Thursday, March 29, 2018

Re: counting dropped packets for pf

> On 03/28/18 22:03, 3 wrote:

>> maybe I'm so dumb and blind that I can't see pflow here.. and maybe the
>> problem isn't with me. where is pflow?

> pflow gets the data it exports from the state table.
> Blocked connections do not create state table entries.
> This means that pflow does not have the information you're looking for.
> You can still get detailed information about blocked connection
> attempts, in the aggregate via labels as I showed you, or from pflog.
> You could even have your block rules logged to a separate pflog interface.
> Others have already pointed you at other alternatives. Obsessing about
> pflow unfortunately isn't going to get you anywhere. Exploring the other
> options might.

I accept your challenge! ^^
But first I will describe my pf.conf scheme (this is important):

block all # default block
match from (self) tag PASS # default output

match bla-bla1 to (self) tag PASS
match bla-bla2 to (self) tag PASS
..
match bla-blaN to (self) tag PASS

match from lan:network tag PASS # it's actually an anchor here, loadable from
match to lan:network tag PASS # another file, but it does not matter

match out on egress inet from !(self) tagged PASS nat-to (egress) # nat
pass quick tagged PASS # one (and no other) final pass

-- at this point we have all the packets that were not accepted and
that will later be blocked by the default block.
-- we need only those that came in on egress (pppoe0 for me):
pass in quick on pppoe0 all route-to (vether0 10.0.0.1) keep state (pflow) # any fake interface will do here
-- now all the packets we selected come back to the start of the ruleset (before the default block).
-- we can leave them as they are, but it's better to drop them:
block quick on vether0 # this needs to be the first rule
-- let's see what we get if we enable logging:

Mar 29 20:42:46.984161 rule 92/(match) [uid 0, pid 54243] pass in on pppoe0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)
Mar 29 20:42:46.984176 rule 0/(match) [uid 0, pid 54243] block out on vether0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)
.. and more (I found four matching packets in this interval, but it is difficult to synchronize pf's log with flowd's log)

process_flow: ACCEPT flow FLOW recv_time 2018-03-29T20:43:42.634715 proto 17 tcpflags 00 tos 00 agent [127.0.0.1] src [24.201.182.114]:46574 dst [188.235.31.7]:36824 gateway [0.0.0.0] packets 3 octets 144 in_if 7 out_if 0 sys_uptime_ms 2h20m51s.000 time_sec 2018-03-29T20:43:42 time_nanosec 634520582 netflow ver 5 flow_start 2h19m55s.000 flow_finish 2h20m5s.000 src_AS 0 src_masklen 0 dst_AS 0 dst_masklen 0 engine_type 10752 engine_id 10752 seq 11273 source 0 crc32 00000000
output_flow_enqueue: offset 1624 alloc 16384

-- what do you say? ;)
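The post's last step is the hard one: checking by hand that the pflow record exported for the route-to "trap" state accounts for exactly the packets pflog shows being passed in on pppoe0 and then dropped on vether0. The script below is an added example, not part of the original post or of pf/flowd. It parses both log formats as quoted in the post (tcpdump's pflog output and flowd's process_flow debug line), counts each trapped packet once (pf logs it twice, once for the pass-in and once for the block-out, so the IP id of the pass-in line is used to pair them), and compares the per-5-tuple packet and octet totals with what flowd reported. It assumes IPv4, the udp/tcp/icmp keywords only, and the exact line formats quoted above; the interface names pppoe0 and vether0 are the post's. The sample input is the two pflog lines and the one flowd line from the post, plus two constructed pflog pairs (IP ids 5543 and 5544) so that the pflog side sums to the 3 packets and 144 octets of the flow record.

```python
"""Reconcile pflog(4) packets against flowd flow records for the route-to trap rule.
Added example, not from the original post; assumes the tcpdump pflog format and the
flowd process_flow format quoted in the post, IPv4 only, udp/tcp/icmp keywords only."""
import re
from collections import defaultdict

# One tcpdump(8) line for a pflog(4) packet, in the format quoted in the post.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\).*? "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?\b(?P<proto>udp|tcp|icmp)\b.*?\bid (?P<ipid>\d+), len (?P<iplen>\d+)\)"
)
# One NetFlow v5 record as printed by flowd's process_flow debug output.
FLOWD_RE = re.compile(
    r"proto (?P<proto>\d+) .*?src \[(?P<src>[^\]]+)\]:(?P<sport>\d+) "
    r"dst \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) .*?packets (?P<packets>\d+) octets (?P<octets>\d+)"
)
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}  # map tcpdump keywords to IP protocol numbers


def parse_pflog(lines):
    """One dict per parseable pflog line; anything that does not match the format is skipped."""
    records = []
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["proto"] = PROTO_NUM[rec["proto"]]
        for field in ("rule", "sport", "dport", "ipid", "iplen"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def flow_key(rec):
    """5-tuple in the orientation pflow exports it: (proto, src, sport, dst, dport)."""
    return (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def count_trapped(records, trap_if="pppoe0", drop_if="vether0"):
    """Per-5-tuple packet/octet totals for packets the trap rule passed in on trap_if
    and pf then dropped out on drop_if.  Each such packet appears twice in pflog
    (pass in, block out); it is counted once, paired on the IP id of the pass-in line."""
    passed_in = set()
    totals = defaultdict(lambda: {"packets": 0, "octets": 0})
    for rec in records:
        tag = (flow_key(rec), rec["ipid"])
        if (rec["action"], rec["dir"], rec["ifname"]) == ("pass", "in", trap_if):
            passed_in.add(tag)
        elif (rec["action"], rec["dir"], rec["ifname"]) == ("block", "out", drop_if):
            if tag in passed_in:  # only count what really came through the trap rule
                totals[tag[0]]["packets"] += 1
                totals[tag[0]]["octets"] += rec["iplen"]
    return dict(totals)


def parse_flowd(lines):
    """Per-5-tuple packet/octet totals from flowd lines; several records for one tuple add up."""
    flows = {}
    for line in lines:
        m = FLOWD_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        key = (int(d["proto"]), d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
        f = flows.setdefault(key, {"packets": 0, "octets": 0})
        f["packets"] += int(d["packets"])
        f["octets"] += int(d["octets"])
    return flows


def reconcile(trapped, flows):
    """{5-tuple: (pflog totals, flowd totals, agree?)} for every tuple seen on either side."""
    empty = {"packets": 0, "octets": 0}
    report = {}
    for key in set(trapped) | set(flows):
        p, f = trapped.get(key, empty), flows.get(key, empty)
        report[key] = (p, f, p == f)
    return report


# Sample input: the two pflog lines and the flowd line quoted in the post, plus two
# CONSTRUCTED pflog pairs (ids 5543 and 5544, same 5-tuple and length) so that the
# pflog side adds up to the 3 packets / 144 octets the flow record reports.
PFLOG_SAMPLE = [
    "Mar 29 20:42:46.984161 rule 92/(match) [uid 0, pid 54243] pass in on pppoe0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)",
    "Mar 29 20:42:46.984176 rule 0/(match) [uid 0, pid 54243] block out on vether0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5542, len 48)",
    "Mar 29 20:42:50.100000 rule 92/(match) [uid 0, pid 54243] pass in on pppoe0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5543, len 48)",
    "Mar 29 20:42:50.100015 rule 0/(match) [uid 0, pid 54243] block out on vether0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5543, len 48)",
    "Mar 29 20:42:55.200000 rule 92/(match) [uid 0, pid 54243] pass in on pppoe0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5544, len 48)",
    "Mar 29 20:42:55.200015 rule 0/(match) [uid 0, pid 54243] block out on vether0: 24.201.182.114.46574 > 188.235.31.7.36824: [udp sum ok] udp 20 [tos 0x70] (ttl 53, id 5544, len 48)",
]
FLOWD_SAMPLE = [
    "process_flow: ACCEPT flow FLOW recv_time 2018-03-29T20:43:42.634715 proto 17 tcpflags 00 tos 00 agent [127.0.0.1] src [24.201.182.114]:46574 dst [188.235.31.7]:36824 gateway [0.0.0.0] packets 3 octets 144 in_if 7 out_if 0 sys_uptime_ms 2h20m51s.000 time_sec 2018-03-29T20:43:42 time_nanosec 634520582 netflow ver 5 flow_start 2h19m55s.000 flow_finish 2h20m5s.000 src_AS 0 src_masklen 0 dst_AS 0 dst_masklen 0 engine_type 10752 engine_id 10752 seq 11273 source 0 crc32 00000000",
]

if __name__ == "__main__":
    result = reconcile(count_trapped(parse_pflog(PFLOG_SAMPLE)), parse_flowd(FLOWD_SAMPLE))
    for key, (p, f, ok) in sorted(result.items()):
        print("OK      " if ok else "MISMATCH", key, "pflog", p, "flowd", f)
```

Feed it the real logs with `tcpdump -n -e -ttt -r /var/log/pflog` on one side and flowd's debug output on the other, restricted to the same time window; pflow only exports a record when the trap state expires, so a flow that is still open will show up as a mismatch until then. The pairing on IP id is a heuristic: ids wrap, so over a long capture two different packets of the same 5-tuple can share one.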
