[netflow-tools] freebsd 6.1, pflowd, and virtual IPs

Emerald City / Daniel Duerr dd at emeraldcityeg.com
Mon Jul 10 04:08:31 EST 2006


Hi,

For some reason I keep getting core dumps when I try to "tcpdump -pni 
pfsync0" on my firewall.  pfsync_enable="YES" is configured in my 
/etc/rc.conf file and pfflowd is definitely producing output to my 
netflow collector, it's just for the single IP of the firewall itself.  I 
ran a "pfctl -ss" to view the state table and I see a lot of lines like 
this:

self tcp 192.168.1.140:443 <- x.x.x.40:443 <- y.y.y.y:50970 TIME_WAIT:TIME_WAIT

Where the address on the left is the private IP of one of my web 
servers, x.x.x.40 is the public IP of that server (a virtual IP on the 
firewall), and y.y.y.y is the public IP of the remote connection.  This 
particular example is pretty common for me -- a state tracking for a 
remote user who connected to my web server via https.

My not being able to tcpdump the pfsync0 interface definitely concerns 
me, and may be part of a problem?  Regardless, it appears my system is 
tracking some states to the virtual IPs.

Hope this helps.  Appreciate your advice, Damien.

Cheers,
Daniel

Damien Miller wrote:
> Emerald City / Daniel Duerr wrote:
>> Hello,
>>
>> I've successfully deployed pfflowd on my freebsd 6.1-STABLE w/PF 
>> router/firewall and have it feeding its netflows to my collector on 
>> another machine.  This router/firewall does bidirectional 1:1 NAT for a 
>> bunch of dedicated servers at a colo facility, so it's got a bunch of 
>> virtual IPs assigned to its outside interface in addition to its own IP. 
>>   Everything is working fine between the flow generator & collector, 
>> except that all the traffic is being reported against the primary IP of 
>> the router/firewall, not the virtual IPs that the traffic were used on. 
>>   Anyone know of a way to make it behave the way I'd like?  I use this 
>> for traffic accounting purposes so it is critical that I have this level 
>> of detail...
> 
> pfflowd should report whatever is recorded in the pfsync records. Does
> a manual tcpdump of the pfsync interface show the correct addresses?
> 
> -d
> 
> 

-- 
Daniel Duerr | President | Emerald City Entertainment Group, LLC
dd at emeraldcityeg.com | +1 (831) 621-1767 | www.emeraldcityeg.com
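
Added example, not part of the original message or of pfflowd: a small parser for `pfctl -ss` lines in the layout quoted above (private address, translated/virtual address, remote address), which tallies states per translated address so you can confirm which virtual IPs the state table is actually tracking. The sample lines are constructed with documentation addresses, the function names are hypothetical, and only the IPv4 `addr:port` form is handled.

```python
import re
from collections import Counter

# Layout assumed from the state line in the message:
#   IFACE PROTO LAN <- GWY <- EXT STATE   (translated; "->" when outbound)
#   IFACE PROTO LAN -> EXT STATE          (no translation, no middle host)
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+(?P<d1><-|->)\s+(?P<b>\S+)"
    r"(?:\s+(?:<-|->)\s+(?P<c>\S+))?\s+(?P<state>\S+)$"
)

def split_host(host):
    """Split 'addr:port' (IPv4 form only) into (addr, port)."""
    addr, _, port = host.rpartition(":")
    return (addr, int(port)) if addr and port.isdigit() else (host, None)

def parse_state(line):
    """Return a dict for one state line, or None if it does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    hosts = [split_host(m[k]) for k in ("a", "b", "c") if m[k]]
    return {
        "ifname": m["ifname"],
        "proto": m["proto"],
        "direction": "in" if m["d1"] == "<-" else "out",
        "lan": hosts[0],
        "gwy": hosts[1] if len(hosts) == 3 else None,  # translated address
        "ext": hosts[-1],
        "state": m["state"],
    }

def per_gateway_counts(text):
    """Count translated states per gateway (virtual) address."""
    states = filter(None, map(parse_state, text.splitlines()))
    return Counter(s["gwy"][0] for s in states if s["gwy"])

# Constructed sample input (not captured from a real firewall).
SAMPLE = """\
self tcp 192.168.1.140:443 <- 192.0.2.40:443 <- 198.51.100.7:50970 TIME_WAIT:TIME_WAIT
self tcp 192.168.1.140:443 <- 192.0.2.40:443 <- 198.51.100.9:41812 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.140:40000 -> 192.0.2.40:40000 -> 203.0.113.80:80 ESTABLISHED:ESTABLISHED
self tcp 192.168.1.141:25 <- 192.0.2.41:25 <- 203.0.113.5:33210 FIN_WAIT_2:FIN_WAIT_2
self udp 192.0.2.1:123 -> 203.0.113.20:123 MULTIPLE:SINGLE
"""

if __name__ == "__main__":
    for addr, n in sorted(per_gateway_counts(SAMPLE).items()):
        print(f"{addr}\t{n} translated states")
```

On the firewall, the output of `pfctl -ss` can be passed to `per_gateway_counts()` in place of `SAMPLE`.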


