accounting with ipfw (gid, uid rules)

From: Nickolay A.Kritsky (nkritsky@internethelp.ru)
Date: 07/26/01


Date: Thu, 26 Jul 2001 17:21:01 +0400
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To: security@FreeBSD.ORG


  Hi, all.

I am not sure if my question has anything to do with security, but people on this list
have a _huge_ amount of ipfw, natd and TCP/IP experience which they
can share with me. :)
I have started accounting IP traffic on my ISP2office gateway.

I want to implement this via 'ipfw add count' command, using its
'gid' and 'uid' parameters.
I have put some counters:

rule 19 is quite simple:
00019 count ip from any to any via rl0
It shows me how many packets were seen on interface rl0 (it is my
external interface).

rule 1010 consists of several rules which should count all traffic
generated by the router itself, sorted by uid:

01010 count ip from any to 212.113.112.145 via rl0
01010 count ip from 212.113.112.145 to any via rl0
01010 count ip from any to 212.113.112.145 uid nobody via rl0
01010 count ip from any to 212.113.112.145 uid root via rl0
01010 count ip from any to 212.113.112.145 uid httpd via rl0
01010 count ip from any to 212.113.112.145 uid ftp via rl0
01010 count ip from 212.113.112.145 to any uid nobody via rl0
01010 count ip from 212.113.112.145 to any uid root via rl0
01010 count ip from 212.113.112.145 to any uid httpd via rl0
01010 count ip from 212.113.112.145 to any uid ftp via rl0

su-2.03# ipfw show 19 1010
<-------------------------start------------------------>
00019 3215329 1163463543 count ip from any to any via rl0
01010 1118838 920747034 count ip from any to 212.113.112.145 via rl0
01010 1224240 90608036 count ip from 212.113.112.145 to any via rl0
01010 2098 231284 count ip from any to 212.113.112.145 uid nobody via rl0
01010 913617 710773596 count ip from any to 212.113.112.145 uid root via rl0
01010 117 8768 count ip from any to 212.113.112.145 uid httpd via rl0
01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0
01010 7660 466991 count ip from 212.113.112.145 to any uid nobody via rl0
01010 963148 79260085 count ip from 212.113.112.145 to any uid root via rl0
01010 36 1566 count ip from 212.113.112.145 to any uid httpd via rl0
01010 0 0 count ip from 212.113.112.145 to any uid ftp via rl0
<-------------------------end-------------------------->

According to sockstat, the only users that currently have allocated
sockets are nobody, httpd, ftp, root - Squid, Apache, ftpd, everything
else (in the same order). "Everything else" is mostly sendmail,
popper and natd.
Here are the questions:
Why is the whole traffic to and from the router 920747034 + 90608036 = 1011355070,
but the sum of the traffic counters sorted by uid is
231284 + 710773596 + 8768 + 0 + 466991 + 79260085 + 1566 + 0 = 790742290?

The difference is big:
1011355070 - 790742290 = 220612780 > 210 Mb

Where did I make an error, or who is lying to me here: ipfw or sockstat?

Has anybody used uid/gid sorting in ipfw? Is it reliable?

So many questions... Any help is much appreciated.

NK
;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
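The reconciliation the post does by hand, as an added example (not code from the post or from FreeBSD): a small Python script that parses `ipfw show` output, splits rule 1010 into the aggregate counters (no `uid` keyword) and the per-uid counters, and reports the bytes that no uid rule accounted for, separately per direction. Splitting by direction matters for the check, because ipfw's `uid` match only applies to TCP/UDP packets the kernel can tie to a local socket, so the unattributed remainder shows where (inbound vs outbound) the socket-less traffic is. The sample input is the output quoted in the post; the host address, rule number and the `reconcile` function name are this example's own choices.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the `ipfw show 19 1010` output quoted in the post above.
SAMPLE = """\
00019 3215329 1163463543 count ip from any to any via rl0
01010 1118838 920747034 count ip from any to 212.113.112.145 via rl0
01010 1224240 90608036 count ip from 212.113.112.145 to any via rl0
01010 2098 231284 count ip from any to 212.113.112.145 uid nobody via rl0
01010 913617 710773596 count ip from any to 212.113.112.145 uid root via rl0
01010 117 8768 count ip from any to 212.113.112.145 uid httpd via rl0
01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0
01010 7660 466991 count ip from 212.113.112.145 to any uid nobody via rl0
01010 963148 79260085 count ip from 212.113.112.145 to any uid root via rl0
01010 36 1566 count ip from 212.113.112.145 to any uid httpd via rl0
01010 0 0 count ip from 212.113.112.145 to any uid ftp via rl0
"""

# `ipfw show` prints: <rule number> <packets> <bytes> <rule body>
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
UID_RE = re.compile(r"\buid\s+(\S+)")


def parse_ipfw_show(text):
    """Return a list of (rule_number, packets, bytes, body) tuples."""
    rows = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # skip non-rule lines (headers, separators)
            num, pkts, nbytes, body = m.groups()
            rows.append((int(num), int(pkts), int(nbytes), body))
    return rows


def direction(body, host):
    """'in' for traffic to the router's address, 'out' for traffic from it."""
    if f"from {host} to" in body:
        return "out"
    if f"to {host}" in body:
        return "in"
    return None


def reconcile(text, host, rule=1010):
    """Compare aggregate byte counters against the per-uid counters of one rule."""
    totals = {"in": 0, "out": 0}
    per_uid = {"in": defaultdict(int), "out": defaultdict(int)}
    for num, _pkts, nbytes, body in parse_ipfw_show(text):
        if num != rule:
            continue
        d = direction(body, host)
        if d is None:
            continue
        m = UID_RE.search(body)
        if m:
            per_uid[d][m.group(1)] += nbytes
        else:
            totals[d] += nbytes
    report = {}
    for d in ("in", "out"):
        attributed = sum(per_uid[d].values())
        report[d] = {
            "total": totals[d],
            "attributed": attributed,
            "unattributed": totals[d] - attributed,
            "by_uid": dict(per_uid[d]),
        }
    return report


if __name__ == "__main__":
    # Usage: ipfw show 1010 | python3 reconcile.py <router-address>
    # With no argument the embedded sample is analysed.
    if len(sys.argv) > 1:
        result = reconcile(sys.stdin.read(), sys.argv[1])
    else:
        result = reconcile(SAMPLE, "212.113.112.145")
    for d in ("in", "out"):
        r = result[d]
        print(f"{d}: total={r['total']} attributed={r['attributed']} "
              f"unattributed={r['unattributed']} by_uid={r['by_uid']}")
```

Run on the sample, the script reports roughly 209.7 MB unattributed inbound and 10.9 MB unattributed outbound; the two add up to the 220612780 bytes the post computes, so the gap is real and mostly on the inbound side rather than an arithmetic slip.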