accounting with ipfw (gid, uid rules)

From: Nickolay A.Kritsky (nkritsky@internethelp.ru)
Date: 07/26/01


Date: Thu, 26 Jul 2001 17:21:01 +0400
From: "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To: security@FreeBSD.ORG


  Hi, all.

I am not sure if my question has anything to do with security, but people on this list
have a _huge_ amount of ipfw, natd and TCP/IP experience, which they
can share with me. :)
I have started accounting IP traffic on my ISP-to-office gateway.

I want to implement this via the 'ipfw add count' command, using its
'gid' and 'uid' parameters.
I have put in some counters:

Rule 19 is quite simple:
00019 count ip from any to any via rl0
It shows me how many packets were seen on interface rl0 (it is my
external interface).

Rule 1010 consists of several rules which should count all traffic
generated by the router itself, sorted by uid:

01010 count ip from any to 212.113.112.145 via rl0
01010 count ip from 212.113.112.145 to any via rl0
01010 count ip from any to 212.113.112.145 uid nobody via rl0
01010 count ip from any to 212.113.112.145 uid root via rl0
01010 count ip from any to 212.113.112.145 uid httpd via rl0
01010 count ip from any to 212.113.112.145 uid ftp via rl0
01010 count ip from 212.113.112.145 to any uid nobody via rl0
01010 count ip from 212.113.112.145 to any uid root via rl0
01010 count ip from 212.113.112.145 to any uid httpd via rl0
01010 count ip from 212.113.112.145 to any uid ftp via rl0

su-2.03# ipfw show 19 1010
<-------------------------start------------------------>
00019 3215329 1163463543 count ip from any to any via rl0
01010 1118838 920747034 count ip from any to 212.113.112.145 via rl0
01010 1224240 90608036 count ip from 212.113.112.145 to any via rl0
01010 2098 231284 count ip from any to 212.113.112.145 uid nobody via rl0
01010 913617 710773596 count ip from any to 212.113.112.145 uid root via rl0
01010 117 8768 count ip from any to 212.113.112.145 uid httpd via rl0
01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0
01010 7660 466991 count ip from 212.113.112.145 to any uid nobody via rl0
01010 963148 79260085 count ip from 212.113.112.145 to any uid root via rl0
01010 36 1566 count ip from 212.113.112.145 to any uid httpd via rl0
01010 0 0 count ip from 212.113.112.145 to any uid ftp via rl0
<-------------------------end-------------------------->

According to sockstat, the only users that currently have allocated
sockets are nobody, httpd, ftp and root: Squid, Apache, ftpd and everything
else (in the same order). "Everything else" is mostly sendmail,
popper and natd.
Here are the questions:
Why is the whole traffic to and from the router 920747034 + 90608036 = 1011355070,
but the sum of the traffic counters sorted by uid is
231284 + 710773596 + 8768 + 0 + 466991 + 79260085 + 1566 + 0 = 790742290?

The difference is big:
1011355070 - 790742290 = 220612780 > 210 MB

Where did I make an error, or who is lying to me here: ipfw or sockstat?

Has anybody used uid/gid sorting in ipfw? Is it reliable?

So many questions... Any help would be very welcome.

NK
;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
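An added example (not code from the post or from FreeBSD's ipfw sources) that parses the `ipfw show` output quoted above and reconciles each direction's total counter against the uid counters under it, so the unaccounted remainder is reported per direction rather than only as one grand difference. The sample input is the output from the post; ROUTER_IP, LINE_RE and the function names are this example's own choices.

```python
import re
from collections import defaultdict

# The `ipfw show 19 1010` output quoted in the post, copied verbatim (the
# <---start---> / <---end---> marker lines are kept to show they are skipped).
IPFW_SHOW = """\
<-------------------------start------------------------>
00019 3215329 1163463543 count ip from any to any via rl0
01010 1118838 920747034 count ip from any to 212.113.112.145 via rl0
01010 1224240 90608036 count ip from 212.113.112.145 to any via rl0
01010 2098 231284 count ip from any to 212.113.112.145 uid nobody via rl0
01010 913617 710773596 count ip from any to 212.113.112.145 uid root via rl0
01010 117 8768 count ip from any to 212.113.112.145 uid httpd via rl0
01010 0 0 count ip from any to 212.113.112.145 uid ftp via rl0
01010 7660 466991 count ip from 212.113.112.145 to any uid nobody via rl0
01010 963148 79260085 count ip from 212.113.112.145 to any uid root via rl0
01010 36 1566 count ip from 212.113.112.145 to any uid httpd via rl0
01010 0 0 count ip from 212.113.112.145 to any uid ftp via rl0
<-------------------------end-------------------------->
"""

ROUTER_IP = "212.113.112.145"  # the router's own address, taken from the post

# `ipfw show` prints: <rule> <packets> <bytes> <rule body>
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(count\s+.*)$")


def parse_show(text):
    """Return (rule, packets, bytes, body) for every 'count' line; ignore the rest."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rule, pkts, nbytes, body = m.groups()
            rows.append((int(rule), int(pkts), int(nbytes), body))
    return rows


def classify(body, router_ip):
    """Map a count-rule body to (direction, uid).

    direction is 'in' for rules matching packets addressed to the router and
    'out' for packets the router sends; uid is None for the per-direction
    total rule. Rules that do not name the router address at all (such as
    the interface total in rule 19) yield None.
    """
    if " to %s " % router_ip in body:
        direction = "in"
    elif " from %s " % router_ip in body:
        direction = "out"
    else:
        return None
    m = re.search(r"\buid (\S+)", body)
    return direction, (m.group(1) if m else None)


def reconcile(text, router_ip):
    """Per direction: total bytes, bytes attributed to some uid, and the remainder.

    The remainder is traffic that matched the direction total but none of the
    uid rules, i.e. packets for which ipfw found no local TCP/UDP socket.
    """
    totals = {}
    by_uid = defaultdict(dict)
    for _rule, _pkts, nbytes, body in parse_show(text):
        c = classify(body, router_ip)
        if c is None:
            continue
        direction, uid = c
        if uid is None:
            totals[direction] = nbytes
        else:
            by_uid[direction][uid] = nbytes
    report = {}
    for direction, total in totals.items():
        attributed = sum(by_uid[direction].values())
        report[direction] = {
            "total": total,
            "attributed": attributed,
            "unattributed": total - attributed,
            "by_uid": dict(by_uid[direction]),
        }
    return report


if __name__ == "__main__":
    for direction, r in reconcile(IPFW_SHOW, ROUTER_IP).items():
        print("%-3s total=%d attributed=%d unattributed=%d (%.1f%%)" % (
            direction, r["total"], r["attributed"], r["unattributed"],
            100.0 * r["unattributed"] / r["total"]))
```

Run against the quoted output this reports about 209.7 million unattributed bytes inbound and about 10.9 million outbound, which together are the 220612780-byte gap in the post. The caveat to keep in mind when reading such a report: ipfw's uid and gid options match only TCP or UDP packets for which the kernel finds a local socket to take the owner from (ipfw(8) describes uid as matching "all TCP or UDP packets sent by or received for" the user). Packets that carry the router's address but have no socket on the router, such as ICMP or connections natd rewrites on behalf of internal hosts, increment the per-direction totals and none of the uid counters, so a gap between the two is expected rather than a sign that a counter is lying. A next check is to split each direction total by protocol (the same addresses with count tcp, count udp and count icmp) to see how much of the remainder is non-TCP/UDP traffic and how much is translated traffic.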

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


