Re: "ipfw count" equivalent for pf
From: Louis LeBlanc (FreeBSD_at_keyslapper.org)
Date: 12/17/04
- Previous message: Curtis Vaughan: "Re: Opening ports"
- In reply to: patrick: ""ipfw count" equivalent for pf"
- Next in thread: Paul Schmehl: "Re: "ipfw count" equivalent for pf"
- Reply: Paul Schmehl: "Re: "ipfw count" equivalent for pf"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 17 Dec 2004 13:29:09 -0500 To: freebsd-questions@freebsd.org
On 12/16/04 11:57 AM, patrick sat at the `puter and typed:
> Hi there,
>
> Now that FreeBSD 5.x has pf from OpenBSD, I'm wondering if some of the
> pf experts can help me with porting a simple ipfw configuration from
> FreeBSD 4.x to pf in FreeBSD 5.x.
>
> On our 4.x servers, we have several rules like:
>
> ipfw add count ip from any to x.x.x.x
> ipfw add count ip from x.x.x.x to any
>
> ... to keep track of how much traffic is going through a particular IP
> address. Every night, I capture the data and zero the counters.
>
> Using pf, I'm having a difficult time how to establish a similar
> ruleset so that I can gather the same sort of data. Someone on the
> openbsd-misc list told me to "add labels to those rules you want to
> account traffic on and use `pdfctl -sl` to read their counters." The
> problem is that I'm not sure how to describe the rules using pf. I
> suppose the rules should just pass all traffic to and from my external
> interface, but from all the pf documentation I've read, I can't find
> an example that seems to do this for me.
>
> Can any experts lend a hand here? It seems like this should be
> dead-easy to do, but like many things from the OpenBSD world, it does
> not seem to straight-forward to me.
Well, if a novice (more like a beginner) will do, here's something I've
found very useful:
http://www.openbsd.org/faq/pf/index.html
And to answer your specific question, from
http://www.openbsd.org/faq/pf/config.html I've used some of these:
--------
Control
After boot, PF operation can be managed using the pfctl(8) program. Some
example commands are:
# pfctl -f /etc/pf.conf loads the pf.conf file
# pfctl -nf /etc/pf.conf parse the file, but don't load it
# pfctl -Nf /etc/pf.conf Load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf Load only the filter rules from the file
# pfctl -sn Show the current NAT rules
# pfctl -sr Show the current filter rules
# pfctl -ss Show the current state table
# pfctl -si Show filter stats and counters
# pfctl -sa Show EVERYTHING it can show
For a complete list of commands, please see the pfctl(8) man page.
--------
HTH. It certainly seems like changing nat and firewall rules on the fly
are easier with pf. As I read and played with it, it seems to be much
easier, particularly when using tables and lists.
I still have some tweaking to do in my own pf.conf, but it's definitely
cool.
Lou
-- Louis LeBlanc FreeBSD@keyslapper.org Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://www.keyslapper.org ԿԬ Oliver's Law: Experience is something you don't get until just after you need it. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
- Previous message: Curtis Vaughan: "Re: Opening ports"
- In reply to: patrick: ""ipfw count" equivalent for pf"
- Next in thread: Paul Schmehl: "Re: "ipfw count" equivalent for pf"
- Reply: Paul Schmehl: "Re: "ipfw count" equivalent for pf"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
