Re: altq for vlans?

From: Max Laier (max_at_love2party.net)
Date: 02/14/05

  • Next message: Jon Simola: "Re: altq for vlans?"
    To: freebsd-net@freebsd.org
    Date: Mon, 14 Feb 2005 14:25:53 +0100
    
    
    

    On Monday 14 February 2005 10:43, Jeremie Le Hen wrote:
    > > Anyways, the _real_ problem is that traditionally, I'd used firewall
    > > rules for accounting as well as security. To that end, labels are
    > > very cool. However, they have one rather large defect:
    > >
    > > If you're dealing with keep state rules, there seems to be no obvious
    > > way to account for incoming vs. outgoing traffic. The label only
    > > reports total traffic for the state matching the rule... which is both
    > > in and out.
    >
    > This is a workaround, but I found that ipfw's count rules are pretty
    > useful for this purpose. This would however add processing overhead
    > for each packet especially using gigabit Ethernet.

    Did you try to use tables? I think it's one of the best tools for easy
    accounting.

    $ pfctl -vvT show -t test
       192.168.0.1
            Cleared: Mon Feb 14 14:19:39 2005
            In/Block: [ Packets: 0 Bytes: 0 ]
            In/Pass: [ Packets: 2 Bytes: 168 ]
            Out/Block: [ Packets: 0 Bytes: 0 ]
            Out/Pass: [ Packets: 2 Bytes: 168 ]

    It does count everything on stateful rules and it's easy to monitor subnets
    and whatnot. See the various manual pages and the OpenBSD FAQ for more about
    tables. You might also want to have a look at pfflowd from ports, which is
    able to translate pfsync messages into flows for accounting purposes.

    -- 
    /"\  Best regards,                      | mlaier@freebsd.org
    \ /  Max Laier                          | ICQ #67774661
     X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
    / \  ASCII Ribbon Campaign              | Against HTML Mail and News
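
Added example (not part of the original message, and not code from pf or pfflowd): a small parser that turns the `pfctl -vvT show` listing quoted above into per-address, per-direction counters for accounting. The function names and the second sample entry are assumptions made for illustration; the line format is taken from the output shown in the message.

```python
import re

# Counter line as printed in the message: "In/Pass: [ Packets: 2 Bytes: 168 ]"
COUNTER_RE = re.compile(
    r"^(In|Out)/(Block|Pass):\s*\[\s*Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s*\]$")

# Constructed sample: first entry is the message's output, second is made up.
SAMPLE = """\
   192.168.0.1
        Cleared: Mon Feb 14 14:19:39 2005
        In/Block: [ Packets: 0 Bytes: 0 ]
        In/Pass: [ Packets: 2 Bytes: 168 ]
        Out/Block: [ Packets: 0 Bytes: 0 ]
        Out/Pass: [ Packets: 2 Bytes: 168 ]
   10.1.0.0/24
        Cleared: Mon Feb 14 14:19:39 2005
        In/Block: [ Packets: 3 Bytes: 180 ]
        In/Pass: [ Packets: 40 Bytes: 5200 ]
        Out/Block: [ Packets: 0 Bytes: 0 ]
        Out/Pass: [ Packets: 55 Bytes: 61000 ]
"""

def parse_table_stats(text):
    """Return {address: {(direction, action): (packets, bytes)}}."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Cleared:"):
            continue
        m = COUNTER_RE.match(line)
        if m is None:
            # Anything else is an entry header (host, CIDR or IPv6 address).
            current = stats.setdefault(line, {})
        elif current is None:
            raise ValueError("counter line before any address: %r" % line)
        else:
            direction, action, pkts, nbytes = m.groups()
            current[(direction.lower(), action.lower())] = (int(pkts), int(nbytes))
    return stats

def passed_bytes(stats):
    """Per-address (bytes_in, bytes_out), counting passed traffic only."""
    return {addr: (c.get(("in", "pass"), (0, 0))[1],
                   c.get(("out", "pass"), (0, 0))[1])
            for addr, c in stats.items()}

if __name__ == "__main__":
    for addr, (b_in, b_out) in passed_bytes(parse_table_stats(SAMPLE)).items():
        print("%-18s in=%d out=%d" % (addr, b_in, b_out))
```

The block counters are kept in the parsed result as well, so dropped traffic per address can be reported alongside the passed totals.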
    
    


