pf and symon
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: pf and symon
- From: Gaby Vanhegan <gaby_(_at_)_vanhegan_(_dot_)_net>
- Date: Sat, 27 Nov 2004 15:26:01 +0000
Morning!
Perhaps not quite the place for a symon query, but pf related anyway... :)
I've set up symon to monitor some basic system parameters, and it's
working fine for everything bar pf. All of the other sensors return
information but pf is returning nothing.
pf is running:
bash-3.00# cat /etc/rc.conf | grep pf
pf=YES # Packet filter / NAT
pf_rules=/etc/pf.conf # Packet filter rules file
pflogd_flags= # add more flags, ie. "-s 256"
bash-3.00# pfctl -e
pfctl: pf already enabled
And there are some log rules in /etc/pf.conf:
bash-3.00# cat /etc/pf.conf | grep log | head
block in log on $ext_if
pass out log on $ext_if keep state
pass in log on $ext_if proto tcp from any to any port 20 keep state
pass in log on $ext_if proto tcp from any to any port 21 keep state
pass in log on $ext_if proto tcp from any to any port 22 keep state
pass in log on $ext_if proto tcp from any to any port 25 keep state
pass in log on $ext_if proto tcp from any to any port 80 keep state
pass in log on $ext_if proto tcp from any to any port 110 keep state
pass in log on $ext_if proto tcp from any to any port 115 keep state
pass in log on $ext_if proto tcp from any to any port 443 keep state
pflogd is up and running:
bash-3.00# ps auwx | grep pflogd
root 7870 0.0 0.1 408 328 ?? Is 3:15PM 0:00.00 pflogd: [priv] (pflogd)
_pflogd 12715 0.0 0.1 464 196 ?? S 3:15PM 0:00.02 pflogd: [running] -s 116 -f /var/log/pflog (pflogd)
root 19207 0.0 0.0 960 4 p4 R+ 3:19PM 0:00.00 grep pflogd (bash)
And so is the pflog0 interface:
bash-3.00# ifconfig -a | grep pflog
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
Information is certainly coming into the pflog file:
bash-3.00# ls -lFa /var/log | grep pflog
-rw------- 1 root wheel 23240 Nov 27 15:20 pflog
And I can get data from a tcpdump command, listening on pflog0 as well:
bash-3.00# tcpdump -n -e -ttt -i pflog0 inbound
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Nov 27 15:21:09.457804 rule 9/0(match): pass in on xl0: 81.168.45.41.62501 > 195.224.72.148.110: S 3382235284:3382235284(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
Nov 27 15:21:09.492066 rule 9/0(match): pass in on xl0: 81.168.45.41.62502 > 195.224.72.148.110: S 3470025560:3470025560(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
Symon and symux are setup as follows:
bash-3.00# cat /etc/symon.conf
# symon configuration
# Gaby Vanhegan <gaby_(_at_)_vanhegan_(_dot_)_net> 2004-11-27
monitor { if(lo0), # Localhost
if(xl0), # External interface
io(wd0), # The main HD
cpu(0), # The processor
pf, # The firewall
mem } # Memory usage
stream to 127.0.0.1 2100
bash-3.00# cat /etc/symux.conf
# symux configuration
# Gaby Vanhegan <gaby_(_at_)_vanhegan_(_dot_)_net> 2004-11-27
#
# Configuration for symux system monitoring daemon
# Only receive from localhost
mux 127.0.0.1 2100
# Localhost logs to this directory
source 127.0.0.1 {
accept { pf, io(wd0), cpu(0), mem, if(lo0), if(xl0) }
datadir "/var/symon/rrds/localhost"
}
And everything except pf produces a nice graph on the symon page. It
just seems that there is no data coming into the pf sensor at all. Has
anyone got this working? I know it works because I've seen pf graphs on
other symon pages. I've had a google for it but most of the stuff
related to pflogd, and getting that started.
What is the obvious link that I'm missing here?
Gaby
--
Ha! Ha! Ha! Dislocation...
- Phil Ken Sebben
gaby_(_at_)_vanhegan_(_dot_)_net
http://vanhegan.net
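Added example, not part of the post above or of symon itself: every check in the message exercises pflogd and the pflog0 interface, which carry the packet log, whereas a pf statistics sensor reports pf's own status counters (the numbers `pfctl -s info` prints). The POSIX sh script below checks the three things that actually matter for such a sensor: pf is enabled, pf's counters are moving, and `pf` is listed inside the `monitor { ... }` block of symon.conf. The `pfctl -s info` output and the two symon.conf variants embedded in it are constructed samples, not captured from the poster's host; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s info` output (not captured from a real host).
SAMPLE_PFCTL_INFO='Status: Enabled for 0 days 03:04:17              Debug: Urgent

State Table                          Total             Rate
  current entries                       42
  searches                           20000            1.8/s
  inserts                              300            0.0/s
  removals                             258            0.0/s
Counters
  match                                300            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
'

# Constructed symon.conf in the same shape as the one in the post, with pf listed.
SAMPLE_SYMON_CONF='# symon configuration
monitor { if(lo0), # Localhost
if(xl0), # External interface
io(wd0), # The main HD
cpu(0), # The processor
pf, # The firewall
mem } # Memory usage
stream to 127.0.0.1 2100
'

# Same file with the pf sensor left out, to show the check failing.
SAMPLE_SYMON_CONF_NO_PF='monitor { if(lo0), if(xl0), io(wd0), cpu(0), mem }
stream to 127.0.0.1 2100
'

# True when the first line of `pfctl -s info` says pf is enabled.
pf_status_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# Print the Total column of one line from the Counters section (empty if absent).
# Usage: pf_counter "$info" match
pf_counter() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^Counters/ { in_counters = 1; next }
        in_counters && $1 == name { print $2; exit }
    '
}

# Print the "current entries" figure from the State Table section.
pf_state_current_entries() {
    printf '%s\n' "$1" | awk '
        /^State Table/ { in_states = 1; next }
        in_states && $1 == "current" && $2 == "entries" { print $3; exit }
    '
}

# True when the monitor { ... } block of a symon.conf lists the bare token pf.
# Comments are stripped first so "# pf" in a trailing comment does not count.
symon_monitors_pf() {
    printf '%s\n' "$1" \
      | sed 's/#.*//' \
      | tr '\n' ' ' \
      | sed -n 's/.*monitor *{\([^}]*\)}.*/\1/p' \
      | tr ',' '\n' \
      | grep -q '^[[:space:]]*pf[[:space:]]*$'
}

# Run all checks against pfctl output and a symon.conf; return 0 only if
# pf is enabled and the sensor is configured. A zero match counter is only
# a warning: the sensor would be working but would have nothing to graph.
pf_sensor_prereqs() {
    info=$1; conf=$2; rc=0
    if pf_status_enabled "$info"; then echo "ok: pf enabled"
    else echo "FAIL: pf is not enabled"; rc=1; fi
    if symon_monitors_pf "$conf"; then echo "ok: pf listed in symon.conf monitor {}"
    else echo "FAIL: pf is not in the symon.conf monitor {} block"; rc=1; fi
    m=$(pf_counter "$info" match)
    if [ -n "$m" ] && [ "$m" -gt 0 ]; then echo "ok: pf match counter = $m, states = $(pf_state_current_entries "$info")"
    else echo "WARN: pf match counter is ${m:-absent}; nothing for the sensor to graph yet"; fi
    return $rc
}

pf_sensor_prereqs "$SAMPLE_PFCTL_INFO" "$SAMPLE_SYMON_CONF"
```

On a live OpenBSD host the same functions take real input: `pf_sensor_prereqs "$(pfctl -s info)" "$(cat /etc/symon.conf)"`. Nothing here reads /var/log/pflog or pflog0, which is the point: a healthy pflogd tells you nothing about whether the pf statistics sensor has data to report.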