From owner-freebsd-net@FreeBSD.ORG Mon Jan 17 22:05:25 2005
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Mon, 17 Jan 2005 17:06:46 -0500
To: Andrew Seguin
cc: freebsd-net@freebsd.org
Subject: Re: Network accounting
Message-ID: <41EC36F6.7030404@mac.com>
In-Reply-To: <20050117214549.4C5DC54A5@borgtech.ca>
List-Id: Networking and TCP/IP with FreeBSD

Andrew Seguin wrote:
[ ... ]
> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?
>
> I already have counts of my up & down traffic. Actually, I have a bypass
> rule for 'normal' traffic (web/email/dns/icmp/etc), and then a pipe to
> control bandwidth (mainly because of downloaders). With some scripting, the
> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).

Consider these rules:

  ipfw pipe 1 config mask src-ip 0xffffffff buckets 512
  ipfw pipe 2 config mask src-ip 0xffffffff buckets 512
  ipfw pipe 3 config mask src-ip 0xffffffff buckets 512

  ipfw add 10 pipe 1 tcp from 192.168.1.0/24 to any
  ipfw add 20 pipe 2 udp from 192.168.1.0/24 to any
  ipfw add 30 pipe 3 icmp from 192.168.1.0/24 to any

If you do an "ipfw pipe show", you'll see output like:

00001: unlimited 0 ms 50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip    192.168.1.6/0        0.0.0.0/0              5     558    0    0   0
172 ip    192.168.1.2/0        0.0.0.0/0            461   30425    0    0   0
174 ip    192.168.1.3/0        0.0.0.0/0            679   38468    0    0   0
00002: unlimited 0 ms 50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip    192.168.1.6/0        0.0.0.0/0              7     432    0    0   0
170 ip    192.168.1.1/0        0.0.0.0/0             56    7986    0    0   0
172 ip    192.168.1.2/0        0.0.0.0/0             77    5172    0    0   0
00003: unlimited 0 ms 50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip    192.168.1.6/0        0.0.0.0/0              5     420    0    0   0
170 ip    192.168.1.1/0        0.0.0.0/0              2     168    0    0   0
172 ip    192.168.1.2/0        0.0.0.0/0             26    1988    0    0   0

...after I did a few pings and a non-local traceroute.

In other words, you don't need to create rules for each host, but you would
for each protocol. If you need to break things up more finely, you can also
add port #'s to look for HTTP versus IRC versus whatever, too.

-- 
-Chuck