[netflow-tools] FreeBSD pfflowd + flowd

Greg Armer greg at propdata.co.za
Tue Jan 31 20:07:07 EST 2006


Greetings list,

I seem to be having an issue with using FreeBSD pf / pfflowd and flowd.

I have a working firewall ruleset running on a FreeBSD 5.4-STABLE server
using the FreeBSD port of pf from OpenBSD.

I compiled my own kernel with the

	options	pfsync

option to get the pfsync0 interface, which is up and working.

I then installed pfflowd and flowd from the FreeBSD ports tree.

If I run pfflowd and run a 

# tcpdump -n -i lo0 -s1500 -vvvTcnfp

I see the netflows coming from pfflowd across the pfsync0 interface:

root at fyrewall:~ #> tcpdump -n -i lo0 -s1500 -vvvTcnfp
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 1500
bytes
11:06:54.515048 IP (tos 0x0, ttl  64, id 15359, offset 0, flags [DF],
length: 71) 127.0.0.1.63464 > 127.0.0.1.65270: P [tcp sum ok]
3176441976:3176441995(19) ack 759031372 win 35840 <nop,nop,timestamp
1551309273 1551298204>
11:06:54.516505 IP (tos 0x0, ttl  64, id 15360, offset 0, flags [none],
length: 64) 127.0.0.1.62934 > 127.0.0.1.53: NetFlow v5810, 65.536 uptime,
0.023397729, 256 recs
11:06:54.558983 IP (tos 0x0, ttl  64, id 15362, offset 0, flags [none],
length: 346) 127.0.0.1.53 > 127.0.0.1.62934: NetFlow v5810, 65.540 uptime,
655360.023397729, 33152 recs
  started 65.537, last 78250.013
    115.45.101.117:1377 > 6.102.97.108:29485 >> 107.97.103.3
    6 FRAU tos 102, 65537 (3222011909 octets)
  started 842596.711, last 107047.777
    103.101.115.117:28001 > 105.116.101.192:27072 >> 27.192.48.0
    89 tos 0, 487424 (268722489 octets)
  started 25486.848, last 268597.864
    200.192.89.0:2657 > 1.0.1.0:27489 >> 0.0.9.0
    105 tos 116, 3418382336 (33554688 octets)
  started 1824561.344, last 1610613.248
    1.132.230.0:256 > 5.2.122.107:388 >> 192.152.192.96
    5 tos 2, 99558 (328314 octets)
  started 3231236.192, last 131.073
    132.230.0.5:1 > 2.122.98.192:34022 >> 152.192.96.0
    2 tos 122, 25486848 (84048483 octets)

Pfflowd is running as follows:

nobody  89103  0.0  0.4  1488  1000  ??  Ss   Mon08AM   0:02.51
/usr/local/sbin/pfflowd -n 127.0.0.1:2055


If I use netcat to listen on 127.0.0.1 UDP port 2055 while the flowd daemon
is not running I receive nothing:

root at fyrewall:~ #> nc -4 -l -u 127.0.0.1 2055
^C

However, connecting with netcat to port 2055 on 127.0.0.1 with flowd running,
I receive the connection, indicating that flowd is running correctly:

root at fyrewall:~ #> nc -uv -s 127.0.0.1 127.0.0.1 2055
Connection to 127.0.0.1 2055 port [udp/*] succeeded!
^C


So it seems my problem lies with getting traffic out of pfflowd and into
flowd.

Here is my pfflowd start script:

root at fyrewall:~ #> cat /usr/local/etc/rc.d/pfflowd.sh
#!/bin/sh

# Enter the host to send the netflow datagrams to, the format
# is IP:PORT (e.g 127.0.0.1:2055)
host="127.0.0.1:2055"

case "$1" in
        start)
                echo -n " pfflowd"
                /usr/local/sbin/pfflowd -n ${host}
                ;;

        stop)
                if [ ! -f /var/run/pfflowd.pid ]; then
                        echo "pfflowd not running"
                        exit 64
                fi
                kill `cat /var/run/pfflowd.pid`
                ;;
esac

Perhaps someone could offer some assistance?

I also have a pf rule to:

pass quick on pfsync0

And watching the pflog0 interface does not show any blocking going on for
the pfsync0 interface.

Many thanks for any assistance.

Greg (wiqd)
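An added example, not code from pfflowd, flowd or the poster: a small NetFlow v5 checker that binds 127.0.0.1:2055 the way the `nc -l -u` step above does, but validates each datagram's header instead of just showing that something arrived. The point it makes is that `tcpdump -T cnfp` forces NetFlow decoding of every captured packet, so a header printed as "NetFlow v5810, 256 recs" on a port-53 packet is not pfflowd output at all; a real v5 datagram has version 5, 1 to 30 records, and a length of exactly 24 + 48 * count bytes. The v5 header and record layout is the standard one; the address and counter values in the samples are constructed.

```python
"""NetFlow v5 datagram checker (added example, not part of pfflowd or flowd).

Assumption: pfflowd exports NetFlow version 5, which is the format flowd
ingests, and the 24-byte header / 48-byte record layout is the standard v5 one.
"""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records


def validate_v5(datagram):
    """Return (True, header_dict) for a well-formed NetFlow v5 datagram,
    or (False, reason) naming the first check that failed."""
    if len(datagram) < V5_HEADER.size:
        return False, "too short for a v5 header (%d bytes)" % len(datagram)
    (version, count, uptime, secs, _nsecs, seq,
     _engine_type, engine_id, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        return False, "version %d is not NetFlow v5" % version
    if not 1 <= count <= V5_MAX_RECORDS:
        return False, "record count %d outside 1..%d" % (count, V5_MAX_RECORDS)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        return False, "length %d != %d bytes expected for %d records" % (
            len(datagram), expected, count)
    return True, {"version": version, "count": count, "sys_uptime_ms": uptime,
                  "unix_secs": secs, "flow_sequence": seq, "engine_id": engine_id}


def parse_v5_records(datagram):
    """Decode the flow records of a datagram that validate_v5 accepted."""
    ok, info = validate_v5(datagram)
    if not ok:
        raise ValueError(info)
    records = []
    for i in range(info["count"]):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14],
        })
    return records


def build_v5(records, sys_uptime_ms=65536, unix_secs=1138734414, flow_sequence=0):
    """Build a v5 datagram from (src, dst, sport, dport, proto, packets, octets)
    tuples; used here only to produce constructed test input."""
    if not 1 <= len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       0, 0, packets, octets, sys_uptime_ms - 1000, sys_uptime_ms,
                       sport, dport, 0, 0, proto, 0, 0, 0, 32, 32, 0)
        for src, dst, sport, dport, proto, packets, octets in records)
    return header + body


# Constructed sample: one TCP flow in a valid v5 datagram (72 bytes).
GOOD_SAMPLE = build_v5([("192.0.2.10", "198.51.100.5", 40000, 443, 6, 12, 4096)])

# Constructed to mirror what tcpdump -T cnfp printed for the 64-byte port-53
# packet: the first two bytes read as version 0x16b2 = 5810, the next two as
# 0x0100 = 256 records. Nothing about it is NetFlow.
BOGUS_SAMPLE = bytes([0x16, 0xB2, 0x01, 0x00]) + bytes(60)


def listen(host="127.0.0.1", port=2055):
    """Bind like `nc -l -u 127.0.0.1 2055` but report per datagram whether it
    is a real v5 export (flowd must be stopped first, or the bind fails)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    print("listening on %s:%d (stop with Ctrl-C)" % (host, port))
    while True:
        data, peer = sock.recvfrom(65535)
        ok, info = validate_v5(data)
        verdict = ("v5 header %r" % info) if ok else ("rejected: " + info)
        print("%s:%d %d bytes -> %s" % (peer[0], peer[1], len(data), verdict))


if __name__ == "__main__":
    listen()
```

Run it in place of the netcat listener while pfflowd is up: a datagram that passes the header check is genuine pfflowd output, while anything rejected is unrelated traffic that a forced `-T cnfp` decode would have dressed up as NetFlow. Filtering the capture with `udp and port 2055` instead of forcing the decoder answers the same question from the tcpdump side.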
