"ipfw count" equivalent for pf
Louis LeBlanc
FreeBSD at keyslapper.org
Fri Dec 17 10:29:05 PST 2004
On 12/16/04 11:57 AM, patrick sat at the `puter and typed:
> Hi there,
>
> Now that FreeBSD 5.x has pf from OpenBSD, I'm wondering if some of the
> pf experts can help me with porting a simple ipfw configuration from
> FreeBSD 4.x to pf in FreeBSD 5.x.
>
> On our 4.x servers, we have several rules like:
>
> ipfw add count ip from any to x.x.x.x
> ipfw add count ip from x.x.x.x to any
>
> ... to keep track of how much traffic is going through a particular IP
> address. Every night, I capture the data and zero the counters.
>
> Using pf, I'm having a difficult time figuring out how to establish a similar
> ruleset so that I can gather the same sort of data. Someone on the
> openbsd-misc list told me to "add labels to those rules you want to
> account traffic on and use `pfctl -sl` to read their counters." The
> problem is that I'm not sure how to describe the rules using pf. I
> suppose the rules should just pass all traffic to and from my external
> interface, but from all the pf documentation I've read, I can't find
> an example that seems to do this for me.
>
> Can any experts lend a hand here? It seems like this should be
> dead-easy to do, but like many things from the OpenBSD world, it does
> not seem so straightforward to me.
Well, if a novice (more like a beginner) will do, here's something I've
found very useful:
http://www.openbsd.org/faq/pf/index.html
And to answer your specific question, from
http://www.openbsd.org/faq/pf/config.html I've used some of these:
--------
Control
After boot, PF operation can be managed using the pfctl(8) program. Some
example commands are:
# pfctl -f /etc/pf.conf loads the pf.conf file
# pfctl -nf /etc/pf.conf parse the file, but don't load it
# pfctl -Nf /etc/pf.conf Load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf Load only the filter rules from the file
# pfctl -sn Show the current NAT rules
# pfctl -sr Show the current filter rules
# pfctl -ss Show the current state table
# pfctl -si Show filter stats and counters
# pfctl -sa Show EVERYTHING it can show
For a complete list of commands, please see the pfctl(8) man page.
--------
HTH. It certainly seems like changing nat and firewall rules on the fly
is easier with pf. As I read and played with it, it seems to be much
easier, particularly when using tables and lists.
I still have some tweaking to do in my own pf.conf, but it's definitely
cool.
Lou
--
Louis LeBlanc FreeBSD at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org Ô¿Ô¬
Oliver's Law:
Experience is something you don't get until just after you need it.
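The approach patrick was pointed to (label the rules you want to account on, read the counters with `pfctl -sl`, then zero them), as an added example that is not from this thread or the OpenBSD FAQ: labelled pf rules for one monitored address plus a sh script that parses the per-label counters and clears them each night. Assumed, not from the original post: the interface name, the label names, the monitored address, and the four-column `label evaluations packets bytes` layout of `pfctl -sl` output; the sample output is constructed.

```shell
#!/bin/sh
# Assumed pf.conf rules (not from the original post). One label per
# direction gives pf a separate counter for each, which is what the two
# "ipfw add count" rules did. Replace x.x.x.x and fxp0 with your own.
#   ext_if = "fxp0"
#   pass in  on $ext_if from any to x.x.x.x label "acct_in_x"
#   pass out on $ext_if from x.x.x.x to any label "acct_out_x"

# Parse "pfctl -sl" output on stdin. Assumed column layout:
#   label evaluations packets bytes
# Labels are assumed to contain no whitespace. Prints "label packets bytes".
parse_labels() {
    awk 'NF >= 4 { print $1, $3, $4 }'
}

# Print the byte counter for the label given as $1 (0 if it is not present).
bytes_for_label() {
    awk -v want="$1" \
        'NF >= 4 && $1 == want { print $4; found = 1 }
         END { if (!found) print 0 }'
}

# Constructed sample of "pfctl -sl" output so the parsing runs offline.
SAMPLE='acct_in_x 1234 567 89012
acct_out_x 1230 540 73456
other_rule 10 2 128'

# Nightly job: append a dated snapshot of every label to the file named in
# $1, then clear the per-rule statistics with "pfctl -z". Packets that
# arrive between the read and the clear are lost from the log; for
# accounting, treat the figures as approximate at the boundary.
nightly_snapshot() {
    today=$(date +%Y-%m-%d)
    pfctl -sl | parse_labels | while read -r label pkts bytes; do
        printf '%s %s %s %s\n' "$today" "$label" "$pkts" "$bytes"
    done >> "$1"
    pfctl -z
}

# Offline demonstration against the constructed sample.
printf '%s\n' "$SAMPLE" | parse_labels
printf 'acct_in_x bytes: %s\n' "$(printf '%s\n' "$SAMPLE" | bytes_for_label acct_in_x)"
```

On a live system, run `nightly_snapshot /var/log/pf-accounting.log` from cron in place of the offline lines at the end.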