OpenBSD Journal

PF Software: PFflowd

Contributed by jose on from the cool-tricks dept.

anonymous writes: "pfflowd converts OpenBSD PF status messages (sent via the pfsync interface) to Cisco NetFlow(tm) datagrams. These datagrams may be sent (via UDP) to a host of one's choice. Utilising the OpenBSD stateful packet filter infrastructure means that flow tracking is very fast and accurate.

http://www.mindrot.org/pfflowd.html

That's just one of the many. It's actually cool that PF gets more supported. Does anyone know other interesting PF software?"

Wow, this is pretty cool. NetFlow is some neat stuff, and you can do a lot with the data. Cisco's website has a nice NetFlow summary. Various tools, both free and commercial, consume it and make use of the data.
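Since pfflowd emits Cisco NetFlow datagrams and the only way to inspect them is with a collector, here is a small decoder for the NetFlow v5 export format as an added example (editor's code, not pfflowd's or Damien's collector.pl). The datagram it parses is constructed in-process to stand in for one pfflowd would send over UDP; the field layout follows the published v5 header and record format, and the sample flow values are invented.

```python
"""Decode Cisco NetFlow v5 export datagrams (the format pfflowd sends over UDP).

Added example, not pfflowd's code. SAMPLE_FLOWS and the addresses in it are
constructed; the record layout is the public NetFlow v5 export format.
"""
import socket
import struct

# Header: version, count, sys_uptime(ms), unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes
MAX_RECORDS = 30                            # a v5 datagram carries at most 30 flows


def build_v5_datagram(flows, sys_uptime_ms, unix_secs, seq):
    """Pack flow dicts into one v5 datagram (stands in for the exporter)."""
    if not 0 < len(flows) <= MAX_RECORDS:
        raise ValueError("v5 datagram carries 1..30 records")
    hdr = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    socket.inet_aton("0.0.0.0"), 0, 0,
                    f["packets"], f["octets"], f["first_ms"], f["last_ms"],
                    f["sport"], f["dport"], 0, f["tcp_flags"], f["proto"], 0,
                    0, 0, 0, 0, 0)
        for f in flows)
    return hdr + body


def parse_v5_datagram(data):
    """Validate and decode a v5 datagram; raise ValueError if it is malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, _sampling = \
        struct.unpack_from(HEADER_FMT, data)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    # The count field must agree with the datagram length, or a truncated or
    # padded packet would be decoded as garbage flows.
    if not 0 < count <= MAX_RECORDS or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("count %d inconsistent with length %d" % (count, len(data)))
    records = []
    for i in range(count):
        (src, dst, _nexthop, _inp, _out, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            struct.unpack_from(RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "packets": pkts, "octets": octets,
            # First/Last are exporter uptime in ms; anchor them to wall-clock
            # time with the header's sys_uptime/unix_secs pair.
            "start": secs + (first - uptime) / 1000.0,
            "end": secs + (last - uptime) / 1000.0,
        })
    return {"sequence": seq, "records": records}


# Constructed sample: one finished HTTP connection, one record per direction,
# tcp_flags 0x1b = FIN|SYN|PSH|ACK seen over the life of the flow.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 51234, "dport": 80, "proto": 6,
     "tcp_flags": 0x1b, "packets": 12, "octets": 1480, "first_ms": 10000, "last_ms": 12500},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "sport": 80, "dport": 51234, "proto": 6,
     "tcp_flags": 0x1b, "packets": 9, "octets": 6200, "first_ms": 10020, "last_ms": 12500},
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, sys_uptime_ms=20000,
                                    unix_secs=1_050_000_000, seq=7)


def collect(port=2055):
    """Minimal UDP collector loop: decode each datagram and print one line per flow."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", port))
    while True:
        data, peer = s.recvfrom(65535)
        try:
            for r in parse_v5_datagram(data)["records"]:
                print("%(src)s:%(sport)d -> %(dst)s:%(dport)d proto %(proto)d "
                      "%(packets)d pkts %(octets)d bytes" % r)
        except ValueError as e:
            print("bad datagram from %s: %s" % (peer[0], e))


if __name__ == "__main__":
    for r in parse_v5_datagram(SAMPLE_DATAGRAM)["records"]:
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d %(packets)d pkts %(octets)d bytes" % r)
```

Point `collect()` at the UDP port you configure pfflowd to export to and it will print one line per flow; the length check in `parse_v5_datagram` is the part worth keeping in anything that listens on an open UDP port, since any host can send it a datagram.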



Comments
  1. By click46 () click46@genmay.net

    I don't use NetFlow or anything like that; but I'm continuously amazed at the progress and additions made to PF.

  2. By djm () on

    It is good to see pfflowd being written about here :)

    While the guts of it are solid, it could do with an audit, some independent testing and verification that the flow records it generates are accurate. So please, download it and give it a try. You will need some sort of NetFlow collector to make sense of the records it produces. A simple perl one is here:

    http://www.mindrot.org/files/pfflowd/collector.pl

    I'll probably add NetFlow v.9 support before releasing this as a port - this will allow accounting of IPv6 flows and elimination of a lot of information that isn't currently collected by pf.

    pf is a very nice framework to hack on - its design is very easy to understand, even for a kernel neophyte such as I.

    Comments
    1. By Anonymous Coward () on

      This is killer - I love the idea. I will definitely be fooling around with this when I get some -current action happening.

  3. By Blake () blake at two one one two dot net

    /usr/ports/net/ntop is a nice tool with lots of bells and whistles for collecting/reporting this data.

    Comments
    1. By Rick () No_email@aol.com

      www.mindrot.org appears unreachable. Can you confirm the link is good?

      Comments
      1. By djm () on

        yes, but my isp is having issues

    2. By G () on

      and it is too old to eat any NetFlow data

  4. By Anonymous Coward () on

    On Damien's pfflowd's page, I noticed the mentioning of synproxy. This is going to be a big thing in terms of synflood prevention.

    Any one knows how it works? Is it using syn cookie?

    Comments
    1. By Petr R. () pruzicka@openbsd.cz on http://www.openbsd.cz

      No, it intercepts the SYN packet going to the protected server and answers SA instead of that server. If, and only if, an ACK comes back, it will "proxy" the connection to the protected server.

    2. By Anonymous Coward () on

      This is not about using SYN Cookies, this is using more memory on Cisco or pf instead of adjusting system to handle load of syn flood

    3. By Anonymous Coward () on

      Thanks for the above replies. I know how synproxy works, I just don't know how it recognizes the ACK as being part of a previous SYN and SYN/ACK ...

      Syncookie is using a crypto hash to recognize it, I was just wondering how pf's synproxy does it.

      Comments
      1. By Above Anonymous C. () on

        i guess pf state is (noticeably) smaller than socket with its buffers

      2. By Anonymous Coward () on

        pf uses a state entry for it, but doesn't pass any packets to the proxied host until the handshake is done. -current also has adaptive timeout scaling -- the timeouts decrease as the number of state entries rises, on a scale you specify. Since you can specify both the initial TCP timeout and scaling on a per-rule basis, the entire thing should work pretty well.

        Skim the current man page for more.
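The thread above contrasts two answers to the same question (how does the defender know an ACK belongs to a SYN it answered?): a stateful SYN proxy, which keeps a state entry per pending handshake as the replies describe pf's synproxy doing, and SYN cookies, which encode the answer into the ISN with a keyed hash and keep nothing. The model below is an added example by the editor, not pf's code: the segment representation, the action names, the cookie layout (24 bits of MAC plus an 8-bit time slot) and the constructed addresses are this example's own, and the proxy's subsequent handshake with the real server is not modelled.

```python
"""Model of stateful SYN proxying versus stateless SYN cookies.

Added example, not pf's code. Segment format, action names, cookie layout and
all addresses below are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from collections import namedtuple

# A TCP segment reduced to what the handshake logic needs; flags is a string.
Seg = namedtuple("Seg", "src sport dst dport flags seq ack")
SYN, ACK, SYNACK = "S", "A", "SA"
MASK32 = 0xffffffff


class StatefulSynProxy:
    """Answers every SYN itself and remembers the ISN it chose, one table entry
    per half-open handshake. Only an ACK matching a remembered entry opens a
    connection towards the protected server; nothing else is forwarded."""

    def __init__(self):
        self.half_open = {}   # (src, sport, dst, dport) -> ISN the proxy sent

    def handle(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == SYN:
            isn = secrets.randbits(32)          # unpredictable, so the ACK cannot be guessed
            self.half_open[key] = isn           # this entry is the memory cost of a flood
            return ("SYNACK", Seg(seg.dst, seg.dport, seg.src, seg.sport, SYNACK,
                                  isn, (seg.seq + 1) & MASK32))
        if seg.flags == ACK:
            isn = self.half_open.pop(key, None)
            if isn is None or seg.ack != (isn + 1) & MASK32:
                return ("DROP", None)           # no pending handshake, or wrong ack number
            return ("OPEN_TO_SERVER", key)      # handshake done; proxy now talks to the server
        return ("DROP", None)                   # no other segment reaches the server


class SynCookieStack:
    """Keeps no table: the ISN is a MAC over the 4-tuple and a coarse timestamp,
    so the third-handshake ACK can be checked by recomputing it."""

    def __init__(self, clock):
        self.key = os.urandom(16)
        self.clock = clock                      # returns seconds; injectable for tests

    def _cookie(self, key, slot):
        mac = hmac.new(self.key, repr((key, slot)).encode(), hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | (slot & 0xff)

    def handle(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        now = int(self.clock()) // 60           # one-minute slots
        if seg.flags == SYN:
            isn = self._cookie(key, now)
            return ("SYNACK", Seg(seg.dst, seg.dport, seg.src, seg.sport, SYNACK,
                                  isn, (seg.seq + 1) & MASK32))
        if seg.flags == ACK:
            isn = (seg.ack - 1) & MASK32
            for slot in (now, now - 1):         # accept the current and previous slot
                if (slot & 0xff) == (isn & 0xff) and self._cookie(key, slot) == isn:
                    return ("ACCEPT", key)
            return ("DROP", None)
        return ("DROP", None)


def run_handshakes(defence):
    """One legitimate client completes the handshake, then a flood of spoofed SYNs
    that never ACK, then an ACK belonging to no SYN we answered.
    Returns (legit_action, bogus_action)."""
    client = Seg("192.0.2.10", 40000, "198.51.100.5", 80, SYN, 1000, 0)
    act, synack = defence.handle(client)
    assert act == "SYNACK"
    final = client._replace(flags=ACK, seq=client.seq + 1, ack=(synack.seq + 1) & MASK32)
    legit = defence.handle(final)[0]
    for i in range(1000):                       # constructed flood: spoofed sources, no ACKs
        defence.handle(Seg("203.0.113.%d" % (i % 254 + 1), 1024 + i,
                           "198.51.100.5", 80, SYN, i, 0))
    bogus = defence.handle(Seg("203.0.113.9", 5555, "198.51.100.5", 80, ACK, 5, 12345))[0]
    return legit, bogus


if __name__ == "__main__":
    proxy = StatefulSynProxy()
    print("synproxy:", run_handshakes(proxy), "half-open entries:", len(proxy.half_open))
    print("syncookie:", run_handshakes(SynCookieStack(lambda: 1_050_000_000)), "entries: 0")
```

After the flood the proxy holds a thousand half-open entries while the cookie stack holds none, which is the trade-off the thread is arguing about: the proxy buys certainty (the server never sees a spoofed SYN) at the price of per-handshake state, so its entries need the short initial timeouts and adaptive scaling mentioned above to stay bounded.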

  5. By Anonymous Coward () on

    does anybody know free tools to make use of netflow data?

    Comments
    1. By jose () on http://monkey.org/~jose/

      OSU has a flow-tools toolset that does, and CAIDA's cflowd can do some NetFlow versions. I'm not a fan at all of ntop, I found it to be unstable, buggy, and pretty crufty code.

      Comments
      1. By G () on

        ntop crashes within gd, -w works well without pictures and huge hash buffer

      2. By jose () on http://monkey.org/~jose/

        I should add that flow-tools is in ports, and I have an unofficial port of cflowd here:

        http://monkey.org/~jose/openbsd/ports/unports/net/

        It's been a while since I updated it, so it may be a bit outdated, but it should help you get started. Others have used it with reported success.

        Lastly, several companies (including the one I work for) make commercial flow-based security and monitoring solutions. We go well beyond what you can do with free stuff in terms of performance and features .. :) we're very proud of that.

    2. By bb () on

      Yep, I've been using Netflowmet (a variation on Netramet) in a production environment. So far successfully. Very flexible tool.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]