Pf monitoring

Frederic URBAN
Hi guys,

I'm trying to find a way to get pf stats (i.e. return of pfctl -si)
outside of the host to be sure that pf states count are under a certain
value. Usually I use snmp on other *Nix based OS but with snmpd(8) I'm
unable to achieve this (PF-MIB looks unpopulated). I agree snmp is an old
and insecure protocol so any other solution will fit as well.

Thankfully F.URBAN

--
Frédéric URBAN
Network Engineer

[hidden email]
Tel.: +33 (0)3 88 119 038
IRCAD France
http://www.ircad.fr/

Hôpitaux Universitaires - 1, place de l'Hôpital - 67091 Strasbourg Cedex - FRANCE

Re: Pf monitoring

Jonathon Sisson
On Mon, Jan 12, 2015 at 05:20:40PM +0100, Frédéric URBAN wrote:

> Hi guys,
>
> I'm trying to find a way to get pf stats (i.e. return of pfctl -si)
> outside of the host to be sure that pf states count are under a certain
> value. Usually I use snmp on other *Nix based OS but with snmpd(8) I'm
> unable to achieve this (PF-MIB looks unpopulated). I agree snmp is an old
> and insecure protocol so any other solution will fit as well.
>
> Thankfully F.URBAN
>

pfstatd does this well, but integrating it with other monitoring solutions
may not be very easy (honestly, I've not tried. I have pfstatd running on
a pf box with a remote machine running pfstat to gather and graph everything).

Re: Pf monitoring

Predrag Punosevac-2
In reply to this post by Frederic URBAN
F.URBAN wrote:
 

> Hi guys,
>
> I'm trying to find a way to get pf stats (i.e. return of pfctl -si)
> outside of the host to be sure that pf states count are under a certain
> value. Usually I use snmp on other *Nix based OS but with snmpd(8) I'm
> unable to achieve this (PF-MIB looks unpopulated). I agree snmp is an old
> and insecure protocol so any other solution will fit as well.
>
> Thankfully F.URBAN

Just to make sure we are on the same page: could you please confirm that
you are talking about snmpd from the base, not net-snmp? I personally
use only snmpd from the base on OpenBSD machines and net-snmpd on all
other OSs.

There is a brief section in Absolute OpenBSD, 2nd Edition about PF
related MIBs. Following that section I played with net/mbrowse and sure
enough they look populated to me. However, IIRC, I was unable to poll them
with Observium, which I am using to monitor about 35 physical servers. I
also use collectd but typically don't turn on the SNMP plugin. Maybe I should.

The Book of PF (I am still using the 2nd edition here but I am ready to buy
the 3rd edition) also talks briefly on page 150 about PF related MIBs
but nothing concrete.

IIRC Joel Knight is the maintainer of the PF related MIBs on OpenBSD

http://www.packetmischief.ca/2012/05/02/openbsd-5-1-snmp-mibs/

He has a bunch of nice graphs but I think he got them using Cacti.
Anyhow, I am really curious about the answers you are going to get on
this very interesting question.

Cheers,
Predrag

Re: Pf monitoring

Stuart Henderson
In reply to this post by Frederic URBAN
On 2015-01-12, Frédéric URBAN <[hidden email]> wrote:
> Hi guys,
>
> I'm trying to find a way to get pf stats (i.e. return of pfctl -si)
> outside of the host to be sure that pf states count are under a certain
> value. Usually I use snmp on other *Nix based OS but with snmpd(8) I'm
> unable to achieve this (PF-MIB looks unpopulated).

Using snmpd from the base OS (*not* net-snmp):

$ snmpwalk [hostname] enterprises.openBSD.pfMIBObjects
OPENBSD-PF-MIB::pfRunning.0 = INTEGER: true(1)
OPENBSD-PF-MIB::pfRuntime.0 = Timeticks: (15808100) 1 day, 19:54:41.00 1/100th of a Second
OPENBSD-PF-MIB::pfDebug.0 = INTEGER: err(3)
OPENBSD-PF-MIB::pfHostid.0 = STRING: "0x08fb74f1"
OPENBSD-PF-MIB::pfCntMatch.0 = Counter64: 228441
OPENBSD-PF-MIB::pfCntBadOffset.0 = Counter64: 0
OPENBSD-PF-MIB::pfCntFragment.0 = Counter64: 0
[...snip...]

The MIB description files are in /usr/share/snmp/mibs and can be
copied to another system.

> I agree snmp is an old
> and insecure protocol so any other solution will fit as well.

snmpd supports SNMPv3 which isn't so bad.
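
Added example, not part of any post in this thread: a monitoring-plugin style check that reads snmpwalk/snmpget text output in the format shown above and compares the pf state count against thresholds, returning UNKNOWN when the object is missing (the "unpopulated" case from the original question). Assumptions: the state count is exposed as OPENBSD-PF-MIB::pfStateCount.0 (that object is not in the snipped output above), the thresholds are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Threshold check on the pf state count, parsed from snmpwalk/snmpget text.
# Assumption: the count is exposed as OPENBSD-PF-MIB::pfStateCount.0.

# Constructed sample output (not captured from a real host).
SAMPLE_OK='OPENBSD-PF-MIB::pfRunning.0 = INTEGER: true(1)
OPENBSD-PF-MIB::pfStateCount.0 = Unsigned32: 1842'
# Constructed output in which the state count object is absent.
SAMPLE_EMPTY='OPENBSD-PF-MIB::pfRunning.0 = INTEGER: true(1)'

# pf_state_count: read snmpwalk text on stdin and print the state count.
# Returns 1 if the object is absent or its value is not a plain integer.
pf_state_count() {
    awk -F' = ' '
        $1 ~ /::pfStateCount\.0$/ {
            n = $2
            sub(/^[A-Za-z0-9]+: */, "", n)   # strip the "Unsigned32: " type tag
            if (n ~ /^[0-9]+$/) { print n; found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# check_pf_states WARN CRIT: stdin is snmpwalk output.
# Exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_pf_states() {
    warn=$1; crit=$2
    if ! count=$(pf_state_count); then
        echo "UNKNOWN: pfStateCount.0 not present in SNMP output"
        return 3
    fi
    if [ "$count" -ge "$crit" ]; then
        echo "CRITICAL: $count pf states (>= $crit)"; return 2
    elif [ "$count" -ge "$warn" ]; then
        echo "WARNING: $count pf states (>= $warn)"; return 1
    fi
    echo "OK: $count pf states"; return 0
}

# Live use (assumes net-snmp client tools and an SNMPv3 user on the pf host;
# USER, AUTHPASS, PRIVPASS and HOST are placeholders):
#   snmpget -v3 -l authPriv -u USER -a SHA -A AUTHPASS -x AES -X PRIVPASS \
#       HOST OPENBSD-PF-MIB::pfStateCount.0 | check_pf_states 8000 9500
printf '%s\n' "$SAMPLE_OK" | check_pf_states 8000 9500
```

Treating a missing object as UNKNOWN rather than OK keeps a misconfigured agent from looking like a healthy firewall.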