pf.conf set state-defaults pflow seemingly not exporting traffic

My money is on state-defaults working and I just am doing something
wrong, but I can't figure out what it is.

The sensor's information:
OpenBSD 6.7 (GENERIC.MP) #4: Wed Jul 15 11:16:20 MDT 2020
r...@syspatch-67-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
bios0: PC Engines APU2

On the sensor, each pass rule in /etc/pf.conf has modulate state.  If I
add (pflow) to each of these rules, flows export correctly.  If I
don't explicitly add (pflow), I don't see netflow traffic.

Note about the collector:

    Everything else in this message only involves the sensor. If I add
    (pflow) to each "modulate state" pass rule in /etc/pf.conf on the
    sensor, the collector works fine. If I take it away, the collector
    only generates files with no flow data, e.g. ls -l gives

    root _netflow  100 Jul 20 23:50 ft-v05.2020-07-20.234501-0500

    instead of lengths that reflected the explicit (pflow) rules on
    the sensor the day before:

    root  _netflow   5546 Jul 19 04:35 ft-v05.2020-07-19.043001-0500

    Please note that the size was 100 for every file for Jul 20, not
    just for 23:50.

    These dates are just one example. Going back and forth from
    explicit (pflow) on the sensor generates the same sort of results.

End of note about the collector.


Both /etc/pf.conf and /etc/pf.conf.onlystatedefaultspflow contain
    set state-defaults pflow
    pass log quick proto udp from flowgroup to collector port $flowport modulate state \
        label "flow $if $nr $srcaddr $dstaddr"

The only difference between the files is that
pf.conf.onlystatedefaultspflow lacks explicit (pflow).

i.e. if pf.conf has

    pass log inet proto tcp to https modulate state (pflow)

then pf.conf.onlystatedefaultspflow has

    pass log inet proto tcp to https modulate state

I've cleaned up the output of a typescript that shows the problem: If
I understand the output correctly, I have to explicitly add (pflow) to
the pass rules to get traffic on the pflow0 interface, and to see
traffic from my labeled rule that exports the flows.

First, with only the set state-defaults:

    step0# /sbin/pfctl -f /etc/pf.conf.onlystatedefaultspflow

    step1# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53359944

    step2# /sbin/pfctl -s label | /usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 99 1 1300 0 0 1 1300 1

    step3# /bin/echo "generating traffic on some other host"

    step4# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53359944

    step5# /sbin/pfctl -s label | /usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 172 1 1300 0 0 1 1300 1

Now loading the ruleset with (pflow) on each rule that has modulate state:

    step0# /sbin/pfctl -f /etc/pf.conf

    step1# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53360160

    step2# /sbin/pfctl -s label|/usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 69 0 0 0 0 0 0 0

    step3# /bin/echo "generating traffic on another host"

    step4# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53364552

    step5# /sbin/pfctl -s label|/usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 95 3 4476 0 0 3 4476 1

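The following pf.conf fragment is an added editorial example, not part of the original post, illustrating the distinction pf.conf(5) draws for set state-defaults: it sets the state options for states created from rules without an explicit keep state. The names flowgroup, collector, $flowport and https are reused from the post; the $flowport value and the three https rules are assumptions chosen to show the three cases side by side.

```pf
# Added example (not the poster's ruleset). Shows which rules pick up
# "set state-defaults pflow" according to pf.conf(5).
flowport = "2055"        # assumed value; the post does not give it

set state-defaults pflow

# Case A: an explicit state keyword ("modulate state") with no options.
# pf.conf(5) limits state-defaults to rules WITHOUT an explicit keep
# state, and modulate state is one of the explicit forms, so this
# rule's states are created without pflow and are not exported.
pass log inet proto tcp to https modulate state

# Case B: no state keyword at all. pass rules keep state by default,
# and with no explicit keep state the state-defaults apply, so these
# states carry pflow and are exported.
pass log inet proto tcp to https

# Case C: explicit "modulate state" plus an explicit (pflow). This is
# the form the post shows working on every modulate state rule.
pass log inet proto tcp to https modulate state (pflow)

# Export path from the post: the sensor's pflow packets to the collector.
pass log quick proto udp from flowgroup to collector port $flowport modulate state \
    label "flow $if $nr $srcaddr $dstaddr"
```

Check the file with pfctl -nf before loading it; after loading, pfctl -s rules prints the state options pf stored for each rule, so a rule that actually received pflow (case B or C above) should list pflow among its state options, while case A should not.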