Date: Mon, 21 Mar 2005 12:42:18 +0300
From: "Eugene M. Minkovskii" <emin@mccme.ru>
To: "Peter N. M. Hansteen" <peter@bgnett.no>
Subject: Re: OpenBSD's pf and traffic
Message-ID: <20050321094218.GA17563@mccme.ru>
Resent-Message-ID: <200503210943.MAA18836@mccme.ru>
In-Reply-To: <86eke9fn7o.fsf@amidala.datadok.no>
References: <20050320093159.GA3213@mccme.ru> <861xaamf9t.fsf@amidala.datadok.no> <20050321071227.GA29429@mccme.ru> <86eke9fn7o.fsf@amidala.datadok.no>
On Mon, Mar 21, 2005 at 08:54:35AM +0100, Peter N. M. Hansteen wrote:
" "Eugene M. Minkovskii" <emin@mccme.ru> writes:
"
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate
" >
" > As you can see, ssh packets match all rules and pass in because the
" > last rule wins. Does it mean that I can't see ssh's packets using the
" > command
" > # pfctl -sl
"
" here you label the blocked packets but not the ones you pass, which
" means your ssh packets would count toward the packets passed counter only.
"
" > And if I use
" >
" > block in log on $ext_ip inet from any to $ext_ip label $ext_ip
" > pass in on $ext_ip inet from any to $ext_ip port 22 keep sate label $ext_ip
" >
" > ... do I see the label twice?
"
" No. But both rules would increment the $ext_ip counter, which means that
" your $ext_ip counter would be essentially packet totals. Last matching
" rule wins (with state instead of sate it would work), so each packet
" increments the relevant counters only once.

I was trying some experiments... It seems to me you are right in all but
one: the second line doesn't increase the $ext_ip counter, but... adds
another counter with the same name:

# pfctl -sr | grep label
block in log on $ext_if inet from any to $ext_if label $ext_if
block in log quick on $ext_if inet from <crackers> to $ext_if label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if
pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if

# pfctl -vsl
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0

But, of course, this output is "scriptable". (I can sum these numbers in
Python or bc.)

" > Perhaps you know where I can find a workable example of this?
"
" Randal Schwartz has a nice article called "Monitoring Net Traffic with
" OpenBSD's Packet Filter" at http://www.samag.com/documents/s=9053/sam0403j/0403j.htm

Thanks
--
Sensory yours, Eugene Minkovskii
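The `pfctl -vsl` listing in the message is, as Eugene says, scriptable. The script below is an added example, not code from this thread or from OpenBSD. It sums the counter columns of every line that shares a label (which pfctl does not do when the same label is reused on several rules), and, on the assumption that `pfctl -vsl` lists labelled rules in the same order as `pfctl -sr` (an assumption, not something the thread states), pairs each counter line with its rule, which is what separates the pass rules' packets from the block rules' when every rule carries the same label. The six rule lines and six counter lines embedded as sample input are the ones quoted in the message; the four-column format (label, evaluations, packets, bytes) is the 2005-era one shown there, and any extra trailing numeric columns a newer pf prints are summed position-wise.

```python
#!/usr/bin/env python3
"""Sum and attribute per-label counters from `pfctl -vsl` output.

Added example, not code from the thread or from OpenBSD. Assumes the
four-column listing shown in the message (label, evaluations, packets,
bytes); later pf releases print extra columns, and any trailing numeric
columns are summed position-wise so the same code still applies.
"""
from collections import OrderedDict

# Constructed sample: the `pfctl -sr | grep label` listing from the message.
# All six rules carry the same label, the value of $ext_if.
SAMPLE_RULES = [
    "block in log on $ext_if inet from any to $ext_if label $ext_if",
    "block in log quick on $ext_if inet from <crackers> to $ext_if label $ext_if",
    "pass in on $ext_if inet proto tcp from any to $ext_if port = ssh flags S/SA keep state label $ext_if",
    "pass in on $ext_if inet proto tcp from any to $ext_if port = smtp flags S/SA keep state label $ext_if",
    "pass in on $ext_if inet proto tcp from any to $ext_if port = auth flags S/SA keep state label $ext_if",
    "pass in on $ext_if inet proto tcp from any port = ftp-data to $ext_if user = 62 flags S/SA keep state label $ext_if",
]

# Constructed sample: the matching `pfctl -vsl` listing from the message,
# one line per labelled rule, the label expanded to the interface name.
SAMPLE_VSL = """\
rl0 48703 10 936
rl0 26095 0 0
rl0 25845 776 81479
rl0 29 25 2952
rl0 29 0 0
rl0 29 0 0
"""


def parse_vsl(text):
    """Return a list of (label, [counters]) from `pfctl -vsl` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        label, counters = parts[0], parts[1:]
        if not counters or not all(c.isdigit() for c in counters):
            raise ValueError("unexpected pfctl -vsl line: %r" % line)
        rows.append((label, [int(c) for c in counters]))
    return rows


def sum_by_label(rows):
    """Add up the columns of every rule that shares a label.

    pfctl does not aggregate for you: a label reused on several rules shows
    up once per rule, so a rule-set-wide total for that label is the sum of
    those lines.
    """
    totals = OrderedDict()
    for label, counters in rows:
        acc = totals.setdefault(label, [0] * len(counters))
        if len(acc) != len(counters):
            raise ValueError("column count differs for label %r" % label)
        for i, value in enumerate(counters):
            acc[i] += value
    return totals


def attribute_to_rules(rows, rules):
    """Pair each counter line with the rule it belongs to.

    Assumption (not stated in the thread): `pfctl -vsl` prints labelled rules
    in rule-set order, the same order `pfctl -sr` uses, so the two listings
    line up even when every rule carries the same label.
    """
    if len(rows) != len(rules):
        raise ValueError("%d rules but %d counter lines" % (len(rules), len(rows)))
    return list(zip(rules, rows))


if __name__ == "__main__":
    rows = parse_vsl(SAMPLE_VSL)
    for label, counters in sum_by_label(rows).items():
        print("total for label %s: %s" % (label, " ".join(map(str, counters))))
    for rule, (_, counters) in attribute_to_rules(rows, SAMPLE_RULES):
        print("%s -> %s" % (" ".join(map(str, counters)), rule))
```

Run as-is it prints the per-label total (100730 evaluations, 811 packets, 85367 bytes for `rl0`) and then one line per rule, which is where the 776 ssh packets and the 10 blocked packets become visible as separate figures. To use it live, feed it the real output of `pfctl -vsl` and `pfctl -sr | grep label`. A label that only names the interface, as here, says nothing about verdict or service; giving block and pass rules distinct labels makes `pfctl -sl` meaningful on its own, without pairing it against the rule listing.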