Greetings,

I have a firewall running -STABLE. I'm using ipfw2 for filtering and ng_netgraph (via ng_tee) to export netflow data.

According to the man page for ng_ether, the lower hook gets raw ethernet frames as they come off the wire. Reading the man page for ipfw, it seems to say that if I turn on net.link.ether.ipfw in sysctl, it will also get things as they come off the wire.

So my question is, which one gets them first?

The reason I ask is that if I have an ipfw rule to block traffic from an IP, will it get counted by ng_netgraph? Or will ipfw drop the packet before it even gets to ng_ether?

If the packets go through ng_ether first and then through ipfw, does anyone know if it's possible to reverse that behavior? I'm doing billing based on traffic and don't want the netflow data to include packets that were dropped by ipfw.

Thanks in advance for any insight.

-Glenn
oops s/ng_netgraph/ng_netflow/g

-Glenn

At 11:59 PM 7/29/2004, Glenn Dawson wrote:
Alexander Vasenin aka BlackSir
2004-Jul-30 00:47 UTC
clarification regarding netgraph and ipfw
Maybe this is a rather crucial solution, but ng_netflow can deal with raw IP (and not only Ethernet), so you can set a 'divert' or 'tee' rule for passing traffic from an arbitrary place in ipfw to ng_ksocket, which is connected to ng_netflow (which exports NetFlow through another ng_ksocket). I use tee (with the 'tee' patch described in PR/60377).

Alexander Vasenin aka BlackSir

> -----Original Message-----
> From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Glenn Dawson
> Sent: Friday, July 30, 2004 11:00 AM
> To: stable@freebsd.org
> Subject: clarification regarding netgraph and ipfw
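The layout Alexander describes, written out as an added example (it is not code from either poster): ipfw deny rules first, then a 'tee' rule that copies whatever survived them to a divert port, an ng_ksocket bound to that port feeding ng_netflow's iface0, and a second ng_ksocket on the export hook sending NetFlow to a collector. Because the tee rule sorts after the deny rules, a packet that ipfw drops is never seen by ng_netflow, which is exactly what the billing use case needs. The interface name, rule numbers, divert port, collector address and blocked host are placeholders, and the exact ngctl message sequence is my reading of ng_netflow(4) and ng_ksocket(4); check it against the man pages on the system it will run on.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Generates (and with "apply" installs) the ipfw rules and the ngctl script
# for exporting NetFlow only for traffic that ipfw lets through.
#
# Assumptions / placeholders (override via environment):
IFACE=${IFACE:-fxp0}                      # outside interface
DIVERT_PORT=${DIVERT_PORT:-3000}          # divert port ng_ksocket binds to
COLLECTOR=${COLLECTOR:-192.0.2.10:9995}   # NetFlow collector ip:port
BLOCKED=${BLOCKED:-198.51.100.77}         # example host to deny

# Rule numbers. The invariant that makes this work for billing:
# every deny rule must sort before the tee rule, so a dropped packet
# never reaches the divert socket (and therefore never reaches ng_netflow).
DENY_RULE=100
TEE_RULE=1000
ALLOW_RULE=65000

# ngctl script. A temporary hook on out0 is used only to create the node;
# it is removed at the end, so out0 stays unconnected and the accounted
# copy is discarded by ng_netflow instead of being re-injected anywhere.
netgraph_script() {
    cat <<EOF
mkpeer . netflow tmp out0
name .:tmp netflow
mkpeer netflow: ksocket iface0 inet/raw/divert
msg netflow:iface0 bind inet/0.0.0.0:${DIVERT_PORT}
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/${COLLECTOR}
rmhook . tmp
EOF
}

# ipfw rules, in the order they will match. 'tee' sends a copy to the
# divert socket and continues with the next rule, so the original packet
# is still subject to the final allow/deny decision below it.
ipfw_rules() {
    cat <<EOF
add ${DENY_RULE} deny ip from ${BLOCKED} to any
add ${DENY_RULE} deny ip from any to ${BLOCKED}
add ${TEE_RULE} tee ${DIVERT_PORT} ip from any to any via ${IFACE}
add ${ALLOW_RULE} allow ip from any to any
EOF
}

# Guard run before applying: deny < tee < allow by rule number.
check_order() {
    [ "${DENY_RULE}" -lt "${TEE_RULE}" ] && [ "${TEE_RULE}" -lt "${ALLOW_RULE}" ]
}

if [ "$1" = "apply" ]; then
    check_order || { echo "rule numbering violates deny < tee < allow" >&2; exit 1; }
    netgraph_script | ngctl -f -
    # one ipfw invocation per generated line; word splitting is intended
    ipfw_rules | while read -r rule; do ipfw -q $rule; done
fi
```

Note the flip side of the ordering: any 'allow' rule placed before the tee rule also bypasses accounting, so keep the tee rule immediately ahead of the final allow rules and put only deny rules above it. Run without arguments the script only prints nothing; `sh script.sh apply` installs the netgraph and the rules.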