD 5.x.
> 
> On our 4.x servers, we have several rules like:
> 
> ipfw add count ip from any to x.x.x.x
> ipfw add count ip from x.x.x.x to any
> 
> ... to keep track of how much traffic is going through a particular IP
> address. Every night, I capture the data and zero the counters.
> 
> Using pf, I'm having a difficult time figuring out how to establish a
> similar ruleset so that I can gather the same sort of data. Someone on the
> openbsd-misc list told me to "add labels to those rules you want to
> account traffic on and use `pfctl -sl` to read their counters." The
> problem is that I'm not sure how to describe the rules using pf. I
> suppose the rules should just pass all traffic to and from my external
> interface, but from all the pf documentation I've read, I can't find
> an example that seems to do this for me.
> 
> Can any experts lend a hand here? It seems like this should be
> dead-easy to do, but like many things from the OpenBSD world, it does
> not seem so straightforward to me.

Well, if a novice (more like a beginner) will do, here's something I've
found very useful:

http://www.openbsd.org/faq/pf/index.html

And to answer your specific question, from
http://www.openbsd.org/faq/pf/config.html I've used some of these:
--------
Control
After boot, PF operation can be managed using the pfctl(8) program. Some
example commands are:

     # pfctl -f /etc/pf.conf     loads the pf.conf file
     # pfctl -nf /etc/pf.conf    parse the file, but don't load it
     # pfctl -Nf /etc/pf.conf    Load only the NAT rules from the file
     # pfctl -Rf /etc/pf.conf    Load only the filter rules from the file

     # pfctl -sn                 Show the current NAT rules 
     # pfctl -sr                 Show the current filter rules
     # pfctl -ss                 Show the current state table
     # pfctl -si                 Show filter stats and counters
     # pfctl -sa                 Show EVERYTHING it can show

For a complete list of commands, please see the pfctl(8) man page. 
--------

HTH.  It certainly seems like changing nat and firewall rules on the fly
is easier with pf.  As I read and played with it, it seems to be much
easier, particularly when using tables and lists.

I still have some tweaking to do in my own pf.conf, but it's definitely
cool.

Lou
-- 
Louis LeBlanc               FreeBSD@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Oliver's Law:
  Experience is something you don't get until just after you need it.
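As an added example (not from this thread or the OpenBSD FAQ), here is the pf counterpart of the two `ipfw add count` rules from the question, followed by a small parser for `pfctl -sl` output so the nightly capture can be scripted. The interface name, the address 192.0.2.10, the label names and the sample counter lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: labeled pf rules standing in for "ipfw add count", plus a
# parser for `pfctl -sl` output. Not code from the thread.
#
# pf.conf fragment (hypothetical host 192.0.2.10 on interface em0):
#   pass in  quick on em0 from any to 192.0.2.10 label "host_in"
#   pass out quick on em0 from 192.0.2.10 to any  label "host_out"
# Unlike "ipfw count", a labeled pass rule also makes a filtering decision,
# so it must sit where that traffic would have been passed anyway.
#
# Nightly collection, mirroring the ipfw workflow in the question:
#   pfctl -sl > /var/log/pf-counters.$(date +%Y%m%d) ; pfctl -z
# (`pfctl -z` zeroes all per-rule counters.)

# Constructed sample of `pfctl -sl` output. On 2004-era pf the columns are
#   label evaluations packets bytes
# Newer pf appends per-direction and state counters; only the first four
# fields are read here, so either layout works. Labels must not contain
# spaces for this field-based parsing to hold.
SAMPLE='host_in 1203 987 612345
host_out 1150 900 48213
dns_out 40 40 3200'

# Print the byte count for one label, reading pfctl -sl style text on stdin.
# Exits non-zero if the label is absent (e.g. the rule failed to load).
bytes_for_label() {
    awk -v want="$1" '$1 == want { print $4; found = 1 }
                      END { if (!found) exit 1 }'
}

# Sum bytes over all labels sharing a prefix, e.g. "host_" for both
# directions of the monitored address.
total_bytes_prefix() {
    awk -v p="$1" 'index($1, p) == 1 { s += $4 } END { print s + 0 }'
}

# Demo against the constructed sample instead of a live `pfctl -sl`.
in_bytes=$(printf '%s\n' "$SAMPLE" | bytes_for_label host_in)
total=$(printf '%s\n' "$SAMPLE" | total_bytes_prefix host_)
echo "host_in bytes: $in_bytes"
echo "host total bytes: $total"
```

On a live box, replace the `printf` of the sample with `pfctl -sl` and run the collection before `pfctl -z`, otherwise the zeroing discards the day's counts.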