[netflow-tools] softflowd questions
Damien Miller
djm at mindrot.org
Mon Aug 20 20:11:31 EST 2007
On Thu, 16 Aug 2007, Douglas Choma wrote:
> Sorry if this has been answered elsewhere... I didn't find a mailing
> list archive.
>
> I'm trying to set up my Linux "router" to monitor Internet bandwidth
> usage (using Netflow). But I'm a little confused on a few issues:
>
> 1) Do I only need to monitor the external interface? Will that give
> me data about the source IP from internal requests? Or will the
> NAT'd packet contain the firewall's address as the source?
No - if you are performing NAT then you will need to monitor the internal
interface. Alternately, I believe that there is a pflowd[1] equivalent
for Linux that exports flows directly when NAT/conntrack states expire.
This is likely to be more efficient than softflowd for your use, but
unfortunately I can't remember the name of the software.
> 2) With the external interface in promiscuous mode, won't that open
> up the firewall to unwanted security risks?
It does increase your attack surface - any software that listens to the
network does. On the other hand, softflowd is pretty simple and doesn't
look past the packet headers.
A conntrack-based exporter does not raise your attack surface as much
as it only listens to kernel messages, which are hopefully more trusted.
Hope this helps.
-d
[1] http://www.mindrot.org/projects/pfflowd/
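An added illustration of the NAT point above (example code, not from the thread, from softflowd or from pfflowd): a toy softflowd-style flow aggregator run over constructed packets from two internal hosts, once as seen on the internal interface and once after source NAT as seen on the external interface. The addresses, ports and port-allocation scheme are all assumed sample values.

```python
# Added illustration, not part of the thread: flows seen on the internal vs.
# external interface of a NAT router. All addresses/packets are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    length: int

NAT_ADDR = "203.0.113.1"  # hypothetical public address of the firewall

def apply_snat(pkt, port_map):
    """Source NAT as the router does it: rewrite src to the firewall's
    address and allocate a distinct public source port per internal socket."""
    key = (pkt.src, pkt.sport)
    if key not in port_map:
        port_map[key] = 40000 + len(port_map)
    return Packet(NAT_ADDR, pkt.dst, port_map[key], pkt.dport, pkt.length)

def aggregate_flows(packets):
    """softflowd-style aggregation: bytes per unidirectional 5-tuple."""
    flows = defaultdict(int)
    for p in packets:
        flows[(p.src, p.dst, p.sport, p.dport)] += p.length
    return dict(flows)

def bytes_per_source(flows):
    """Bandwidth attribution: total bytes per source address."""
    totals = defaultdict(int)
    for (src, _dst, _sport, _dport), nbytes in flows.items():
        totals[src] += nbytes
    return dict(totals)

# constructed sample traffic: two internal hosts talking to two servers
INTERNAL_PACKETS = [
    Packet("192.168.1.10", "198.51.100.5", 51000, 443, 1500),
    Packet("192.168.1.10", "198.51.100.5", 51000, 443, 1500),
    Packet("192.168.1.20", "198.51.100.9", 52000, 80, 600),
]

def compare_vantage_points(packets=INTERNAL_PACKETS):
    """Return (per-source bytes on internal if, per-source bytes on external if)."""
    port_map = {}
    external = [apply_snat(p, port_map) for p in packets]
    return (bytes_per_source(aggregate_flows(packets)),
            bytes_per_source(aggregate_flows(external)))
```

On the external interface every flow carries the firewall's address as source, so per-host attribution is lost even though the individual 5-tuples remain distinct; a conntrack-based exporter sees both the pre- and post-NAT tuples and so avoids the problem.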