Cacti: official forums and support

All times are UTC - 5 hours




 Post subject: FreeBSD IPFW rule counter
Posted: Sat Jul 16, 2005 6:59 pm
Joined: Mon Dec 13, 2004 5:14 pm
Posts: 141
Location: Jurmala, Latvia
I made some graphs based on IPFW rule counters; actually I made it count statistics for 2 rules. This is because I wanted to see statistics for my webserver traffic: one rule is for upload, the second for download. You have to add some counting rules to your IPFW firewall like this (you must put those rules where this traffic has not yet been matched by an ACCEPT or REJECT rule; the rule numbers may also be changed):
Code:
#Count Webserver
ipfw -q add 65003 count tcp from any to me 80 in via rl0
ipfw -q add 65004 count tcp from me 80 to any out via rl0

Output is like this:
Code:
65003   148111    17766552 count tcp from any to me 80 in recv rl0
65004   201450   234913696 count tcp from me 80 to any out xmit rl0

Installation:
1. extract ipfw_bidirectional.pl in scripts folder
2. import cacti_graph_template_freebsd_ipfw_bidirectional_rule_counter.xml through web interface
3. make IPFW rules
4. make new graph


Attachments:
IPFW_bidirectional_rule_statistics_counter.zip [3.54 KiB]
Downloaded 2004 times


Last edited by Instigater on Mon Jun 19, 2006 7:27 am, edited 1 time in total.
Posted: Mon Jul 18, 2005 3:49 pm
Joined: Thu Feb 24, 2005 4:29 pm
Posts: 40
Location: Groningen, NL
Very nice, thanks a lot!

_________________
This is my sick nature...


Posted: Wed Jul 20, 2005 1:08 pm
Joined: Mon Dec 13, 2004 5:14 pm
Posts: 141
Location: Jurmala, Latvia
Feel free to modify and upload an updated version. This is somewhat of a draft, as I am neither an artist nor a Cacti guru. There should be a lot more things to edit. A custom user-editable title is one of them, but I cannot figure out how to make it.


Posted: Sun Jan 11, 2009 4:25 am
Joined: Sun Jan 11, 2009 4:16 am
Posts: 1
I have Cacti on one server and a gateway with ipfw rules on another (snmp-generic host = snmpd & snmptrapd on FreeBSD 7.0).
I did all that:
Code:
1. extract ipfw_bidirectional.pl in scripts folder
2. import cacti_graph_template_freebsd_ipfw_bidirectional_rule_counter.xml through web interface
3. make IPFW rules
4. make new graph

But I don't have any data, of course. Can somebody help me?

Or do I need to write my own MIB and receive it on the Cacti server by OID?


Posted: Tue May 12, 2009 2:42 pm
Joined: Tue May 12, 2009 2:30 pm
Posts: 5
Instigater wrote:
Feel free to modify and upload an updated version. This is somewhat of a draft, as I am neither an artist nor a Cacti guru. There should be a lot more things to edit. A custom user-editable title is one of them, but I cannot figure out how to make it.

Here is a slightly improved version. It works only on the local machine.
The main differences from the original are:
- it is possible to specify multiple ipfw rule numbers in a comma-separated list, both for input and output rulesets. For example, you could specify 100,200,300 as the input rules list and 400,500,600,700 for output. Of course, the number of rules used for output does not need to be the same as the number of rules used for input.
- if there are multiple subrules with the same rule number, they will be counted.
- small customizations to graph templates.
Since I did not need it, I didn't add support for remote execution (via SNMP / SSH).

You must specify in the data source the following:
- ipfw rule numbers used to count 'input'
- numbers of ipfw rules used to count output.

These templates also include:
- multiply by 10240 (to display nicely packets rate)
- multiply by 10240, negative
- turn bytes into bits, negative


Attachments:
File comment: Sample graph
sample1.png [ 18.06 KiB | Viewed 17190 times ]
File comment: Cacti IPFW template and .xml, for local machine only (script execution, no SNMP)
IPFW Rules counters, consolidated.zip [4.91 KiB]
Downloaded 688 times
Post subject: Problems to create the rrd file
Posted: Wed Nov 11, 2009 1:21 pm
Joined: Thu Jul 23, 2009 5:31 pm
Posts: 3
Thanks to all who helped with this post XD.
I followed the first post (Instigater, thanks a lot ^^), including the .pl script on my Cacti server (Debian 5.0) and importing the xml file through the web interface. But it seems that Cacti can't get the counter information; rrdtool says nothing. See the image below:

Image

Does anyone know what I can do to resolve this?


Post subject: Re: Problems to create the rrd file
Posted: Wed Nov 11, 2009 1:47 pm
Joined: Tue May 12, 2009 2:30 pm
Posts: 5
danielfco wrote:
Thanks to all who helped with this post XD.
I followed the first post (Instigater, thanks a lot ^^), including the .pl script on my Cacti server (Debian 5.0) and importing the xml file through the web interface. But it seems that Cacti can't get the counter information; rrdtool says nothing. See the image below:

Image

Does anyone know what I can do to resolve this?

I see from your post that you are trying to use this template to retrieve IPFW counters on a Debian server. There are at least two factors which may prevent this template/script from working: IPFW is available only for FreeBSD/MacOS systems, and the current script can only be executed locally on a FreeBSD machine, the same one hosting the Cacti scripts (the Cacti server). Perhaps you need to adjust the scripts so you can retrieve iptables counters and (if you need to) add remote data fetching functionality via SNMP if the machine you are measuring is not the Cacti server. That may need extra SNMP configuration and some scripts to be included in the SNMP configuration of the remote machine, and, of course, some template adjustments to match your new setup.


Posted: Wed Nov 11, 2009 2:01 pm
Joined: Thu Jul 23, 2009 5:31 pm
Posts: 3
Hehe, fast reply, thanks. Well, the Cacti server is Debian, but the graph that I'm trying to make is of a FreeBSD server. Does this script work with this topology (I mean, a Cacti Debian server and FreeBSD as client)?


Posted: Wed Nov 11, 2009 2:30 pm
Joined: Tue May 12, 2009 2:30 pm
Posts: 5
It will work if you implement a method to retrieve the IPFW counters via SNMP or other means Cacti can use. Probably, you will need to create some script for a specific rule, then include it in the FreeBSD server's SNMP configuration, followed by remote data retrieval by SNMP. Then, the Cacti template will need some adjustments too...
Perhaps you will get some clues on how to do it from a Linux TC graphing script.


Posted: Thu Nov 12, 2009 7:17 am
Joined: Thu Jul 23, 2009 5:31 pm
Posts: 3
I'll look at the link that you mentioned, but I think it's better to use Cacti on a FreeBSD server, right? I say this because I don't need to make any modification or adaptation if I use a BSD server, correct?


Posted: Thu Nov 12, 2009 7:26 am
Joined: Tue May 12, 2009 2:30 pm
Posts: 5
danielfco wrote:
I'll look at the link that you mentioned, but I think it's better to use Cacti on a FreeBSD server, right? I say this because I don't need to make any modification or adaptation if I use a BSD server, correct?

The real question here is 'how do you retrieve counter information from a remote machine?'. The script above (IPFW counters) is only able to retrieve data locally, not remotely. It is written to run on FreeBSD machines, whether or not they are Cacti servers. The example mentioned (Linux TC) gives you a strong base to start from, so you can build (and share, maybe) a script to be executed by SNMPD and a Cacti template giving the ability to retrieve data remotely. That's what open source is about: you can modify it to suit your needs.


Post subject: Re: FreeBSD IPFW rule counter
Posted: Fri Jan 27, 2012 6:35 am
Joined: Thu Jan 26, 2012 8:00 pm
Posts: 1
First of all, sorry for my English.

puller.php must be run as root (default is cacti) in cron, because user cacti doesn't have permission to use ipfw.

Change in ipfw_bidirectional.pl:
Code:
$in = `ipfw show | grep $ARGV[0]`; -> $in = `ipfw show $ARGV[0]`;
$out = `ipfw show | grep $ARGV[1]`; -> $out = `ipfw show $ARGV[1]`;


and happiness will fall for you a big piece


Post subject: Re: FreeBSD IPFW rule counter
Posted: Fri Jan 27, 2012 7:26 am
Joined: Tue May 12, 2009 2:30 pm
Posts: 5
It will run with any user, just use /usr/ports/security/sudo, use 'visudo' and let that user execute /sbin/ipfw.
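
An added example that is not part of any post above and is not the attached ipfw_bidirectional.pl: a Perl data-input script that matches rule numbers exactly on the first column of the `ipfw show` output format from the first post (instead of `grep`, which also matches the same digits inside a counter), sums comma-separated rule lists and same-numbered subrules, and runs ipfw through sudo without a shell after validating the arguments. The sudo path /usr/local/bin/sudo, the sudoers entry, the output field names and the sample lines are assumptions.

```perl
# Added example, not the attached ipfw_bidirectional.pl. Assumptions: sudo path,
# output field names, and this sudoers entry: cacti ALL=(root) NOPASSWD: /sbin/ipfw show
use strict;
use warnings;

# Accept only a comma-separated list of rule numbers in 1..65535.
sub parse_rule_list {
    my ($arg) = @_;
    die "bad rule list\n" unless defined $arg && $arg =~ /\A\d{1,5}(?:,\d{1,5})*\z/;
    my @rules = map { $_ + 0 } split /,/, $arg;
    die "rule number out of range\n" if grep { $_ < 1 || $_ > 65535 } @rules;
    return @rules;
}

# Sum packets/bytes of lines whose FIRST field is a wanted rule (subrules too).
sub sum_counters {
    my ($lines, @rules) = @_;
    my %want = map { $_ => 1 } @rules;
    my ($pkts, $bytes) = (0, 0);
    for my $line (@$lines) {
        my ($num, $pk, $by) = $line =~ /\A\s*(\d+)\s+(\d+)\s+(\d+)\s/ or next;
        next unless $want{ $num + 0 };
        $pkts += $pk; $bytes += $by;
    }
    return ($pkts, $bytes);
}

# List-form pipe open: no shell runs, so no argument is parsed as shell syntax.
sub ipfw_show {
    open(my $fh, '-|', '/usr/local/bin/sudo', '-n', '/sbin/ipfw', 'show')
        or die "cannot run ipfw: $!\n";
    my @lines = <$fh>;
    close($fh) or die "ipfw show failed\n";
    return \@lines;
}

# Constructed sample: rule 100 has a packet count of 65003, which a plain
# "grep 65003" would also match; rule 65003 has two subrules.
my @sample = (
    "00100    65003    4200000 allow ip from any to any via lo0\n",
    "65003   148111   17766552 count tcp from any to me 80 in recv rl0\n",
    "65003       10        600 count tcp from any to me 443 in recv rl0\n",
    "65004   201450  234913696 count tcp from me 80 to any out xmit rl0\n",
);
my ($in, $out) = @ARGV == 2 ? @ARGV : ('65003', '65004');
my @in    = parse_rule_list($in);
my @out   = parse_rule_list($out);
my $lines = @ARGV == 2 ? ipfw_show() : \@sample;
printf "in_pkts:%s in_bytes:%s out_pkts:%s out_bytes:%s\n",
    sum_counters($lines, @in), sum_counters($lines, @out);
```

Run with two arguments (input rule list, output rule list) it queries the live firewall; with none it runs on the constructed sample.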

