pf.conf set state-defaults pflow seemingly not exporting traffic


marfabastewart

My money is on state-defaults working and I just am doing something
wrong, but I can't figure out what it is.

The sensor's information:
OpenBSD 6.7 (GENERIC.MP) #4: Wed Jul 15 11:16:20 MDT 2020
[hidden email]:/usr/src/sys/arch/amd64
/compile/GENERIC.MP
bios0: PC Engines APU2

On the sensor in /etc/pf.conf each pass rule has modulate state.  If I
add (pflow) to each of these rules, flows export correctly.  If I
don't explicitly add (pflow), I don't see netflow traffic.

Note about the collector:

    Everything else in this message only involves the sensor. If I add
    (pflow) to each "modulate state" pass rule /etc/pf.conf in the
    sensor, the collector works fine. If I take it away, the collector
    only generates files with no flow data, e.g. ls -l gives

    root _netflow  100 Jul 20 23:50 ft-v05.2020-07-20.234501-0500

    instead of lengths that reflected the explicit (pflow) rules on
    the sensor the day before:

    root  _netflow   5546 Jul 19 04:35 ft-v05.2020-07-19.043001-0500

    Please note that the size was 100 for every file for Jul 20, not
    just for 23:50.

    These dates are just one example. Going back and forth from
    explicit (pflow) on the sensor generates the same sort of results.

End of note about the collector.


Both /etc/pf.conf and /etc/pf.conf.onlystatedefaultspflow contain

    set state-defaults pflow

    pass log quick proto udp from flowgroup to collector port $flowport modulate state \
        label "flow $if $nr $srcaddr $dstaddr"

The only difference between the files is that
pf.conf.onlystatedefaultspflow lacks explicit (pflow).

i.e. if pf.conf has

    pass log inet proto tcp to https modulate state (pflow)

then pf.conf.onlystatedefaultspflow has

    pass log inet proto tcp to https modulate state

I've cleaned up the output of a typescript that shows the problem: If
I understand the output correctly, I have to explicitly add (pflow) to
the pass rules to get traffic on the pflow0 interface, and to see
traffic from my labeled rule that exports the flows.

First with only the set state-defaults:

    step0# /sbin/pfctl -f /etc/pf.conf.onlystatedefaultspflow

    step1# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53359944

    step2# /sbin/pfctl -s label | /usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 99 1 1300 0 0 1 1300 1

    step3# /bin/echo "generating traffic on some other host"

    step4# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53359944

    step5# /sbin/pfctl -s label | /usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 172 1 1300 0 0 1 1300 1

now loading ruleset with (pflow) on each rule with modulate state

    step0# /sbin/pfctl -f /etc/pf.conf

    step1# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53360160

    step2# /sbin/pfctl -s label|/usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 69 0 0 0 0 0 0 0

    step3# /bin/echo "generating traffic on another host"

    step4# /usr/bin/netstat -b -I pflow0
        Name    Mtu   Network      Address        Ibytes       Obytes
        pflow0    1492  <Link>                     0     53364552

    step5# /sbin/pfctl -s label|/usr/bin/grep flow
        flow any 0 10.0.1.1 10.0.1.3 95 3 4476 0 0 3 4476 1



Re: pf.conf set state-defaults pflow seemingly not exporting traffic

Peter Nicolai Mathias Hansteen


> On 21 Jul 2020 at 17:42, marfabastewart <[hidden email]> wrote:
>
> pf.conf set state-defaults pflow seemingly not exporting traffic
>
> My money is on state-defaults working and I just am doing something
> wrong, but I can't figure out what it is.
>
> The sensor's information:
> OpenBSD 6.7 (GENERIC.MP) #4: Wed Jul 15 11:16:20 MDT 2020
> [hidden email]:/usr/src/sys/arch/amd64
> /compile/GENERIC.MP
> bios0: PC Engines APU2
>
> On the sensor in /etc/pf.conf each pass rule has modulate state.  I
> add (pflow) to each of these rules, flows export correctly.  If I
> don't explicitly add (pflow), I don't see netflow traffic.
That is indeed the expected behavior.

set state-defaults only sets the default so any rule without explicitly set state options will evaluate as having ‘keep state (pflow)’.

Your ‘modulate state’ overrides the default. As you have seen, on non-default rules you need to add any options explicitly.

All the best,


Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.






Re: pf.conf set state-defaults pflow seemingly not exporting traffic

Daniel Jakots-6
On Tue, 21 Jul 2020 18:52:40 +0200, Peter Nicolai Mathias Hansteen
<[hidden email]> wrote:

> > On 21 Jul 2020 at 17:42, marfabastewart
> > <[hidden email]> wrote:
> >
> > pf.conf set state-defaults pflow seemingly not exporting traffic
> >
> > My money is on state-defaults working and I just am doing something
> > wrong, but I can't figure out what it is.
> >
> > The sensor's information:
> > OpenBSD 6.7 (GENERIC.MP) #4: Wed Jul 15 11:16:20 MDT 2020
> > [hidden email]:/usr/src/sys/arch/amd64
> > /compile/GENERIC.MP
> > bios0: PC Engines APU2
> >
> > On the sensor in /etc/pf.conf each pass rule has modulate state.  I
> > add (pflow) to each of these rules, flows export correctly.  If I
> > don't explicitly add (pflow), I don't see netflow traffic.  
>
> That is indeed the expected behavior.
>
> set state-defaults only sets the default so any rule without
> explicitly set state options will evaluate as having ‘keep state
> (pflow)’.
>
> Your ‘modulate state’ overrides the default. As you have seen, on
> non-default rules you need to add any options explicitly.

Are you sure?
I have a working (AFAIK) pflow setup and I also have
pass out log on $ext_if proto { tcp, udp } all modulate state

(I checked the rule is used because if I comment it the outgoing
traffic doesn't go anymore)

Cheers,
Daniel


Re: pf.conf set state-defaults pflow seemingly not exporting traffic

Peter Nicolai Mathias Hansteen


> On 21 Jul 2020 at 19:06, Daniel Jakots <[hidden email]> wrote:
>> Your ‘modulate state’ overrides the default. As you have seen, on
>> non-default rules you need to add any options explicitly.
>
> Are you sure?
> I have a working (AFAIK) pflow setup and I also have
> pass out log on $ext_if proto { tcp, udp } all modulate state
>
> (I checked the rule is used because if I comment it the outgoing
> traffic doesn't go anymore)
The only way to be sure is to look at the actually loaded rule set (systat rules or pfctl -vnf pf.conf), the boxes I have within easy reach do not use these features at the moment, I’m afraid.

All the best,


Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.






Re: pf.conf set state-defaults pflow seemingly not exporting traffic

Daniel Jakots-6
On Tue, 21 Jul 2020 19:35:17 +0200, Peter Nicolai Mathias Hansteen
<[hidden email]> wrote:

> pfctl -vnf pf.conf

oh indeed it says
pass out log on vlan10 proto tcp all flags S/SA modulate state
(if-bound)

but I understood why my pflow setup still works: it takes the flow from
the internal interfaces :)