FreeBSD IPFW rule counter

Instigater
Cacti User
Posts: 141
Joined: Mon Dec 13, 2004 5:14 pm
Location: Jurmala, Latvia

#1 Post by Instigater » Sat Jul 16, 2005 6:59 pm

I made some graphs based on IPFW rule counters; actually I made it to count statistics for 2 rules. This is because I wanted to see statistics for my webserver traffic: one rule is for upload, the second for download. You have to make some counting rules in your IPFW firewall like this (you must put those rules where this traffic is still not matched by an ACCEPT or REJECT rule; also the rule numbers might be changed):


#Count Webserver
ipfw -q add 65003 count tcp from any to me 80 in via rl0
ipfw -q add 65004 count tcp from me 80 to any out via rl0
Output is like this:


65003   148111    17766552 count tcp from any to me 80 in recv rl0
65004   201450   234913696 count tcp from me 80 to any out xmit rl0
Installation:
1. extract ipfw_bidirectional.pl in scripts folder
2. import cacti_graph_template_freebsd_ipfw_bidirectional_rule_counter.xml through web interface
3. make IPFW rules
4. make new graph
Attachment: IPFW_bidirectional_rule_statistics_counter.zip

hbokh
Posts: 40
Joined: Thu Feb 24, 2005 4:29 pm
Location: Groningen, NL

#2 Post by hbokh » Mon Jul 18, 2005 3:49 pm

Very nice, thanks a lot!

Instigater
Cacti User
Posts: 141
Joined: Mon Dec 13, 2004 5:14 pm
Location: Jurmala, Latvia

#3 Post by Instigater » Wed Jul 20, 2005 1:08 pm

Feel free to modify and upload an updated version. This is somewhat of a draft, as I am neither an artist nor a Cacti guru. There should be a lot more things to edit. A custom user-editable title is one of them, but I cannot figure out how to make it.

Profi the same
Posts: 1
Joined: Sun Jan 11, 2009 4:16 am

#4 Post by Profi the same » Sun Jan 11, 2009 4:25 am

I have Cacti on one server and a gateway with ipfw rules on another (snmp-generic host = snmpd & snmptrapd on FreeBSD 7.0).
I did all that:


1. extract ipfw_bidirectional.pl in scripts folder 
2. import cacti_graph_template_freebsd_ipfw_bidirectional_rule_counter.xml through web interface 
3. make IPFW rules 
4. make new graph
But I don't have any data, of course. Can somebody help me?

Or do I need to write my own MIB and receive it on the Cacti server by OID?

ecazamir
Posts: 5
Joined: Tue May 12, 2009 2:30 pm

#5 Post by ecazamir » Tue May 12, 2009 2:42 pm

Instigater wrote:Feel free to modify and upload an updated version. This is somewhat of a draft, as I am neither an artist nor a Cacti guru. There should be a lot more things to edit. A custom user-editable title is one of them, but I cannot figure out how to make it.
Here is a slightly improved version. It works only on the local machine.
The main differences from the original are:
- it is possible to specify multiple ipfw rule numbers in a comma-separated list, both for the input and output rule sets. For example, you could specify 100,200,300 as the input rule list and 400,500,600,700 for output. Of course, the number of rules used for output does not need to be the same as the number of rules used for input.
- if there are multiple subrules with the same rule number, they will be counted.
- small customizations to the graph templates.
Since I did not need it, I didn't add support for remote execution (via SNMP / SSH).

You must specify in the data source the following:
- ipfw rule numbers used to count 'input'
- numbers of ipfw rules used to count output.

These templates also include:
- multiply by 10240 (to display nicely packets rate)
- multiply by 10240, negative
- turn bytes into bits, negative
Attachments:
IPFW Rules counters, consolidated.zip (Cacti IPFW template and .xml, for local machine only: script execution, no SNMP)
sample1.png (sample graph)

danielfco
Posts: 3
Joined: Thu Jul 23, 2009 5:31 pm

Problems creating the rrd file

#6 Post by danielfco » Wed Nov 11, 2009 1:21 pm

Thanks to all that helped with this post XD.
I followed the first post (Instigater, thanks a lot ^^), including the .pl script on my Cacti server (Debian 5.0) and importing the xml file through the web interface. But it seems that Cacti can't get the counter information; rrdtool says nothing. See the image below:

Image

Does someone know what I can do to resolve this?

ecazamir
Posts: 5
Joined: Tue May 12, 2009 2:30 pm

Re: Problems creating the rrd file

#7 Post by ecazamir » Wed Nov 11, 2009 1:47 pm

danielfco wrote:Thanks to all that helped with this post XD.
I followed the first post (Instigater, thanks a lot ^^), including the .pl script on my Cacti server (Debian 5.0) and importing the xml file through the web interface. But it seems that Cacti can't get the counter information; rrdtool says nothing. See the image below:

Image

Does someone know what I can do to resolve this?
I see in your post that you are trying to use this template to retrieve IPFW counters on a Debian server. There are at least two factors which may prevent this template/script from working: IPFW is available only for FreeBSD/MacOS systems, and the current script can only be executed locally on a FreeBSD machine, the same one hosting the Cacti scripts (the Cacti server). Perhaps you need to adjust the scripts so you can retrieve iptables counters and (if you need it) add remote data fetching via SNMP if the machine you are measuring is not the Cacti server. That may need extra SNMP configuration and some scripts to be included in the SNMP configuration of the remote machine, and, of course, some template adjustments to match your new setup.

danielfco
Posts: 3
Joined: Thu Jul 23, 2009 5:31 pm

#8 Post by danielfco » Wed Nov 11, 2009 2:01 pm

Hehe, fast reply, thanks. Well, the Cacti server is a Debian one, but the graph that I'm trying to make is for a FreeBSD server. Does this script work with this topology (I mean, Cacti on a Debian server and FreeBSD as the client)?

ecazamir
Posts: 5
Joined: Tue May 12, 2009 2:30 pm

#9 Post by ecazamir » Wed Nov 11, 2009 2:30 pm

It will work if you implement a method to retrieve the IPFW counters via SNMP or other means Cacti can use. Probably you will need to create a script for a specific rule, then include it in the FreeBSD server's SNMP configuration, followed by remote data retrieval by SNMP. Then the Cacti template will need some adjustments too...
Perhaps you will get some clues on how to do it from a Linux TC graphing script.

danielfco
Posts: 3
Joined: Thu Jul 23, 2009 5:31 pm

#10 Post by danielfco » Thu Nov 12, 2009 7:17 am

I'll see the link that you mentioned, but I think it's better to use Cacti on a FreeBSD server, right? I say this because I don't need any modification or adaptation if I use a BSD server, correct?

ecazamir
Posts: 5
Joined: Tue May 12, 2009 2:30 pm

#11 Post by ecazamir » Thu Nov 12, 2009 7:26 am

danielfco wrote:I'll see the link that you mentioned, but I think it's better to use Cacti on a FreeBSD server, right? I say this because I don't need any modification or adaptation if I use a BSD server, correct?
The true matter here is 'how do you retrieve counter information from a remote machine?'. The script above (IPFW counters) is only able to retrieve data locally, not remotely. It is written to run on FreeBSD machines, whether or not they are Cacti servers. The example mentioned (Linux TC) gives you a strong base to start from, so you can build (and share, maybe) a script to be executed by SNMPD and a Cacti template giving the ability to retrieve data remotely. That's what open source is about: you can modify it to suit your needs.

Inzevision
Posts: 1
Joined: Thu Jan 26, 2012 8:00 pm

Re: FreeBSD IPFW rule counter

#12 Post by Inzevision » Fri Jan 27, 2012 6:35 am

First of all, sorry for my English.

poller.php must be run as root (the default is cacti) in cron, because the user cacti doesn't have permission to run ipfw.

Change in ipfw_bidirectional.pl:

# before
$in  = `ipfw show | grep $ARGV[0]`;
$out = `ipfw show | grep $ARGV[1]`;
# after
$in  = `ipfw show $ARGV[0]`;
$out = `ipfw show $ARGV[1]`;

and a big piece of happiness will fall to you

ecazamir
Posts: 5
Joined: Tue May 12, 2009 2:30 pm

Re: FreeBSD IPFW rule counter

#13 Post by ecazamir » Fri Jan 27, 2012 7:26 am

It will run as any user; just install /usr/ports/security/sudo, use 'visudo' and let that user execute /sbin/ipfw.
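An added Python example (not the thread's Perl script or either attachment) that pulls together the three points made in this thread: it sums counters over comma-separated rule lists including repeated subrule numbers (post #5), selects rules by exact number instead of a substring grep (post #12), and, when run live, calls ipfw through sudo so the poller does not have to run as root (post #13). The sudoers line, the Cacti field names in_pkts/in_bytes/out_pkts/out_bytes and the sample `ipfw show` output are assumptions constructed for this example.

```python
import re
import subprocess
import sys

# Constructed sample of `ipfw show` output in the format quoted in the thread.
# Rule 65003 has two subrules; `grep 100` would also match rule 65100 and its counters.
SAMPLE = """\
00100    12345     678900 allow ip from any to any via lo0
65003   148111    17766552 count tcp from any to me 80 in recv rl0
65003     1000      50000 count tcp from any to me 443 in recv rl0
65004   201450   234913696 count tcp from me 80 to any out xmit rl0
65100      100       1000 deny ip from any to any
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+")  # rule, packets, bytes

def parse_rules(arg):
    """'100,200, 300' -> {100, 200, 300}; tolerates spaces and empty items."""
    return {int(x) for x in arg.split(",") if x.strip()}

def sum_counters(text, rules):
    """Sum packets and bytes of every line whose rule number is in `rules`:
    exact numeric match (100 never matches 65100), repeated subrules all added."""
    pkts = nbytes = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(1)) in rules:
            pkts += int(m.group(2))
            nbytes += int(m.group(3))
    return pkts, nbytes

def cacti_output(text, in_rules, out_rules):
    """One 'field:value' line as Cacti script data sources expect
    (the field names are an assumption, not the template's)."""
    ip, ib = sum_counters(text, in_rules)
    op, ob = sum_counters(text, out_rules)
    return f"in_pkts:{ip} in_bytes:{ib} out_pkts:{op} out_bytes:{ob}"

def read_ipfw():
    # Assumed sudoers line:  cacti ALL=(root) NOPASSWD: /sbin/ipfw show
    # lets the poller user read counters without running poller.php as root.
    cmd = ["sudo", "-n", "/sbin/ipfw", "show"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # usage: script.py <in rules> <out rules>; with no arguments use the sample
    live = len(sys.argv) == 3
    text = read_ipfw() if live else SAMPLE
    in_arg, out_arg = sys.argv[1:] if live else ("65003", "65004")
    print(cacti_output(text, parse_rules(in_arg), parse_rules(out_arg)))
```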
