On 20-03-2014 17:12, Don Jackson wrote:
> I’m attempting to monitor traffic on my LAN, I have inserted a 
> non-aggregating network tap between my firewall (not openbsd) and my enet 
> switch.
>
> I wired the two monitor ports of the network tap to two ethernet interfaces 
> (em2 and em3) on an openbsd machine (running 5.3 at present), em0 on
> this machine is the regular network port.
>
> I’m attempting to configure pf etc. in order to facilitate monitoring and 
> analyzing the traffic on my lan.  
> I started with just the em2 interface and associated tap output, which 
> monitors traffic from my LAN to the firewall.
>
> AFAICT, the interfaces I use for this monitoring need to be “UP” and in 
> “PROMISC” (promiscuous) mode, correct?
>
> So far, the only way I know I can do that is by adding the interface to a 
> bridge.  Is there another/better way?
You could implement some sort of daemon that puts the interfaces in
promiscuous mode using the pcap library. Or run tmux+tcpdump. A
bridge can also work, but it introduces complexity, especially when
filtering the packets.
>
> So, I have:
>
>       ifconfig em2 up
>
>       ifconfig bridge0 add em2
>       ifconfig bridge0 rule pass in on em2 tag tap_b
>       ifconfig bridge0 up
>
> I’d like to configure pf as follows:
>
>       Log all traffic on em2/bridge0 to (ideally a specific) pflog interface
>
>       Also “log” flows on em2/bridge0 to (ideally a specific) pflow interface
>
>       Leave em0 alone (in its default state), and don’t “duplicate” logging
>       of packets received on this interface to the pflog/pflow interfaces above.
>
>       And after that, basically replicate the em2/bridge0 logging with
>       similar logging for em3/bridge1, to distinct pflog/pflow interfaces.
>
> Here is my current pf.conf. It doesn’t do what I want above, but this is the only
> thing I have gotten to work at all:
>
>       set state-defaults pflow
>       set skip on lo
>
>       pass log on bridge0
>
>       block           # block stateless traffic
>       pass            # establish keep-state
>
>       block in on ! lo0 proto tcp to port 6000:6010
>
> Is there a better way to log packets received on the bridge than by “pass”ing them?
> I tried to tag the packets coming in from em2 in the bridge config, but 
> haven’t yet figured out how to use that tag to 
> help me log.
>
> With the above, and with
>
>       ifconfig pflow0 flowsrc 192.168.128.61 flowdst 192.168.128.61:1234 pflowproto 9
AFAIK, using anything besides proto 5 on pflow interfaces is broken, at
least on OpenBSD 5.4. I know there was some recent work in this area
that solves this issue.
>
> I’ve gotten some flow data to show up and I’ve used nfsen to look at it.
>
> I’d greatly appreciate any advice/pointers on how I can do what I describe 
> above.
> I’ve spent many hours trying different things, reading man pages, and books 
> (The Book of PF, Network Flow Analysis, etc)
>
> Don
>
Instead of using the state-defaults, you should use more specific rules.

pass on em0
pass on em2 (pflow)
pass on em3 (pflow)

and so on. I believe that this is it. Of course things would be much
simpler if your OpenBSD machine was the router. And you could
practically guarantee that you would see all the packets.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
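To make the "more specific rules" suggestion concrete, here is an added pf.conf fragment of my own (not from either poster) for the setup Don describes. It assumes em2/em3 are the two tap legs, em0 is the management port, and pflog1/pflog2 have been created with `ifconfig pflogN create`; the per-tap split is done on the pflog side because, as I read pflow(4), every pflow interface receives all exported states (check that against your release).

```pf
# Added example, not from the thread. Assumed interface roles:
#   em2 = tap leg A (LAN -> firewall), em3 = tap leg B (firewall -> LAN),
#   em0 = management port; pflog1 and pflog2 created beforehand with
#   "ifconfig pflog1 create" and "ifconfig pflog2 create".
tap_a = "em2"
tap_b = "em3"
mgmt  = "em0"

set skip on lo

# No "set state-defaults pflow": only the tap rules below opt in, so
# management traffic on $mgmt is never exported to pflow or copied to pflog.
block
pass on $mgmt

# Tap legs: "log (all, ...)" records every packet rather than only the
# state-creating one, each leg to its own pflog interface; "(pflow)" exports
# the resulting states as NetFlow.
pass in on $tap_a log (all, to pflog1) keep state (pflow)
pass in on $tap_b log (all, to pflog2) keep state (pflow)

# Kept from the original ruleset: no X11 from the wire.
block in on ! lo0 proto tcp to port 6000:6010
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `tcpdump -n -e -ttt -i pflog1` should show only packets that arrived on em2.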
