Network accounting
Chuck Swiger
cswiger at mac.com
Mon Jan 17 14:05:25 PST 2005
Andrew Seguin wrote:
[ ... ]
> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?
>
> I already have counts of my up & down traffic. Actually, I have a bypass
> rule for 'normal' traffic (web/email/dns/icmp/etc), and then a pipe to
> control bandwidth (mainly because of downloaders). With some scripting, the
> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).
Consider these rules:
ipfw pipe 1 config mask src-ip 0xffffffff buckets 512
ipfw pipe 2 config mask src-ip 0xffffffff buckets 512
ipfw pipe 3 config mask src-ip 0xffffffff buckets 512
ipfw add 10 pipe 1 tcp from 192.168.1.0/24 to any
ipfw add 20 pipe 2 udp from 192.168.1.0/24 to any
ipfw add 30 pipe 3 icmp from 192.168.1.0/24 to any
If you do an "ipfw pipe show", you'll see output like:
00001: unlimited         0 ms     50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0        0.0.0.0/0           5      558  0    0   0
172 ip       192.168.1.2/0        0.0.0.0/0         461    30425  0    0   0
174 ip       192.168.1.3/0        0.0.0.0/0         679    38468  0    0   0
00002: unlimited         0 ms     50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0        0.0.0.0/0           7      432  0    0   0
170 ip       192.168.1.1/0        0.0.0.0/0          56     7986  0    0   0
172 ip       192.168.1.2/0        0.0.0.0/0          77     5172  0    0   0
00003: unlimited         0 ms     50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0        0.0.0.0/0           5      420  0    0   0
170 ip       192.168.1.1/0        0.0.0.0/0           2      168  0    0   0
172 ip       192.168.1.2/0        0.0.0.0/0          26     1988  0    0   0
...after I did a few pings and a non-local traceroute. In other words, you
don't need to create rules for each host, but you would for each protocol. If
you need to break things up more finely, you can also add port #'s to look for
HTTP versus IRC versus whatever, too.
--
-Chuck
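The missing piece for the "csv per ip" that Andrew asked for is turning the `ipfw pipe show` output above into rows he can append to his log. The script below is an added example, not part of Chuck's post or of ipfw itself. It assumes the three pipes exactly as Chuck configured them (pipe 1 = tcp, pipe 2 = udp, pipe 3 = icmp, all `mask src-ip 0xffffffff`), and it feeds the parser a constructed copy of the output shown in the post rather than talking to a live kernel, so it runs anywhere with sh and awk. The function names (`sample_pipe_show`, `pipes_to_csv`, `per_ip_totals`) and the `PIPE_PROTO` mapping are this example's own.

```shell
#!/bin/sh
# Added example: convert "ipfw pipe show" (dummynet, src-ip masked pipes)
# into per-host, per-protocol CSV. Not from the original post.

# Constructed sample of "ipfw pipe show" output; the numbers are the ones
# Chuck posted, re-typed here so the script runs offline.
sample_pipe_show() {
    cat <<'EOF'
00001: unlimited         0 ms     50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0        0.0.0.0/0           5      558  0    0   0
172 ip       192.168.1.2/0        0.0.0.0/0         461    30425  0    0   0
174 ip       192.168.1.3/0        0.0.0.0/0         679    38468  0    0   0
00002: unlimited         0 ms     50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0        0.0.0.0/0           7      432  0    0   0
170 ip       192.168.1.1/0        0.0.0.0/0          56     7986  0    0   0
172 ip       192.168.1.2/0        0.0.0.0/0          77     5172  0    0   0
00003: unlimited         0 ms     50 sl. 3 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
164 ip       192.168.1.6/0        0.0.0.0/0           5      420  0    0   0
170 ip       192.168.1.1/0        0.0.0.0/0           2      168  0    0   0
172 ip       192.168.1.2/0        0.0.0.0/0          26     1988  0    0   0
EOF
}

# Pipe number -> protocol label. Must match the ipfw rules that feed the
# pipes ("ipfw add 10 pipe 1 tcp ..." etc.); an unknown pipe is labelled pipeN.
PIPE_PROTO="1:tcp 2:udp 3:icmp"

# stdin: "ipfw pipe show" output.  stdout: proto,ip,packets,bytes
pipes_to_csv() {
    awk -v map="$PIPE_PROTO" '
    BEGIN {
        n = split(map, m, " ")
        for (i = 1; i <= n; i++) { split(m[i], kv, ":"); proto[kv[1] + 0] = kv[2] }
    }
    /^[0-9]+:/ {                      # "00001: unlimited ..." opens a new pipe
        p = $1; sub(/:$/, "", p); pipe = p + 0
        next
    }
    $2 == "ip" && index($3, "/") > 0 { # bucket row: BKT Prot src/port dst/port Tot_pkt Tot_bytes ...
        split($3, src, "/")            # strip the /port half of the masked source
        name = (pipe in proto) ? proto[pipe] : ("pipe" pipe)
        print name "," src[1] "," $5 "," $6
    }'
}

# stdin: CSV from pipes_to_csv.  stdout: ip,packets,bytes summed over protocols.
per_ip_totals() {
    awk -F, '{ pk[$2] += $3; by[$2] += $4 }
             END { for (ip in pk) print ip "," pk[ip] "," by[ip] }' | sort
}

# On the gateway itself you would run:  ipfw pipe show | pipes_to_csv >> traffic.csv
# Stand-alone demo on the constructed sample:
sample_pipe_show | pipes_to_csv
sample_pipe_show | pipes_to_csv | per_ip_totals
```

Two caveats for anyone wiring this into a cron job: the Tot_pkt/bytes columns are cumulative for as long as the pipe exists, so store the snapshot and diff against the previous one rather than summing raw rows; and Chuck's rules only match `from 192.168.1.0/24 to any`, so the figures are outbound only. Inbound per-host counts need a second set of pipes keyed on the other address (`mask dst-ip 0xffffffff`, with rules `from any to 192.168.1.0/24`), which is my extension of his setup, not something he described.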