ng_nat+ng_netflow+mpd4 - ?
wel at skm.net.ua
wel at skm.net.ua
Thu Sep 27 15:28:20 PDT 2007
Hello
I want to count ALL traffic passing through my gateway, but I don't want to use tools such as
softflowd because ng_netflow is already there, and I also want to use NAT from
netgraph — may I :)?
I have:
#ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 10.11.2.1 netmask 0xffffff00 broadcast 10.11.2.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.100.99 netmask 0xffffff00 broadcast 192.168.100.255
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
pfsync0: flags=0<> mtu 2020
syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
# uname -r
6.2-RELEASE-p7
rl0 - local network
rl1 - internet
#cat KERNEL
options LIBALIAS
options NETGRAPH
options NETGRAPH_ASYNC
options NETGRAPH_BPF
options NETGRAPH_BRIDGE
options NETGRAPH_CISCO
options NETGRAPH_DEVICE
options NETGRAPH_ECHO
options NETGRAPH_EIFACE
options NETGRAPH_ETHER
options NETGRAPH_GIF
options NETGRAPH_GIF_DEMUX
options NETGRAPH_TAG
options NETGRAPH_TCPMSS
options NETGRAPH_FEC
options NETGRAPH_HOLE
options NETGRAPH_IFACE
options NETGRAPH_IP_INPUT
options NETGRAPH_KSOCKET
options NETGRAPH_L2TP
options NETGRAPH_LMI
options NETGRAPH_NETFLOW
options NETGRAPH_ONE2MANY
options NETGRAPH_PPP
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPPOE
options NETGRAPH_PPTPGRE
options NETGRAPH_RFC1490
options NETGRAPH_SOCKET
options NETGRAPH_SPLIT
options NETGRAPH_TEE
options NETGRAPH_TTY
options NETGRAPH_UI
options NETGRAPH_VJC
options NETGRAPH
options NETGRAPH_IPFW
options NETGRAPH_NAT
options NETGRAPH_NETFLOW
options NETGRAPH_SPLIT
options NETGRAPH_KSOCKET
options NETGRAPH_SOCKET
options NETGRAPH_IFACE
options NETGRAPH_TCPMSS
flow-capture + ng_netflow + this script work fine:
#ngctl -f /ng_netflow
#cat /ng_netflow
mkpeer rl1: tee lower left
name rl1:lower tee0
connect rl1: rl1:lower upper right
mkpeer tee0: one2many left2right many0
name tee0:left2right one2many0
connect tee0: one2many0: right2left many1
mkpeer one2many0: netflow one iface0
name one2many0:one netflow
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow: setifindex { iface=0 index=2 }
msg netflow:export connect inet/127.0.0.1:2222
I found this script:
When I apply the ipfw rules my computer loses its network connection. I tried mixing up in/out
and 70/71 in the rules, but nat+netflow still don't work. If I use only ipfw rules 200 and
201, it doesn't work either:
/sbin/ipfw add 110 ngtee 30 ip from any to any out via ng*
/sbin/ipfw add 111 ngtee 30 ip from any to any in via ng*
/sbin/ipfw add 200 netgraph 71 all from not $LOCAL_NET to $EXT_IP out
via rl1
/sbin/ipfw add 201 netgraph 70 all from $LOCAL_NET to not $LOCAL_NET in
via rl1
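#!/bin/sh
#
# Build the netgraph NAT + NetFlow graph for a FreeBSD gateway, wire it into
# ipfw, and start flow-capture to receive the exported flows.
#
#   rl1 = external (Internet) interface, rl0 = local network
#
# Requires NETGRAPH, NETGRAPH_IPFW, NETGRAPH_NAT, NETGRAPH_NETFLOW and
# NETGRAPH_KSOCKET in the kernel, and must run as root.
#
# Stop at the first failing ngctl/ipfw command: carrying on would install
# ipfw rules that divert traffic into netgraph hooks that were never created
# (such packets are simply lost).
set -eu

EXT_IP="192.168.100.99"     # address aliased onto outgoing traffic
LOCAL_NET="10.11.2.0/24"    # network behind the gateway (rl0)

# Install the pass-everything rule first, so a failure later in this script
# cannot leave the box without a matching rule (a default-deny kernel would
# otherwise lock us out).  ipfw orders rules by number, not insertion order,
# so 6400 still runs last.
# NOTE: this is the only filtering rule in the set -- the gateway passes all
# traffic; the real policy belongs in front of 6400.
/sbin/ipfw add 6400 allow all from any to any

# --- NAT node: hook 70 = "out" (alias), hook 71 = "in" (de-alias) -----------
/usr/sbin/ngctl mkpeer ipfw: nat 70 out
/usr/sbin/ngctl name ipfw:70 nat
/usr/sbin/ngctl connect ipfw: nat: 71 in
/usr/sbin/ngctl msg nat: setaliasaddr "$EXT_IP"

# --- NetFlow node on hook 30; ipfw hands it raw IP, hence DLT_RAW (12) ------
# The message bodies are quoted so they reach ngctl as a single argument
# regardless of the invoking shell.
/usr/sbin/ngctl mkpeer ipfw: netflow 30 iface0
/usr/sbin/ngctl name ipfw:30 netflow
/usr/sbin/ngctl msg netflow: setdlt '{iface=0 dlt=12}'
/usr/sbin/ngctl msg netflow: setifindex '{iface=0 index=1}'
/usr/sbin/ngctl mkpeer netflow: ksocket export inet/dgram/udp
/usr/sbin/ngctl msg netflow:export connect inet/127.0.0.1:2222

# Packets coming back from a netgraph node re-enter ipfw at the next rule
# instead of being accepted immediately (needed so NAT'ed packets are still
# filtered/accounted after translation).
/sbin/sysctl net.inet.ip.fw.one_pass=0

# Copy (ngtee) traffic on the netgraph interfaces (the mpd links) to the
# netflow node.  'ng*' is quoted so the shell cannot expand it as a filename
# glob against the current directory.
# NOTE(review): only ng* interfaces are counted by these two rules; traffic
# on rl0/rl1 itself is not -- add matching rules for those interfaces if
# "all traffic" is the goal.
/sbin/ipfw add 110 ngtee 30 ip from any to any out via 'ng*'
/sbin/ipfw add 111 ngtee 30 ip from any to any in via 'ng*'

# NAT diversion.  The ipfw direction must match the ng_nat hook: packets that
# arrive *in* via rl1 go to the "in" hook (71) to be de-aliased, packets that
# leave *out* via rl1 go to the "out" hook (70) to be aliased (see ng_nat(4)).
# The original rules had in/out the wrong way round, so nothing was
# translated.
/sbin/ipfw add 200 netgraph 71 all from not "$LOCAL_NET" to "$EXT_IP" in via rl1
/sbin/ipfw add 201 netgraph 70 all from "$LOCAL_NET" to not "$LOCAL_NET" out via rl1

# Collector for the exported flows; the last argument is local-ip/remote-ip/port.
# NOTE(review): 0.0.0.0 listens on every interface and relies on the
# remote-ip filter alone; binding to 127.0.0.1 would keep the collector
# reachable only from the exporter on this host -- confirm before changing.
/usr/local/bin/flow-capture -n 287 -w /var/db/flows/ 0.0.0.0/127.0.0.1/2222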