[netflow-tools] softflowd questions

Damien Miller djm at mindrot.org
Mon Aug 20 20:11:31 EST 2007

On Thu, 16 Aug 2007, Douglas Choma wrote:

> Sorry if this has been answered elsewhere... I didn't find an mailing  
> list archive.
> I'm trying to set up my Linux "router" to monitor Internet bandwidth  
> usage (using Netflow).  But I'm a little confused on a few issues:
> 1) Do I only need to monitor the external interface?  Will that give  
> me data about the source IP from internal requests?  Or will the  
> NAT'd packet contain the firewall's address as the source?

No - if you are perfoming NAT then you will need to monitor the internal
interface. Alternately, I believe that there is a pflowd[1] equivalent
for Linux that exports flows directly when NAT/conntrack states expire.
This is likely to be more efficient than softflowd for your use, but
unfortunately I can't remember the name of the software.

> 2) With the external interface in promiscuous mode, won't that open  
> up the firewall to unwanted security risks?

It does increase your attack surface - any software that listens to the
network does. On the other hand, softflowd is pretty simple and doesn't
look past the packet headers.

A conntrack-based exporter does not raise your attack surface as much
as it only listens to kernel messages, which are hopefully more trusted.

Hope this helps.


[1] http://www.mindrot.org/projects/pfflowd/

More information about the netflow-tools mailing list