OpenBSD Journal

Monitoring PF firewalls for health and performance

Contributed by sean on from the sudo vi /etc/pf.conf dept.

Matty wrote in to tell us about his introduction to several tools that can be used to monitor a PF firewall.

The PF (packet filter) firewall package was introduced in OpenBSD 3.0, and has since been ported to the FreeBSD and NetBSD Operating Systems. PF contains a stateful packet inspection engine, the ability to replicate state information to a backup firewall, a flexible self optimizing rule engine, QoS support, and the ability to collect performance metrics. These metrics can be useful for gauging the performance of a firewall platform, and provide a way to trend firewall performance over time. This article will describe several utilities that can be used to monitor the health and performance of a PF firewall.
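As an added example that is not part of Matty's article or the PF project, here is a small Python health check that parses `pfctl -s info` and `pfctl -s memory` output and flags a nearly full state table and counters that indicate dropped packets. The sample output is constructed and abridged; the script assumes the column layout shown in it.

```python
import re

# Constructed, abridged sample of `pfctl -s info` output (not from a real host).
PFCTL_INFO = """\
Status: Enabled for 3 days 04:12:55           Debug: Urgent
State Table                          Total             Rate
  current entries                     9650
  searches                       918273645         3400.2/s
Counters
  match                           12345678           45.7/s
  memory                               231            0.9/s
  state-limit                          117            0.4/s
"""
# Constructed sample of `pfctl -s memory` output.
PFCTL_MEMORY = """\
states        hard limit    10000
frags         hard limit     1024
"""

# One counter line: name, running total, optional per-second rate.
COUNTER_RE = re.compile(r"^\s+([a-z-]+(?: entries)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")

def parse_counters(text):
    """Return {name: (total, rate)} for each counter line of pfctl -s info."""
    out = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            out[m.group(1)] = (int(m.group(2)), float(m.group(3) or 0))
    return out

def parse_limits(text):
    """Return {pool: hard_limit} from pfctl -s memory."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\S+)\s+hard limit\s+(\d+)", text, re.M)}

def health_findings(info=PFCTL_INFO, memory=PFCTL_MEMORY, warn_frac=0.9):
    """Flag a nearly full state table and counters that imply dropped packets."""
    c, lim = parse_counters(info), parse_limits(memory)
    findings = []
    used, cap = c["current entries"][0], lim["states"]
    if used >= warn_frac * cap:
        findings.append(f"states {used}/{cap} ({used / cap:.0%} of hard limit)")
    # state-limit and memory count packets pf could not create a state for.
    for name in ("state-limit", "memory"):
        total, rate = c[name]
        if total:
            findings.append(f"{name}: {total} total, {rate}/s")
    return findings
```

On a live firewall, feed the script the output of `pfctl -s info` and `pfctl -s memory` and run it from cron to trend the findings over time.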



Comments
  1. By Venture37 (Venture37) venture37<A>hotmail.com on www.geeklan.co.uk

    Well done for writing up the guide, for the next revision you might want to take into consideration SNMP support as well. I'm looking forward to using the pointers in your guide on my 1st PF, CARP, pfsync setup which I deployed last week to replace a pair of aging Nokia Checkpoint doorstops.

    http://www.packetmischief.ca/openbsd/snmp/

    Comments
    1. By sthen (85.158.44.148) on

      > for the next revision you might want to take into consideration SNMP support as well.

      Did you find an snmpd that doesn't have an unfortunate tendency to segfault?

  2. By minusf (195.168.92.92) on

    $ sudo pkg_add symon

    Comments
    1. By sthen (85.158.44.148) on

      > $ sudo pkg_add symon

      yes, works nicely, and since it's rrd-based, there are plenty of ways to make pretty graphs and combine them with other data sources.

  3. By Anonymous Coward (70.141.212.164) on

    Nice little article. I have to say that pftop is one awesome program. It's almost fun to just watch it do its thing.

    One thing I've been wondering though, is how can I monitor bandwidth information on a per host level of all the hosts going out through the firewall? Basically, I'd like to see who my bandwidth hogs are.

    Also, if it outputs data that can be graphed then that would be ideal. Bosses love graphs. Actually, I've been wanting to put a transparent filter in front of our production firewall for this kind of purpose. Basically for monitoring and for some additional filtering.

    I've done the transparent filtering before. Basically, just an OpenBSD box set up as a bridge with pf turned on. That's the simple part. The part where I'm stumped is the bandwidth monitoring.

    Well, any help would be appreciated.

    Thanks!

    Comments
    1. By Jared G. (72.207.228.59) on

      > Nice little article. I have to say that pftop is one awesome program. It's almost fun to just watch it do its thing.
      >
      > One thing I've been wondering though, is how can I monitor bandwidth information on a per host level of all the hosts going out through the firewall? Basically, I'd like to see who my bandwidth hogs are.
      >
      > Also, if it outputs data that can be graphed then that would be ideal. Bosses love graphs. Actually, I've been wanting to put a transparent filter in front of our production firewall for this kind of purpose. Basically for monitoring and for some additional filtering.
      >
      > I've done the transparent filtering before. Basically, just an OpenBSD box set up as a bridge with pf turned on. That's the simple part. The part where I'm stumped is the bandwidth monitoring.
      >
      > Well, any help would be appreciated.
      >
      > Thanks!

      Try looking into pmacct and rrdtool. That's exactly what I use to graph the bandwidth of my users and it is excellent.

      You can see an example here:

      http://www.zeratech.com/2007-07-02.png

      Comments
      1. By Anonymous Coward (12.30.222.105) on

        > Try looking into pmacct and rrdtool. That's exactly what I use to graph the bandwidth of my users and it is excellent.
        >
        > You can see an example here:
        >
        > http://www.zeratech.com/2007-07-02.png
        >

        That looks neat. Can we also see the configuration that produces these little graphs?

      2. By Anonymous Coward (70.141.212.164) on

        > > Nice little article. I have to say that pftop is one awesome program. It's almost fun to just watch it do its thing.
        > >
        > > One thing I've been wondering though, is how can I monitor bandwidth information on a per host level of all the hosts going out through the firewall? Basically, I'd like to see who my bandwidth hogs are.
        > >
        > > Also, if it outputs data that can be graphed then that would be ideal. Bosses love graphs. Actually, I've been wanting to put a transparent filter in front of our production firewall for this kind of purpose. Basically for monitoring and for some additional filtering.
        > >
        > > I've done the transparent filtering before. Basically, just an OpenBSD box set up as a bridge with pf turned on. That's the simple part. The part where I'm stumped is the bandwidth monitoring.
        > >
        > > Well, any help would be appreciated.
        > >
        > > Thanks!
        >
        > Try looking into pmacct and rrdtool. That's exactly what I use to graph the bandwidth of my users and it is excellent.
        >
        > You can see an example here:
        >
        > http://www.zeratech.com/2007-07-02.png
        >

        Neat graph, I'll have to take a look at that. Thanks!

    2. By Brian (66.92.79.45) on

      > Nice little article. I have to say that pftop is one awesome program. It's almost fun to just watch it do its thing.
      >
      > One thing I've been wondering though, is how can I monitor bandwidth information on a per host level of all the hosts going out through the firewall? Basically, I'd like to see who my bandwidth hogs are.
      >

      pktstat might be useful for this.
