Re: traffic accounting.
Derrick MacPherson wrote:
> I am going to pop a machine (bridged interfaces) in tween our LAN and
> our firewall (pix) and am wanting to know what people would recommend
> for IP accounting, it would be great to have a web based output to show
> what traffic, from/to what hosts so the boss is happy to look at it.

You can create a firewall that just passes everything and counts it. If you're not going to block anything you don't need stateful firewalling and pf should do just fine. Otherwise ipfilter will do better. I did this some years ago with ipfilter.

Last time I looked at accounting for pf the problem was to get all packets counted, both ways, with stateful filtering. The problem was that the packet would only be counted when matched against a rule, and that would only happen when the state was created. This is not a problem with non-stateful filtering since all packets will traverse the ruleset every time. It may have changed, or there may be some other ways around it.

I have heard about flowd but never tried to use it.

That said, pf has some features I think your boss would (or should) like more than flashy web pages: queueing, so you can prioritize your boss's traffic over everyone else - of course, you installing it can put yourself first in the queue :-)

Cheers, Erik
Re: traffic accounting.
You can use ipfw+ipa+mrtg.

You can visit http://www.kruijff.org/ but for the moment, probably, the author is making some changes.

The idea is that ipa reads the traffic counts from ipfw rules, which can be read with scripts and generate traffic with mrtg.
Re: traffic accounting.
--- Erik Nørgaard <[EMAIL PROTECTED]> wrote:
> Derrick MacPherson wrote:
> > I am going to pop a machine (bridged interfaces) in tween our LAN and
> > our firewall (pix) and am wanting to know what people would recommend
> > for IP accounting, it would be great to have a web based output to show
> > what traffic, from/to what hosts so the boss is happy to look at it.

Are you searching for something that looks good or something more factual?

Another question to consider is whether you are interested in bandwidth (bytes/sec) or in actual bytes transferred. There are fewer tools that provide persistent & archivable stats for the latter and I have yet to find one that displays the latter in graphical form without it becoming a science project.

-- Peter
Re: traffic accounting.
On Tue, 2005-09-13 at 23:11 -0400, Peter Matulis wrote:
> --- Erik Nørgaard <[EMAIL PROTECTED]> wrote:
> > Derrick MacPherson wrote:
> > > I am going to pop a machine (bridged interfaces) in tween our LAN and
> > > our firewall (pix) and am wanting to know what people would recommend
> > > for IP accounting, it would be great to have a web based output to show
> > > what traffic, from/to what hosts so the boss is happy to look at it.
>
> Are you searching for something that looks good or something more factual?

Probably more pretty than extremely accurate. I've actually mirrored a port on the switch that's to our internet connection, and have ntop monitoring that. Seems to be working fine, I guess I would like a bit more of a warm fuzzy feeling that what I'm doing is right.

> Another question to consider is whether you are interested in bandwidth
> (bytes/sec) or in actual bytes transferred. There are fewer tools that
> provide persistent & archivable stats for the latter and I have yet to
> find one that displays the latter in graphical form without it becoming
> a science project.

Bytes transferred is better, but both appreciated. And ya, it seems like there's a few solutions, none perfect. I am pushing for the replacement of our Pix's, my preference is PF on *BSD, but again, they want something that looks pretty.
Re: traffic accounting.
--- Derrick MacPherson <[EMAIL PROTECTED]> wrote:
> > Are you searching for something that looks good or something more factual?
>
> Probably more pretty than extremely accurate. I've actually mirrored a
> port on the switch that's to our internet connection, and have ntop
> monitoring that. Seems to be working fine, I guess I would like a bit
> more of a warm fuzzy feeling that what I'm doing is right.
>
> > Another question to consider is whether you are interested in bandwidth
> > (bytes/sec) or in actual bytes transferred. There are fewer tools that
> > provide persistent & archivable stats for the latter and I have yet to
> > find one that displays the latter in graphical form without it becoming
> > a science project.
>
> Bytes transferred is better, but both appreciated. And ya, it seems like
> there's a few solutions, none perfect. I am pushing for the replacement
> of our Pix's, my preference is PF on *BSD, but again, they want
> something that looks pretty.

I agree that bytes transferred is very nice to have (seems pretty basic). As mentioned by another, there is a small utility called ipfm that does the trick. There are a couple of scripts on the net that process the output into something more useful (bytes for a specified month).

For the prettiness factor, pf integrates painlessly with pfstat and symon/syweb.

Here is something from pfstat. It shows, well, pf statistics (bytes/sec for the last 12 hours):

http://papamike.ca/misc/pass_block_12.png

-- Peter
Re: traffic accounting.
Derrick MacPherson wrote:
> I am going to pop a machine (bridged interfaces) in tween our LAN and
> our firewall (pix) and am wanting to know what people would recommend
> for IP accounting, it would be great to have a web based output to show
> what traffic, from/to what hosts so the boss is happy to look at it.

Have a look at ntop, it's in the ports collection.

-- Matt Virus ("veer-iss") http://www.mattvirus.net
Re: traffic accounting per username with ipfw in 5.4 ?
On 10/25/05, user <[EMAIL PROTECTED]> wrote:
> I remember that ipfw had been augmented some time ago to do traffic
> counting, etc., based on usernames ... but I see no mention of that in the
> ipfw man page on my 5.4-RELEASE system.
>
> Is this something that only exists in IPFW2 ? Does ipfw2 even exist
> anymore ?
>
> Can someone clarify for me what is going on with regard to what used to be
> called IPFW2, FreeBSD 5.x, and per-user traffic counting ?
>
> thanks.

ipfw2 replaced ipfw in 5.x

Read the manpage more carefully, please. Search for "uid" option.
Re: traffic accounting per username with ipfw in 5.4 ? (more)
Hello,

On Tue, 25 Oct 2005, Andrew P. wrote:
> On 10/25/05, user <[EMAIL PROTECTED]> wrote:
> > I remember that ipfw had been augmented some time ago to do traffic
> > counting, etc., based on usernames ... but I see no mention of that in the
> > ipfw man page on my 5.4-RELEASE system.
> >
> > Is this something that only exists in IPFW2 ? Does ipfw2 even exist
> > anymore ?
> >
> > Can someone clarify for me what is going on with regard to what used to be
> > called IPFW2, FreeBSD 5.x, and per-user traffic counting ?
> >
> > thanks.
>
> ipfw2 replaced ipfw in 5.x
>
> Read the manpage more carefully, please. Search
> for "uid" option.

Thanks - I was searching for username and getting nowhere. Also, thank you for the clarification regarding ipfw2/ipfw and their current state.

I notice that the traffic accounting per uid only applies to traffic initiated by that user, and initiated from the local machine. If I scp a file away from the machine (as user X) the traffic does not get incremented, and if I scp a file to the local machine (as user X) it also does not get incremented - even though those are non-anonymous actions that occur under the auspices of a particular username.

Does anyone have any suggestions for traffic accounting (of particularly ssh traffic) on a per user basis, for _all_ traffic that occurs under the auspices of that username, and not just what _they themselves_ initiate, personally, in their own login shell ?

Thank you.
Re: traffic accounting per username with ipfw in 5.4 ? (more)
On 10/25/05, user <[EMAIL PROTECTED]> wrote:
> Hello,
>
> On Tue, 25 Oct 2005, Andrew P. wrote:
> > On 10/25/05, user <[EMAIL PROTECTED]> wrote:
> > > I remember that ipfw had been augmented some time ago to do traffic
> > > counting, etc., based on usernames ... but I see no mention of that in the
> > > ipfw man page on my 5.4-RELEASE system.
> > >
> > > Is this something that only exists in IPFW2 ? Does ipfw2 even exist
> > > anymore ?
> > >
> > > Can someone clarify for me what is going on with regard to what used to be
> > > called IPFW2, FreeBSD 5.x, and per-user traffic counting ?
> > >
> > > thanks.
> >
> > ipfw2 replaced ipfw in 5.x
> >
> > Read the manpage more carefully, please. Search
> > for "uid" option.
>
> Thanks - I was searching for username and getting nowhere. Also, thank
> you for the clarification regarding ipfw2/ipfw and their current state.
>
> I notice that the traffic accounting per uid only applies to traffic
> initiated by that user, and initiated from the local machine. If I scp a
> file away from the machine (as user X) the traffic does not get
> incremented, and if I scp a file to the local machine (as user X) it also
> does not get incremented - even though those are non-anonymous actions
> that occur under the auspices of a particular username.
>
> Does anyone have any suggestions for traffic accounting (of particularly
> ssh traffic) on a per user basis, for _all_ traffic that occurs under the
> auspices of that username, and not just what _they themselves_ initiate,
> personally, in their own login shell ?
>
> Thank you.

ipfw looks at the owner of a process, sshd in your case. If you really need to account the not-locally-initiated ssh traffic, start another sshd running as the user (on another port), and connect to that port [you can easily allow a user to connect only to a selected server by editing sshd_config's].

Anyway, try thinking logically. How could ipfw ever know what user traffic belongs to if all authentication is handled by sshd internally? Otherwise, it would be a security hole (though some actions can certainly be logged to limited-access log files).

Hassle-free solutions, i.e. complex accounting systems, come for money. Though, whatever problem you might have, I'm sure somehow that there's another way.
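The per-uid counting discussed in this thread, as an added example that is not part of any poster's message: it totals the packet and byte counters of ipfw rules carrying a `uid` match and reports what sits on rules with no `uid`, such as inbound ssh handled by sshd. The rule numbers, user names and counter values are constructed, and the layout assumed is the `ipfw show` one (rule number, packets, bytes, rule body).

```python
import re
from collections import defaultdict

# Constructed sample in the `ipfw show` layout: number, packets, bytes, rule body.
# Rules 100-200 are `count` rules with a uid match; rule 300 is the inbound ssh
# rule, which has no uid because the socket belongs to the sshd process.
SAMPLE_SHOW = """\
00100   1520    981234 count tcp from me to any uid alice
00110    310     20480 count tcp from any to me uid alice
00200     12      4096 count tcp from me to any uid 1002
00300  88211  73400320 allow tcp from any to me dst-port 22
65535   4021    512000 allow ip from any to any
"""

RULE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
UID_MATCH = re.compile(r"\buid\s+(\S+)")


def per_uid_totals(show_output):
    """Return (per_uid, no_uid) counter totals from `ipfw show` text.

    per_uid maps the uid token (name or number, as listed) to packets/bytes.
    no_uid sums the rules without a uid match. `count` rules do not stop rule
    evaluation, so a packet can appear in both groups; do not add them up.
    """
    per_uid = defaultdict(lambda: {"packets": 0, "bytes": 0})
    no_uid = {"packets": 0, "bytes": 0}
    for line in show_output.splitlines():
        m = RULE_LINE.match(line)
        if not m:
            continue  # skip blank lines and anything not shaped like a rule
        _number, packets, nbytes, body = m.groups()
        uid = UID_MATCH.search(body)
        bucket = per_uid[uid.group(1)] if uid else no_uid
        bucket["packets"] += int(packets)
        bucket["bytes"] += int(nbytes)
    return dict(per_uid), no_uid


if __name__ == "__main__":
    users, rest = per_uid_totals(SAMPLE_SHOW)
    for uid, c in sorted(users.items()):
        print(f"uid {uid}: {c['packets']} packets, {c['bytes']} bytes")
    print(f"rules without uid: {rest['packets']} packets, {rest['bytes']} bytes")
```
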
Re: traffic accounting per username with ipfw in 5.4 ? (more)
On Tue, 25 Oct 2005, Andrew P. wrote:
> ipfw looks at the owner of a process, sshd in your
> case. If you really need to account the not-locally-
> initiated ssh traffic, start another sshd running as
> the user (on another port), and connect to that
> port [you can easily allow a user to connect only
> to a selected server by editing sshd_config's].
>
> Anyway, try thinking logically. How could ipfw
> ever know what user traffic belongs to if all
> authentication is handled by sshd internally?
> Otherwise, it would be a security hole (though
> some actions can certainly be logged to limited-
> access log files).
>
> Hassle-free solutions, i.e. complex accounting
> systems, come for money. Though, whatever
> problem you might have, I'm sure somehow that
> there's another way.

I am open to suggestions :)

Basically I have a system that is accessible via ssh _only_, and I need to find out how much ssh traffic each individual user is generating (both send and receive) over ssh.

There is a large enough population of users that one sshd/user is not workable.

So, it turns out there is a patch for OpenSSH that does per-user traffic accounting, which makes sense, since the sshd does know all that I am trying to ask of it. The only drawbacks are, the patch is unsupported (apparently the OpenSSH developer is philosophically opposed to traffic counting in sshd (?)), and it does not count aborted transactions (so you could upload a few gigs, and then drop off, and that doesn't get counted).

So that is one solution ... can you think of any other ways to count per-user traffic, if it is a given that it is all only ssh ?

thanks.
Re: traffic accounting per username with ipfw in 5.4 ? (more)
On Monday 24 October 2005 23:54, user wrote:
> Hello,
>
> On Tue, 25 Oct 2005, Andrew P. wrote:
> > On 10/25/05, user <[EMAIL PROTECTED]> wrote:
> > > I remember that ipfw had been augmented some time ago to do traffic
> > > counting, etc., based on usernames ... but I see no mention of that in
> > > the ipfw man page on my 5.4-RELEASE system.
> > >
> > > Is this something that only exists in IPFW2 ? Does ipfw2 even exist
> > > anymore ?
> > >
> > > Can someone clarify for me what is going on with regard to what used to
> > > be called IPFW2, FreeBSD 5.x, and per-user traffic counting ?
> > >
> > > thanks.
> >
> > ipfw2 replaced ipfw in 5.x
> >
> > Read the manpage more carefully, please. Search
> > for "uid" option.
>
> Thanks - I was searching for username and getting nowhere. Also, thank
> you for the clarification regarding ipfw2/ipfw and their current state.
>
> I notice that the traffic accounting per uid only applies to traffic
> initiated by that user, and initiated from the local machine. If I scp a
> file away from the machine (as user X) the traffic does not get
> incremented, and if I scp a file to the local machine (as user X) it also
> does not get incremented - even though those are non-anonymous actions
> that occur under the auspices of a particular username.
>
> Does anyone have any suggestions for traffic accounting (of particularly
> ssh traffic) on a per user basis, for _all_ traffic that occurs under the
> auspices of that username, and not just what _they themselves_ initiate,
> personally, in their own login shell ?
>
> Thank you.

I've looked a bit into this, and it appears that sshd changes uid in FreeBSD 6.0 (I use 6.0RC1) .. I bet upgrading the system would be a lot easier than constructing a complex traffic-accounting system.. I'd think so at least..
Re: traffic accounting per username with ipfw in 5.4 ? (more)
> I notice that the traffic accounting per uid only applies to traffic
> initiated by that user, and initiated from the local machine. If I scp a

> I've looked a bit into this, and it appears that sshd changes uid in FreeBSD
> 6.0 (I use 6.0RC1) .. I bet upgrading the system would be a lot easier than
> constructing a complex traffic-accounting system.. I'd think so at least..

sshd_config(5)
UsePrivilegeSeparation

&&

cd /usr/ports
make search key=accounting
...
Port:   ipacctd-1.46_1
Path:   /usr/ports/net-mgmt/ipacctd
Info:   IP accounting using divert socket
Maint:  [EMAIL PROTECTED]
...

among others