pflow and NAT


pflow and NAT

Tor Houghton
Hello,

I've been using pflow in a non-NAT environment (btw, thanks for both the pf
support and the "other" OS softflowd), but now I'd like to use it in a NAT
configuration.

Is there a particular way pflow needs to be configured to see which of the
NAT'ed hosts are talking to which external address? (The way I've configured
it[*] it appears that I only see external flows post-NAT.)

I see a similar question has been asked before, by Chris Cappuccio on tech@,
but I didn't see any answers, so I'm braving a question here.

Tor

[*] Which has a good chance of being wrong. On 5.2 on an old G4:

ext_if="vlan100"
int_if="vlan200"
dmz_if="vlan300"
svc_if="vlan600"
..
<block rules here>
..
pass out on $ext_if from any to any nat-to ($ext_if) keep state (pflow)
pass out on $svc_if keep state (pflow)
pass out on $dmz_if keep state (pflow)
pass out on $int_if keep state (pflow)

# do i need to add (pflow) to these too, perhaps?
pass in on $int_if keep state
pass in on $dmz_if keep state
pass in on $svc_if keep state


Re: pflow and NAT

Andy Lemin
You need to place the pflow directive on rules on the inside interface
not on the outside interface to see RFC1918 addresses.

Rules on the outside interface are processed 'post' nat..

NB: 'keep state' is the default, so you don't need to define this
unless you are explicitly setting something different to the defaults
(like pflow).

Alternatively think about adding 'set state-defaults pflow'

Andy.


On Thu 23 Jan 2014 08:42:04 GMT, Tor Houghton wrote:

> Hello,
>
> I've been using pflow in a non-NAT environment (btw, thanks for both the pf
> support and the "other" OS softflowd), but now I'd like to use it in a NAT
> configuration.
>
> Is there a particular way pflow needs to be configured to see which of the
> NAT'ed hosts are talking to which external address? (The way I've configured
> it[*] it appears that I only see external flows post-NAT.)
>
> I see a similar question has been asked before, by Chris Cappuccio on tech@,
> but I didn't see any answers, so I'm braving a question here.
>
> Tor
>
> [*] Which has a good chance of being wrong. On 5.2 on an old G4:
>
> ext_if="vlan100"
> int_if="vlan200"
> dmz_if="vlan300"
> svc_if="vlan600"
> ..
> <block rules here>
> ..
> pass out on $ext_if from any to any nat-to ($ext_if) keep state (pflow)
> pass out on $svc_if keep state (pflow)
> pass out on $dmz_if keep state (pflow)
> pass out on $int_if keep state (pflow)
>
> # do i need to add (pflow) to these too, perhaps?
> pass in on $int_if keep state
> pass in on $dmz_if keep state
> pass in on $svc_if keep state
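Andy's suggestion applied to Tor's ruleset, as an added illustration that is not from the thread itself: the (pflow) state option moves to the pass in rules on the inside interfaces, where pf creates the state before nat-to rewrites the source address, so the exported records carry the RFC 1918 address rather than the post-NAT external one. The match-form NAT rule and the block policy are assumptions for the example; the interface names are Tor's.

```pf
# /etc/pf.conf fragment (constructed example; interface names from Tor's post)
ext_if="vlan100"
int_if="vlan200"
dmz_if="vlan300"
svc_if="vlan600"

# Option A (Andy's alternative): export every state to pflow0,
# so no per-rule (pflow) option is needed at all.
# set state-defaults pflow

# NAT on the outside interface (match form, pf.conf(5) style; assumed here).
# Anything evaluated on $ext_if sees the packet post-translation, so a
# (pflow) option on an outbound $ext_if rule only ever records the
# external address.
match out on $ext_if inet from !($ext_if) to any nat-to ($ext_if)

block all

# 'keep state' is the default; it is spelled out only where a state
# option such as (pflow) is attached.
pass out on $ext_if
pass out on $svc_if
pass out on $dmz_if
pass out on $int_if

# Option B: states created on the inside interfaces are keyed on the
# untranslated (pre-NAT) addresses, so attach pflow here instead.
pass in on $int_if keep state (pflow)
pass in on $dmz_if keep state (pflow)
pass in on $svc_if keep state (pflow)
```

The pflow0 interface itself still has to exist and point at a collector, e.g. `ifconfig pflow0 flowsrc <firewall address> flowdst <collector address>:9995` (addresses are placeholders), typically via /etc/hostname.pflow0. To confirm what is actually being exported, `tcpdump -n -i pflow0` on the firewall decodes the flow records and shows whether the source field holds the internal or the translated address. Florian's reply later in the thread notes that if_pflow.c rev 1.30 exports the untranslated address regardless of which rule created the state, which removes the need for this rule placement on releases that include it.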


Re: pflow and NAT

Florian Obser-2
In reply to this post by Tor Houghton
You want revision 1.30 of if_pflow.c
    export the original aka untranslated address in pflow
    ok florian@ henning@
~ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c#rev1.30

(and by that I don't mean you should backport it to 5.2, upgrading to
5.4 will be much easier - a lot has changed ;) )

--
I'm not entirely sure you are real.


Re: pflow and NAT

Andy Lemin
Awesome, didn't know this had been done :)

On Thu 23 Jan 2014 09:29:38 GMT, Florian Obser wrote:
> You want revision 1.30 of if_pflow.c
>      export the original aka untranslated address in pflow
>      ok florian@ henning@
> ~ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c#rev1.30
>
> (and by that I don't mean you should backport it to 5.2, upgrading to
> 5.4 will be much easier - a lot has changed ;) )


Re: pflow and NAT

Tor Houghton
In reply to this post by Florian Obser-2
On Thu, Jan 23, 2014 at 09:29:38AM +0000, Florian Obser wrote:
> You want revision 1.30 of if_pflow.c
>     export the original aka untranslated address in pflow
>     ok florian@ henning@
> ~ http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c#rev1.30
>
> (and by that I don't mean you should backport it to 5.2, upgrading to
> 5.4 will be much easier - a lot has changed ;) )
>

Andy, Florian,

Thank you kindly - will do this.

Tor