Hi everyone,

I would like to share an issue with one of my OpenBSD firewalls, which is
present in my company.

Everything was working fine until a server crash this last weekend.

We have set up the NetFlow protocol with the pseudo-device pflow0.

You can find the relevant files for the netflow configuration below.

/etc/pf.conf :

set state-defaults pflow

/etc/hostname.pflow :

flowsrc 192.168.1.251 flowdst 192.168.1.19:9995

The output of ifconfig for the pflow0 interface :

# ifconfig pflow0
pflow0: flags=41<UP,RUNNING> mtu 1492
         priority: 0
         pflow: sender: 192.168.1.251 receiver: 192.168.1.19:9995
         groups: pflow

Three tcpdump samples :

- From the netflow interface :

# tcpdump -nettti pflow0
tcpdump: listening on pflow0, link-type RAW
Dec 03 15:53:31.817647 ip: 192.168.1.251.49904 > 192.168.1.19.9995: udp 1464 (DF) [tos 0x10]
Dec 03 15:53:40.247888 ip: 192.168.1.251.49904 > 192.168.1.19.9995: udp 1464 (DF) [tos 0x10]
Dec 03 15:53:50.623061 ip: 192.168.1.251.49904 > 192.168.1.19.9995: udp 1464 (DF) [tos 0x10]
Dec 03 15:53:57.428342 ip: 192.168.1.251.49904 > 192.168.1.19.9995: udp 1464 (DF) [tos 0x10]

- From the pflog interface :

# tcpdump -nettti pflog0 host 192.168.1.19 and port 9995
tcpdump: listening on pflog0, link-type PFLOG
Dec 03 15:55:37.643985 rule def/(match) pass out on em2: 192.168.1.251.49904 > 192.168.1.19.9995: udp 1464 (DF) [tos 0x10]
Dec 03 15:55:42.644029 rule def/(match) pass out on em2: 192.168.1.251.49904 > 192.168.1.19.9995: udp 1464 (DF) [tos 0x10]
Dec 03 15:55:48.644243 rule def/(match) pass out on em2: 192.168.1.251.49904 > 192.168.1.19.9995: udp 1464 (DF) [tos 0x10]

- From the sender interface :

# tcpdump -nettti em2 host 192.168.1.19 and port 9995
tcpdump: listening on em2, link-type EN10MB

I don't see anything going out of the em2 interface.

In a lab environment with GNS3, I clearly see the UDP packets going out
of the sender interface.

Is there a best way to troubleshoot this issue ?

I don't know how to fix this behaviour. I tried to destroy and recreate
the pflow0 interface, but still no luck.

--
Alexis VACHETTE | Network and System Engineer
Sisteer France: 43 rue Pierre Valette, 92240 Malakoff -- France
Direct line: +33 1 70 95 51 19 | Fax: +33 1 70 95 50 90
www.sisteer.com <http://www.sisteer.com>

