Sorry if this has been answered elsewhere... I didn't find a mailing list archive.

I'm trying to set up my Linux "router" to monitor Internet bandwidth usage (using Netflow). But I'm a little confused on a few issues:

1) Do I only need to monitor the external interface? Will that give me data about the source IP from internal requests? Or will the NAT'd packet contain the firewall's address as the source?

2) With the external interface in promiscuous mode, won't that open up the firewall to unwanted security risks?

Please forgive my ignorance on this stuff.
Douglas Choma wrote:
> Sorry if this has been answered elsewhere... I didn't find a mailing
> list archive.
>
> I'm trying to set up my Linux "router" to monitor Internet bandwidth
> usage (using Netflow). But I'm a little confused on a few issues:
>
> 1) Do I only need to monitor the external interface? Will that give
> me data about the source IP from internal requests? Or will the
> NAT'd packet contain the firewall's address as the source?

Softflowd uses pcap to get the packets which it then converts to flows. It essentially sees the same data that tcpdump would. On all systems (including Linux), pcap sees the packet immediately before being sent on the wire, or immediately after receiving it from the wire.

If you use softflowd on the external interface of a NAT, you will see the translated IPs and not the ones of your internal hosts. There are few cases in which you can't tell softflowd to monitor the internal interface.

> 2) With the external interface in promiscuous mode, won't that open
> up the firewall to unwanted security risks?

Short: I, personally, haven't heard of such a thing.

Long: A network card usually only captures the frames whose destination MAC address is either broadcast or the burned-in MAC address of the card. Promiscuous mode changes this behaviour and tells the NIC to capture all frames even if they have a different destination MAC than the burned-in one. In today's networks, this makes little difference, as switches usually filter such frames (this is in fact their very purpose). Anyway, supposing you have an old hub network and one of your interfaces is in promiscuous mode. The single consequence is that a lot of silly frames won't be dropped by the NIC, but by the operating system.
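The following is an added illustration of the point made in this reply; it is not softflowd code and not from anyone in this thread. It simulates a pcap-style flow probe (packets grouped into flows by 5-tuple, bytes summed per flow) on the internal side of a NAT router and on the external side after source NAT has been applied. All addresses, the router's public address, and the port-rewrite scheme are constructed for the example.

```python
"""Added example (not softflowd's code): why a flow probe on the external
interface of a NAT router cannot attribute traffic to internal hosts."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int


# Constructed addresses (documentation ranges); the router's external address.
ROUTER_PUBLIC_IP = "203.0.113.1"

# Constructed packets as pcap would see them on the *internal* interface,
# i.e. before the kernel rewrites the source address.
INTERNAL_VIEW: List[Packet] = [
    Packet("192.168.1.10", "198.51.100.20", "tcp", 40001, 80, 1500),
    Packet("192.168.1.10", "198.51.100.20", "tcp", 40001, 80, 1500),
    Packet("192.168.1.11", "198.51.100.20", "tcp", 40002, 80, 700),
    Packet("192.168.1.12", "198.51.100.30", "udp", 5000, 53, 80),
]


def apply_snat(pkt: Packet, public_ip: str, port_map: Dict[Tuple[str, int], int]) -> Packet:
    """Source NAT as done before the packet reaches the external interface:
    every internal source becomes the router's address and the source port
    may be rewritten (here: a simple sequential mapping, an assumption)."""
    key = (pkt.src, pkt.sport)
    if key not in port_map:
        port_map[key] = 50000 + len(port_map)
    return pkt._replace(src=public_ip, sport=port_map[key])


def external_view(packets: List[Packet], public_ip: str = ROUTER_PUBLIC_IP) -> List[Packet]:
    """The same packets as pcap would see them on the external interface."""
    port_map: Dict[Tuple[str, int], int] = {}
    return [apply_snat(p, public_ip, port_map) for p in packets]


def aggregate_flows(packets: List[Packet]) -> Dict[tuple, Dict[str, int]]:
    """Group packets into flows keyed by the 5-tuple, as a flow probe does,
    summing packet and byte counters per flow."""
    flows: Dict[tuple, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p.length
    return dict(flows)


def bytes_per_source(flows: Dict[tuple, Dict[str, int]]) -> Dict[str, int]:
    """Per-source-address byte totals, which is what a bandwidth report needs."""
    totals: Dict[str, int] = defaultdict(int)
    for (src, *_rest), counters in flows.items():
        totals[src] += counters["bytes"]
    return dict(totals)


if __name__ == "__main__":
    # Internal side: one total per internal host.
    print("internal:", bytes_per_source(aggregate_flows(INTERNAL_VIEW)))
    # External side: every internal host has collapsed into the router address.
    print("external:", bytes_per_source(aggregate_flows(external_view(INTERNAL_VIEW))))
```

The external-side report still has the right number of flows and the right byte total, but every flow's source is the router's public address, so per-host accounting is impossible there. That is the reason to point the probe at the internal interface.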
On Aug 16, 2007, at 4:10 PM, Cristian KLEIN wrote:
> Softflowd uses pcap to get the packets which it then converts to
> flows.
> It essentially sees the same data that tcpdump would. On all systems
> (including Linux), pcap sees the packet immediately before being
> sent on
> the wire, or immediately after receiving it from the wire.
>
> If you use softflowd on the external interface of a NAT, you will see
> the translated IPs and not the ones of your internal hosts. There are
> few cases in which you can't tell softflowd to monitor the internal
> interface.

So then it makes more sense to use softflowd on the *internal* interface, and capture the packets (flows) to/from the Internet before the addresses are NAT'd? I'm guessing there are all sorts of possible uses for softflowd, but I'm just wanting to figure out a "best practice".

Thanks for your help. :-)
On Thu, 16 Aug 2007, Douglas Choma wrote:
> Sorry if this has been answered elsewhere... I didn't find a mailing
> list archive.
>
> I'm trying to set up my Linux "router" to monitor Internet bandwidth
> usage (using Netflow). But I'm a little confused on a few issues:
>
> 1) Do I only need to monitor the external interface? Will that give
> me data about the source IP from internal requests? Or will the
> NAT'd packet contain the firewall's address as the source?

No - if you are performing NAT then you will need to monitor the internal interface. Alternately, I believe that there is a pfflowd[1] equivalent for Linux that exports flows directly when NAT/conntrack states expire. This is likely to be more efficient than softflowd for your use, but unfortunately I can't remember the name of the software.

> 2) With the external interface in promiscuous mode, won't that open
> up the firewall to unwanted security risks?

It does increase your attack surface - any software that listens to the network does. On the other hand, softflowd is pretty simple and doesn't look past the packet headers. A conntrack-based exporter does not raise your attack surface as much as it only listens to kernel messages, which are hopefully more trusted.

Hope this helps.

-d

[1] http://www.mindrot.org/projects/pfflowd/
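As an added example of the conntrack-based approach described in this reply (it is not pfflowd's code nor that of any real Linux exporter), the script below turns connection-tracking expiry events into flow records. Each expired state carries both the original tuple (the internal host's pre-NAT address) and the reply tuple (the translated address the outside world saw), so per-host accounting works even though the exporter never sniffs an interface. The event lines are constructed in the style of `conntrack -E` output; the exact field layout, and the presence of `packets=`/`bytes=` counters (which needs connection accounting enabled in the kernel), are assumptions, and the parser treats a state without counters as unattributable rather than guessing.

```python
"""Added example (not pfflowd or any real exporter): build flow records from
constructed conntrack expiry events, keeping the pre-NAT internal source."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed lines modelled on `conntrack -E` output; not a real capture.
# Only DESTROY events carry final counters; counters are absent when
# connection accounting is disabled (last line).
SAMPLE_EVENTS = """\
[NEW] tcp      6 120 SYN_SENT src=192.168.1.10 dst=198.51.100.20 sport=40001 dport=80 [UNREPLIED] src=198.51.100.20 dst=203.0.113.1 sport=80 dport=50000
[DESTROY] tcp      6 src=192.168.1.10 dst=198.51.100.20 sport=40001 dport=80 packets=12 bytes=3000 src=198.51.100.20 dst=203.0.113.1 sport=80 dport=50000 packets=10 bytes=9000 [ASSURED]
[DESTROY] udp      17 src=192.168.1.12 dst=198.51.100.30 sport=5000 dport=53 packets=1 bytes=80 src=198.51.100.30 dst=203.0.113.1 sport=53 dport=5000 packets=1 bytes=200
[DESTROY] tcp      6 src=192.168.1.11 dst=198.51.100.20 sport=40002 dport=443 src=198.51.100.20 dst=203.0.113.1 sport=443 dport=50001 [ASSURED]
"""

EVENT_RE = re.compile(r"^\[(\w+)\]\s+(\w+)\s+(\d+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def split_tuples(rest: str) -> List[Dict[str, object]]:
    """Split the key=value fields into the original and reply tuples.
    A second `src=` marks the start of the reply tuple; fields before the
    first `src=` (timeout, TCP state) belong to neither and are skipped."""
    tuples: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for key, value in KV_RE.findall(rest):
        if key == "src":
            current = {}
            tuples.append(current)
        if current is None:
            continue
        current[key] = int(value) if value.isdigit() else value
    return tuples


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Return a flow record for a DESTROY event, or None for anything else
    (other event types, malformed lines, lines without two tuples)."""
    m = EVENT_RE.match(line.strip())
    if not m or m.group(1) != "DESTROY":
        return None
    tuples = split_tuples(m.group(4))
    if len(tuples) != 2:
        return None
    orig, reply = tuples
    return {
        "proto": m.group(2),
        "orig": orig,        # internal host -> destination, pre-NAT
        "reply": reply,      # destination -> router public address
        "out_bytes": orig.get("bytes"),   # None when accounting is off
        "in_bytes": reply.get("bytes"),
    }


def flows_from_events(text: str) -> List[Dict[str, object]]:
    records = [parse_event(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def per_host_totals(records: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Upload/download bytes per internal host, keyed by the original tuple's
    source address. States without counters are skipped, not guessed."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"out_bytes": 0, "in_bytes": 0})
    for r in records:
        if r["out_bytes"] is None or r["in_bytes"] is None:
            continue
        host = str(r["orig"]["src"])
        totals[host]["out_bytes"] += int(r["out_bytes"])
        totals[host]["in_bytes"] += int(r["in_bytes"])
    return dict(totals)


if __name__ == "__main__":
    for record in flows_from_events(SAMPLE_EVENTS):
        print(record)
    print(per_host_totals(flows_from_events(SAMPLE_EVENTS)))
```

The attack-surface point in the reply shows up in the code: the only input is a line-oriented event feed from the kernel's own connection tracker, so there is no packet parsing at all, and a malformed or unexpected line is simply dropped.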