[netflow-tools] FreeBSD pfflowd + flowd
Greg Armer
greg at propdata.co.za
Tue Jan 31 20:07:07 EST 2006
Greetings list,
I seem to be having an issue with using FreeBSD pf / pfflowd and flowd.
I have a working firewall ruleset running on a FreeBSD 5.4-STABLE server
using the FreeBSD port of pf from OpenBSD.
I compiled my own kernel with the
options pfsync
Option to get the pfsync0 interface, which is up and working.
I then installed pfflowd and flowd from the FreeBSD ports tree.
If I run pfflowd and run a
# tcpdump -n -i lo0 -s1500 -vvvTcnfp
I see the netflows coming from pfflowd across the pfsync0 interface:
root at fyrewall:~ #> tcpdump -n -i lo0 -s1500 -vvvTcnfp
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 1500
bytes
11:06:54.515048 IP (tos 0x0, ttl 64, id 15359, offset 0, flags [DF],
length: 71) 127.0.0.1.63464 > 127.0.0.1.65270: P [tcp sum ok]
3176441976:3176441995(19) ack 759031372 win 35840 <nop,nop,timestamp
1551309273 1551298204>
11:06:54.516505 IP (tos 0x0, ttl 64, id 15360, offset 0, flags [none],
length: 64) 127.0.0.1.62934 > 127.0.0.1.53: NetFlow v5810, 65.536 uptime,
0.023397729, 256 recs
11:06:54.558983 IP (tos 0x0, ttl 64, id 15362, offset 0, flags [none],
length: 346) 127.0.0.1.53 > 127.0.0.1.62934: NetFlow v5810, 65.540 uptime,
655360.023397729, 33152 recs
started 65.537, last 78250.013
115.45.101.117:1377 > 6.102.97.108:29485 >> 107.97.103.3
6 FRAU tos 102, 65537 (3222011909 octets)
started 842596.711, last 107047.777
103.101.115.117:28001 > 105.116.101.192:27072 >> 27.192.48.0
89 tos 0, 487424 (268722489 octets)
started 25486.848, last 268597.864
200.192.89.0:2657 > 1.0.1.0:27489 >> 0.0.9.0
105 tos 116, 3418382336 (33554688 octets)
started 1824561.344, last 1610613.248
1.132.230.0:256 > 5.2.122.107:388 >> 192.152.192.96
5 tos 2, 99558 (328314 octets)
started 3231236.192, last 131.073
132.230.0.5:1 > 2.122.98.192:34022 >> 152.192.96.0
2 tos 122, 25486848 (84048483 octets)
Pfflowd is running as follows:
nobody 89103 0.0 0.4 1488 1000 ?? Ss Mon08AM 0:02.51
/usr/local/sbin/pfflowd -n 127.0.0.1:2055
If I use netcat to listen on 127.0.0.1 UDP port 2055 while the flowd daemon
is not running I receive nothing:
root at fyrewall:~ #> nc -4 -l -u 127.0.0.1 2055
^C
However connecting with netcat to port 2055 on 127.0.0.1 with flowd running
I receive the connection, indicating that flowd is running correctly:
root at fyrewall:~ #> nc -uv -s 127.0.0.1 127.0.0.1 2055
Connection to 127.0.0.1 2055 port [udp/*] succeeded!
^C
So it seems my problem lies with getting traffic out of pfflowd and into
flowd.
Here is my pfflowd start script:
root at fyrewall:~ #> cat /usr/local/etc/rc.d/pfflowd.sh
#!/bin/sh
# Enter the host to send the netflow datagrams to, the format
# is IP:PORT (e.g 127.0.0.1:2055)
host="127.0.0.1:2055"
case "$1" in
start)
echo -n " pfflowd"
/usr/local/sbin/pfflowd -n ${host}
;;
stop)
if [ ! -f /var/run/pfflowd.pid ]; then
echo "pfflowd not running"
exit 64
fi
kill `cat /var/run/pfflowd.pid`
;;
esac
Perhaps someone could offer some assistance ?
I also have a pf rule to:
pass quick on pfsync0
And watching the pflog0 interface does not show any blocking going on for
the pfsync0 interface.
Many thanks for any assistance.
Greg (wiqd)
More information about the netflow-tools
mailing list