Re: ng_netflow and bridging firewall
From: Gleb Smirnoff (glebius_at_FreeBSD.org)
Date: 08/30/05
- Previous message: Ganbold: "ng_netflow and bridging firewall"
- Maybe in reply to: Ganbold: "ng_netflow and bridging firewall"
- Next in thread: Ganbold: "Re: ng_netflow and bridging firewall"
- Reply: Ganbold: "Re: ng_netflow and bridging firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 30 Aug 2005 15:10:49 +0400 To: Ganbold <ganbold@micom.mng.net>
On Tue, Aug 30, 2005 at 07:30:09PM +0900, Ganbold wrote:
G> I'm newbie to ng_netflow and I'm trying to collect Netflow traffic from
G> FreeBSD 5.4 machine. Collector (flow-tools) runs on same machine.
G> This FreeBSD has 3 interfaces and it acts as bridging firewall using IPFW2.
G> It also uses dummynet.
G>
G> host# ifconfig
G> xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
G> options=9<RXCSUM,VLAN_MTU>
G> ether 00:10:5a:5b:e5:e3
G> media: Ethernet 100baseTX <full-duplex>
G> status: active
G> xl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
G> options=9<RXCSUM,VLAN_MTU>
G> ether 00:04:76:dc:7f:d1
G> media: Ethernet 100baseTX <full-duplex>
G> status: active
G> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
G> inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
G> ether 00:0b:6a:24:f6:ab
G> media: Ethernet autoselect (100baseTX <full-duplex>)
G> status: active
G>
G> I'm running ng_netflow module and ngctl with following parameters:
G>
G> ngctl mkpeer xl1: tee lower right
G> ngctl connect xl1: xl1:lower upper left
G> ngctl name xl1:lower xl1_tee
G> ngctl mkpeer xl1_tee: netflow left2right iface0
G> ngctl name xl1:lower.left2right netflow
G> ngctl connect xl1_tee: netflow: right2left iface1
G> ngctl msg netflow: setifindex { iface=0 index=2 }
G> ngctl msg netflow: setifindex { iface=1 index=1 }
G> ngctl mkpeer netflow: ksocket export inet/dgram/udp
G> ngctl msg netflow:export connect inet/127.0.0.1:8818
G>
G> I'm just using second xl1 interface for ng_netflow. However when I see the
G> flow data I can only see my network addresses in
G> the dstIP field. Is it correct? I thought both srcIP, dstIP should contain
G> my IPs, because I'm trying to catch traffic which goes both directions of
G> xl1. Is my assumption correct? If I'm wrong, how to make it work in correct
G> way?
No. Look at ng_ether(4) manpage, and draw your graph. You are catching only
one direction with the above script.
G> Another issue is firewall dynamic rules count almost doubles when starts
G> ng_netflow traffic. Is it correct?
G> How can I fix this?
I know that bridge(4) has a conflict with ng_ether(4). This is fixed in RELENG_6,
and is not going to be fixed in RELENG_5 due to ABI freeze. You can
try 6.0-BETA3 in this configuration.
Probably the your ipfw problem is related to this conflict between bridge
and ng_ether.
G> Also how can I include first interface xl0 to the ng_netflow configuration?
Read the netgraph manual pages and draw graph, then change the script so that
a new graph is built.
-- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE _______________________________________________ freebsd-isp@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-isp To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
- Previous message: Ganbold: "ng_netflow and bridging firewall"
- Maybe in reply to: Ganbold: "ng_netflow and bridging firewall"
- Next in thread: Ganbold: "Re: ng_netflow and bridging firewall"
- Reply: Ganbold: "Re: ng_netflow and bridging firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
