Contributed by jose on from the cool-tricks dept.
http://www.mindrot.org/pfflowd.html
That's just one of the many. It's actually cool that PF gets more supported. Does anyone know other interesting PF software?"
Wow, this is pretty cool. NetFlow is some neat stuff, and you can do a lot with the data. Cisco's website has a nice NetFlow summary. Various tools, both free and commercial, consume it and make use of the data.
By click46 () click46@genmay.net on mailto:click46@genmay.net
By djm () on
While the guts of it are solid, it could do with an audit, some independent testing and verification that the flow records it generates are accurate. So please, download it and give it a try. You will need some sort of NetFlow collector to make sense of the records it produces. A simple Perl one is here:
http://www.mindrot.org/files/pfflowd/collector.pl
I'll probably add NetFlow v.9 support before releasing this as a port - this will allow accounting of IPv6 flows and elimination of a lot of information that isn't currently collected by pf.
pf is a very nice framework to hack on - its design is very easy to understand, even for a kernel neophyte such as I.
By Anonymous Coward () on
By Blake () blake at two one one two dot net on mailto:blake at two one one two dot net
By Rick () No_email@aol.com on mailto:No_email@aol.com
By djm () on
By G () on
By Anonymous Coward () on
Does anyone know how it works? Is it using syn cookies?
By Petr R. () pruzicka@openbsd.cz on http://www.openbsd.cz
By Anonymous Coward () on
By Anonymous Coward () on
Syncookies use a crypto hash to recognize it; I was just wondering how pf's synproxy does it.
By Above Anonymous C. () on
By Anonymous Coward () on
pf uses a state entry for it, but doesn't pass any packets to the proxied host until the handshake is done. -current also has adaptive timeout scaling -- the timeouts decrease as the number of state entries rises, on a scale you specify. Since you can specify both the initial TCP timeout and scaling on a per-rule basis, the entire thing should work pretty well.
Skim the current man page for more.
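The adaptive timeout scaling described in the comment above, modelled as an added example that is not part of the thread or of pf's own code. It uses the linear scaling that pf.conf(5) documents for `adaptive.start` and `adaptive.end`; the load figures, the 30-second timeout and the function names are constructed for illustration, and every state is assumed to be a half-open connection.

```python
"""Model of pf adaptive timeout scaling under a flood of half-open connections."""
from collections import deque


def scaled_timeout(timeout, states, start, end):
    """Scale a timeout by (end - states) / (end - start), as pf.conf(5) documents
    for adaptive.start / adaptive.end. end == 0 means scaling is disabled."""
    if not end or states <= start:
        return timeout
    if states >= end:
        return 0  # at adaptive.end every timeout becomes zero
    return timeout * (end - states) // (end - start)


def peak_half_open(rate, seconds, timeout, start=0, end=0):
    """Peak number of state entries when `rate` handshakes per second are
    opened and never completed (simplification: every state is half-open
    and shares one timeout)."""
    births = deque()  # creation time of each state, oldest first
    peak = 0
    for now in range(seconds):
        births.extend([now] * rate)
        # Purge pass: expiry is judged against the current table size.
        while births and now - births[0] >= scaled_timeout(
                timeout, len(births), start, end):
            births.popleft()
        peak = max(peak, len(births))
    return peak


if __name__ == "__main__":
    # Constructed load: 500 unanswered SYNs per second, 30 s initial timeout.
    fixed = peak_half_open(500, 120, 30)
    adaptive = peak_half_open(500, 120, 30, start=6000, end=12000)
    print(f"fixed timeout: peak {fixed} states")
    print(f"adaptive 6000/12000: peak {adaptive} states")
```

With the fixed timeout the table settles at rate times timeout; with scaling enabled it stays below `adaptive.end` because older half-open entries are expired sooner as the table fills.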
By Anonymous Coward () on
By jose () on http://monkey.org/~jose/
By G () on
By jose () on http://monkey.org/~jose/
http://monkey.org/~jose/openbsd/ports/unports/net/
it's been a while since i updated it, so it may be a bit outdated, but it should help you get started. others have used it with reported success..
lastly, several companies (including the one i work for) make commercial flow based security and monitoring solutions. we go well beyond what you can do with free stuff in terms of performance and features .. :) we're very proud of that.
By bb () on
By Anonymous Coward () on http://www.switch.ch/tf-tant/floma/software.html