Greetings list,
I seem to be having an issue with using FreeBSD pf / pfflowd and flowd.
I have a working firewall ruleset running on a FreeBSD 5.4-STABLE server
using the FreeBSD port of pf from OpenBSD.
I compiled my own kernel with the
options pfsync
option to get the pfsync0 interface, which is up and working.
I then installed pfflowd and flowd from the FreeBSD ports tree.
If I run pfflowd and run a
# tcpdump -n -i lo0 -s1500 -vvvTcnfp
I see the netflows coming from pfflowd across the pfsync0 interface:
root at fyrewall:~ #> tcpdump -n -i lo0 -s1500 -vvvTcnfp
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 1500 bytes
11:06:54.515048 IP (tos 0x0, ttl 64, id 15359, offset 0, flags [DF],
length: 71) 127.0.0.1.63464 > 127.0.0.1.65270: P [tcp sum ok]
3176441976:3176441995(19) ack 759031372 win 35840 <nop,nop,timestamp
1551309273 1551298204>
11:06:54.516505 IP (tos 0x0, ttl 64, id 15360, offset 0, flags [none],
length: 64) 127.0.0.1.62934 > 127.0.0.1.53: NetFlow v5810, 65.536 uptime,
0.023397729, 256 recs
11:06:54.558983 IP (tos 0x0, ttl 64, id 15362, offset 0, flags [none],
length: 346) 127.0.0.1.53 > 127.0.0.1.62934: NetFlow v5810, 65.540 uptime,
655360.023397729, 33152 recs
started 65.537, last 78250.013
115.45.101.117:1377 > 6.102.97.108:29485 >> 107.97.103.3
6 FRAU tos 102, 65537 (3222011909 octets)
started 842596.711, last 107047.777
103.101.115.117:28001 > 105.116.101.192:27072 >> 27.192.48.0
89 tos 0, 487424 (268722489 octets)
started 25486.848, last 268597.864
200.192.89.0:2657 > 1.0.1.0:27489 >> 0.0.9.0
105 tos 116, 3418382336 (33554688 octets)
started 1824561.344, last 1610613.248
1.132.230.0:256 > 5.2.122.107:388 >> 192.152.192.96
5 tos 2, 99558 (328314 octets)
started 3231236.192, last 131.073
132.230.0.5:1 > 2.122.98.192:34022 >> 152.192.96.0
2 tos 122, 25486848 (84048483 octets)
Pfflowd is running as follows:
nobody 89103 0.0 0.4 1488 1000 ?? Ss Mon08AM 0:02.51
/usr/local/sbin/pfflowd -n 127.0.0.1:2055
If I use netcat to listen on 127.0.0.1 UDP port 2055 while the flowd daemon
is not running I receive nothing:
root at fyrewall:~ #> nc -4 -l -u 127.0.0.1 2055
^C
However connecting with netcat to port 2055 on 127.0.0.1 with flowd running
I receive the connection, indicating that flowd is running correctly:
root at fyrewall:~ #> nc -uv -s 127.0.0.1 127.0.0.1 2055
Connection to 127.0.0.1 2055 port [udp/*] succeeded!
^C
So it seems my problem lies with getting traffic out of pfflowd and into
flowd.
Here is my pfflowd start script:
root at fyrewall:~ #> cat /usr/local/etc/rc.d/pfflowd.sh
#!/bin/sh
# Enter the host to send the netflow datagrams to, the format
# is IP:PORT (e.g. 127.0.0.1:2055)
host="127.0.0.1:2055"

case "$1" in
start)
        echo -n " pfflowd"
        /usr/local/sbin/pfflowd -n ${host}
        ;;
stop)
        if [ ! -f /var/run/pfflowd.pid ]; then
                echo "pfflowd not running"
                exit 64
        fi
        kill `cat /var/run/pfflowd.pid`
        ;;
esac
Perhaps someone could offer some assistance?
I also have a pf rule to:
pass quick on pfsync0
And watching the pflog0 interface does not show any blocking going on for
the pfsync0 interface.
Many thanks for any assistance.
Greg (wiqd)
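As an added example (not part of Greg's post, nor pfflowd's or flowd's own code), the following Python script decodes a NetFlow v5 export datagram of the kind pfflowd sends to the collector address, so one can bind 127.0.0.1:2055 (with flowd stopped, since it owns that port) and see whether anything arrives and whether it parses as NetFlow v5. The sample datagram it builds is constructed test data, not a real capture.

```python
import socket
import struct

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte flow records.
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
NETFLOW_V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 datagram; raise ValueError if it is not well-formed v5."""
    if len(datagram) < NETFLOW_V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = NETFLOW_V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    records = []
    for i in range(count):
        f = NETFLOW_V5_RECORD.unpack_from(datagram, NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size)
        # Field order: src, dst, nexthop, input, output, dPkts, dOctets, First, Last,
        # srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, masks, pad2.
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14],
        })
    return {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
            "flow_sequence": flow_seq, "records": records}


def build_sample_datagram() -> bytes:
    """Constructed NetFlow v5 datagram with a single TCP flow record (sample data)."""
    header = NETFLOW_V5_HEADER.pack(5, 1, 65536, 1_120_000_000, 0, 42, 0, 0, 0)
    record = NETFLOW_V5_RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
        socket.inet_aton("0.0.0.0"), 0, 0, 12, 3456, 65537, 78250,
        40512, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


def listen_once(host: str = "127.0.0.1", port: int = 2055, timeout: float = 10.0):
    """Bind the collector port (stop flowd first) and decode the first datagram received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((host, port))
        data, peer = s.recvfrom(65535)
    return peer, parse_netflow_v5(data)


if __name__ == "__main__":
    print(parse_netflow_v5(build_sample_datagram()))
```

Run `listen_once()` on the firewall with flowd stopped: a timeout means no datagram reached 127.0.0.1:2055, while a ValueError means something arrived but was not NetFlow v5.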