Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow


Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

openbsd-misc
I’m attempting to monitor traffic on my LAN; I have inserted a non-aggregating network tap between my firewall (not openbsd) and my enet switch.

I wired the two monitor ports of the network tap to two ethernet interfaces (em2 and em3) on an openbsd machine (running 5.3 at present), em0 on
this machine is the regular network port.

I’m attempting to configure pf etc. in order to facilitate monitoring and analyzing the traffic on my lan.  
I started with just the em2 interface and associated tap output, which monitors traffic from my LAN to the firewall.

AFAICT, the interfaces I use for this monitoring need to be “UP” and in “PROMISC” (promiscuous) mode, correct?

So far, the only way I know I can do that is by adding the interface to a bridge.  Is there another/better way?

So, I have:

        ifconfig em2 up

        ifconfig bridge0 add em2
        ifconfig bridge0 rule pass in on em2 tag tap_b
        ifconfig bridge0 up

I’d like to configure pf as follows:

        Log all traffic on em2/bridge0 to (ideally a specific) pflog interface

        Also “log” flows on em2/bridge0 to (ideally a specific) pflow interface

        Leave em0 alone (in its default state), and don’t “duplicate” logging of packets received
        on this interface to pflog/pflow interfaces above.

        And after that, basically replicate the em2/bridge0 logging with
        similar logging for em3/bridge1, to distinct pflog/pflow interfaces.

Here is my current pf.conf, it doesn’t do what I want above, but this is the only thing I have
gotten to work at all:

        set state-defaults pflow
        set skip on lo

        pass log on bridge0

        block           # block stateless traffic
        pass            # establish keep-state

        block in on ! lo0 proto tcp to port 6000:6010

Is there a better way to log packets received on the bridge than by “pass” ing them?
I tried to tag the packets coming in from em2 in the bridge config, but haven’t yet figured out how to use that tag to
help me log.

With the above, and with

        ifconfig pflow0 flowsrc 192.168.128.61 flowdst 192.168.128.61:1234 pflowproto 9

I’ve gotten some flow data to show up and I’ve used nfsen to look at it.

I’d greatly appreciate any advice/pointers on how I can do what I describe above.
I’ve spent many hours trying different things, reading man pages, and books (The Book of PF, Network Flow Analysis, etc)

Don
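The configuration asked for above (one pflog interface per tap, the management NIC left alone) can be expressed with pf.conf(5)'s `log (all, to pflogN)` option plus `set skip` on the management interface. The script below is an added example, not code from the thread: it emits the ifconfig(8) and pf.conf text for a list of tap interfaces and then checks that text against the poster's two requirements (no log rule covering the management NIC, no two taps sharing a pflog unit). Interface names, bridge names and pflog unit numbers are assumptions. One caveat the grammar forces: the `pflow` state option takes no interface argument, so states from every tap are exported through whatever pflow(4) interfaces exist, and per-tap pflow destinations cannot be selected in the rule itself.

```python
"""Added example: generate and sanity-check the pf.conf for a passive
OpenBSD tap monitor. Not code from the thread; interface names and
pflog unit numbers are assumptions for illustration."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tap:
    ifname: str      # NIC wired to a tap monitor port (assumed: em2, em3)
    bridge: str      # bridge the NIC is a member of, so pf sees its frames
    pflog_unit: int  # pflog(4) unit that receives this tap's packet log


def ifconfig_commands(taps):
    """ifconfig(8) lines that bring each tap NIC up inside its own bridge
    and create the matching pflog unit. Returned as text, not executed."""
    cmds = []
    for t in taps:
        cmds += [
            f"ifconfig {t.ifname} up",
            f"ifconfig {t.bridge} add {t.ifname}",
            f"ifconfig {t.bridge} up",
            f"ifconfig pflog{t.pflog_unit} create",
        ]
    return cmds


def pf_conf(mgmt, taps):
    """pf.conf text: skip the management NIC entirely, default-deny, then
    one rule per tap that logs every packet of the state ("log (all)") to
    that tap's own pflog unit and exports the state via pflow."""
    lines = [f"set skip on {{ lo0 {mgmt} }}", "block"]
    for t in taps:
        lines.append(
            f"pass log (all, to pflog{t.pflog_unit}) on {t.ifname} "
            "keep state (pflow)"
        )
    return "\n".join(lines) + "\n"


_SKIP = re.compile(r"^set\s+skip\s+on\s+\{?([^}]+)\}?")
_RULE = re.compile(r"^(pass|block|match)\b(?P<body>.*)$")
_ON = re.compile(r"\bon\s+(\S+)")
_TO_PFLOG = re.compile(r"to\s+pflog(\d+)")


def check_conf(conf, mgmt):
    """Return a list of problems: a log rule that still covers the
    management NIC (the duplicate logging the poster wants to avoid), or
    two rules sending to the same pflog unit. Empty list means OK."""
    problems, units, skipped = [], {}, set()
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        s = _SKIP.match(line)
        if s:
            skipped.update(s.group(1).split())
            continue
        m = _RULE.match(line)
        if not m or " log" not in m.group("body"):
            continue
        on = _ON.search(m.group("body"))
        iface = on.group(1) if on else None
        # a rule without "on" applies to every interface not skipped
        if iface == mgmt or (iface is None and mgmt not in skipped):
            problems.append(f"line {n}: log rule covers management interface {mgmt}")
        for unit in _TO_PFLOG.findall(line):
            if unit in units:
                problems.append(f"line {n}: pflog{unit} already used on line {units[unit]}")
            units.setdefault(unit, n)
    return problems


if __name__ == "__main__":
    taps = [Tap("em2", "bridge0", 1), Tap("em3", "bridge1", 2)]
    print("\n".join(ifconfig_commands(taps)))
    conf = pf_conf("em0", taps)
    print(conf)
    print("problems:", check_conf(conf, "em0") or "none")
```

The generated rules only work while each tap NIC is a bridge member, because a frame whose destination MAC is not the host's is dropped before pf sees it otherwise, which is exactly why the bridge was needed in the first place.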


Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

Giancarlo Razzolini-3
On 20-03-2014 17:12, Don Jackson wrote:

> I’m attempting to monitor traffic on my LAN, I have inserted a non-aggregating network tap between my firewall (not openbsd) and my enet switch.
>
> I wired the two monitor ports of the network tap to two ethernet interfaces (em2 and em3) on an openbsd machine (running 5.3 at present), em0 on
> this machine is the regular network port.
>
> I’m attempting to configure pf etc. in order to facilitate monitoring and analyzing the traffic on my lan.  
> I started with just the em2 interface and associated tap output, which monitors traffic from my LAN to the firewall.
>
> AFAICT, the interfaces I use for this monitoring need to be “UP” and in “PROMISC” (promiscuous) mode, correct?
>
> So far, the only way I know I can do that is by adding the interface to a bridge.  Is there another/better way?
You could implement some sort of daemon that puts the interfaces in
promiscuous mode using the pcap library. Or run tmux+tcpdump. A
bridge can also work, but it introduces complexity, especially when
filtering the packets.

>
> So, I have:
>
> ifconfig em2 up
>
> ifconfig bridge0 add em2
> ifconfig bridge0 rule pass in on em2 tag tap_b
> ifconfig bridge0 up
>
> I’d like to configure pf as follows:
>
> Log all traffic on em2/bridge0 to (ideally a specific) pflog interface
>
> Also “log” flows on em2/bridge0 to (ideally a specific) pflow interface
>
> Leave em0 alone (in its default state), and don’t “duplicate” logging of packets received
> on this interface to pflog/pflow interfaces above.
>
> And after that, basically replicate the em2/bridge0 logging with
> similar logging for em3/bridge1, to distinct pflog/pflow interfaces.
>
> Here is my current pf.conf, it doesn’t do what I want above, but this is the only thing I have
> gotten to work at all:
>
> set state-defaults pflow
> set skip on lo
>
> pass log on bridge0
>
> block           # block stateless traffic
> pass            # establish keep-state
>
> block in on ! lo0 proto tcp to port 6000:6010
>
> Is there a better way to log packets received on the bridge than by “pass” ing them?
> I tried to tag the packets coming in from em2 in the bridge config, but haven’t yet figured out how to use that tag to
> help me log.
>
> With the above, and with
>
> ifconfig pflow0 flowsrc 192.168.128.61 flowdst 192.168.128.61:1234 pflowproto 9
AFAIK, using anything besides proto 5 on pflow interfaces is broken, at
least on OpenBSD 5.4. I know there was some recent work in this area
that solves this issue.
>
> I’ve gotten some flow data to show up and I’ve used nfsen to look at it.
>
> I’d greatly appreciate any advice/pointers on how I can do what I describe above.
> I’ve spent many hours trying different things, reading man pages, and books (The Book of PF, Network Flow Analysis, etc)
>
> Don
>
Instead of using the state-defaults, you should use more specific rules.

pass on em0
pass on em2 (pflow)
pass on em3 (pflow)

and so on. I believe that this is it. Of course things would be much
simpler if your OpenBSD machine was the router. And you could
practically guarantee that you would see all the packets.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

openbsd-misc
On Mar 20, 2014, at 2:14 PM, Giancarlo Razzolini <[hidden email]> wrote:

> On 20-03-2014 17:12, Don Jackson wrote:
>> I’m attempting to monitor traffic on my LAN, I have inserted a non-aggregating network tap between my firewall (not openbsd) and my enet switch.
>> I wired the two monitor ports of the network tap to two ethernet interfaces (em2 and em3) on an openbsd machine (running 5.3 at present), em0 on
>> this machine is the regular network port.
>> I’m attempting to configure pf etc. in order to facilitate monitoring and analyzing the traffic on my lan.  
>> I started with just the em2 interface and associated tap output, which monitors traffic from my LAN to the firewall.
>> AFAICT, the interfaces I use for this monitoring need to be “UP” and in “PROMISC” (promiscuous) mode, correct?
>> So far, the only way I know I can do that is by adding the interface to a bridge.  Is there another/better way?
> You could implement some sort of daemon that puts the interfaces in
> promiscuous mode using the pcap library. Or running a tmux+tcpdump. A
> bridge can also work, but it introduces complexity, especially when
> filtering the packets.

Based on further experiments motivated by your suggestions, I have concluded that I’ve been using the wrong tool(s)
for the job.

Since I’m using the OpenBSD box to just read all packets on an interface, I shouldn’t be using pf/pflog/pflow at all,
I should just focus on apps like tcpdump that open the interface directly, and read what they want.  Some network monitoring packages
(i.e. argus) seem to have their own tcpdump-like apps for reading network interfaces.

If the box in question was the router/firewall, then obviously I could/should use pf/pflog/pflow to extract the info
passing through/by that I would want to monitor.

Thank you for kludging me in the right direction.

Don
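Once the box only reads packets with tcpdump or a pcap-based tool, the flow view that pflow/nfsen used to provide has to be rebuilt from the capture. The script below is an added example, not code from the thread, tcpdump or argus: it parses a classic pcap file (the format `tcpdump -w` writes) and folds the packets into 5-tuple flows with packet and byte counters, handling the three things a tap capture throws at a reader: non-IP frames such as ARP (skipped), frames cut short by the snaplen (byte counts use the on-wire length, not the captured length), and a file truncated mid-record by an interrupted capture. The sample capture, its addresses and ports are constructed inline.

```python
"""Added example, not code from the thread or from tcpdump/argus: read a
classic pcap file and aggregate packets into 5-tuple flows with packet
and byte counters. The sample capture below is constructed inline."""

import socket
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


# --- builders for the constructed sample capture ---------------------------
def ethernet(ethertype, payload):
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ethertype) + payload)


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options, checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(sport, dport, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def pcap_file(frames, snaplen=96):
    """Serialise frames as little-endian classic pcap, truncating each
    record to snaplen the way tcpdump -s would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        cap = frame[:snaplen]
        out += struct.pack("<IIII", 1395350000 + i, 0, len(cap), len(frame)) + cap
    return out


LAN, GW = "192.168.128.10", "192.168.128.1"   # constructed addresses
SAMPLE_PCAP = pcap_file([
    ethernet(ETHERTYPE_IPV4, ipv4(LAN, GW, 6, tcp(40000, 443))),
    ethernet(ETHERTYPE_IPV4, ipv4(LAN, GW, 6, tcp(40000, 443, b"x" * 1200))),  # cut by snaplen
    ethernet(ETHERTYPE_IPV4, ipv4(GW, LAN, 6, tcp(443, 40000, b"y" * 500))),
    ethernet(ETHERTYPE_IPV4, ipv4(LAN, GW, 17, udp(5353, 53, b"q" * 30))),
    ethernet(ETHERTYPE_ARP, b"\x00" * 28),  # non-IP frame, must be ignored
])


# --- reader and flow aggregation -------------------------------------------
def records(data):
    """Yield (ts, caplen, wirelen, frame) from pcap bytes of either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, caplen, wirelen = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + caplen]
        if len(frame) < caplen:      # file cut short mid-record (interrupted capture)
            break
        off += caplen
        yield ts, caplen, wirelen, frame


def flows_from_pcap(data):
    """Map (src, dst, proto, sport, dport) -> {"packets", "bytes"}. Byte
    counts use the on-wire length so a short snaplen does not shrink them;
    ports are 0 for protocols other than TCP/UDP."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _ts, _caplen, wirelen, frame in records(data):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4            # header length honours IP options
        proto = ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport = dport = 0
        if proto in (6, 17) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack_from("!HH", ip, ihl)
        rec = flows[(src, dst, proto, sport, dport)]
        rec["packets"] += 1
        rec["bytes"] += wirelen
    return dict(flows)


def format_flows(flows):
    """nfdump-style one-line summaries, largest flow first."""
    names = {6: "TCP", 17: "UDP"}
    rows = sorted(flows.items(), key=lambda kv: -kv[1]["bytes"])
    return [f"{names.get(p, p):>4} {s}:{sp} -> {d}:{dp} pkts={v['packets']} bytes={v['bytes']}"
            for (s, d, p, sp, dp), v in rows]


if __name__ == "__main__":
    print("\n".join(format_flows(flows_from_pcap(SAMPLE_PCAP))))
```

To use it on a real tap, replace `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -i em2 -w` on the monitoring box; the reader deliberately refuses non-Ethernet link types rather than mis-parsing them.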


Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

Giancarlo Razzolini-3
On 20-03-2014 19:21, Don Jackson wrote:

> On Mar 20, 2014, at 2:14 PM, Giancarlo Razzolini <[hidden email]> wrote:
>
>> On 20-03-2014 17:12, Don Jackson wrote:
>>> I’m attempting to monitor traffic on my LAN, I have inserted a non-aggregating network tap between my firewall (not openbsd) and my enet switch.
>>> I wired the two monitor ports of the network tap to two ethernet interfaces (em2 and em3) on an openbsd machine (running 5.3 at present), em0 on
>>> this machine is the regular network port.
>>> I’m attempting to configure pf etc. in order to facilitate monitoring and analyzing the traffic on my lan.  
>>> I started with just the em2 interface and associated tap output, which monitors traffic from my LAN to the firewall.
>>> AFAICT, the interfaces I use for this monitoring need to be “UP” and in “PROMISC” (promiscuous) mode, correct?
>>> So far, the only way I know I can do that is by adding the interface to a bridge.  Is there another/better way?
>> You could implement some sort of daemon that puts the interfaces in
>> promiscuous mode using the pcap library. Or running a tmux+tcpdump. A
>> bridge can also work, but it introduces complexity, especially when
>> filtering the packets.
> Based on further experiments motivated by your suggestions, I have concluded that I’ve been using the wrong tool(s)
> for the job.
>
> Since I’m using the OpenBSD box to just read all packets on an interface, I shouldn’t be using pf/pflog/pflow at all,
> I should just focus on apps like tcpdump that open the interface directly, and read what they want.  Some network monitoring packages
> (i.e. argus) seem to have their own tcpdump-like apps for reading network interfaces.
>
> If the box in question was the router/firewall, then obviously I could/should use pf/pflog/pflow to extract the info
> passing through/by that I would want to monitor.
>
> Thank you for kludging me in the right direction.
>
> Don
>
Yes, this is even better (and simpler). I believed that you needed to
use netflow, because I thought your switch was sending netflow data, not
all packets itself. Reading your mail again, I realized this. But then
again, is there any particular reason why the OpenBSD machine isn't the
router/gateway for your network(s)? I believe that there are very few,
if any, cases where an OpenBSD firewall wouldn't do the job.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC


Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

Florian Obser
On Thu, Mar 20, 2014 at 06:14:39PM -0300, Giancarlo Razzolini wrote:
> AFAIK, using anything beside proto 5 on pflow interfaces is broken, at
> least on OpenBSD 5.4. I know there were some recent work in this area
> that solves this issue.

Nope, proto 9 was always working. proto 10 had the problem that
it was sending templates / flows that were technically correct, but
there is no known receiver which could actually parse them ;)
This was fixed in rev 1.34 of pflow.c (August 13th 2013) and will be
in 5.5.

--
I'm not entirely sure you are real.


Re: Questions about monitoring LAN traffic with openbsd/pf/pflog/pflow

Giancarlo Razzolini-3
On 22-03-2014 08:39, Florian Obser wrote:

> On Thu, Mar 20, 2014 at 06:14:39PM -0300, Giancarlo Razzolini wrote:
>> AFAIK, using anything besides proto 5 on pflow interfaces is broken, at
>> least on OpenBSD 5.4. I know there were some recent work in this area
>> that solves this issue.
> Nope, proto 9 was always working. proto 10 had the problem that
> it was sending templates / flows that were technically correct, but
> there is no known receiver which could actually parse them ;)
> This was fixed in rev 1.34 of pflow.c (August 13th 2013) and will be
> in 5.5.
>
I must have been fooled by nfsen and my poor job in cleaning things then. I
tried 9 before reverting to 5, but I believe that I didn't clean the
files prior to the test. Anyway, I knew that 10 was broken and is fixed
to be in 5.5. I am expecting it, eagerly.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC