On Wed, Jan 5, 2011 at 10:15 AM, Henning Brauer <[email protected]> wrote:
> * Bernd Bornkessel <[email protected]> [2011-01-05 11:59]:
>> In pf's state table I see two records - one for each direction of the
>> connection.
>
> and the accumulated data from the state is what pflow exports, so it
> is all as intended.
>
> usually, you do your real filtering on one side of the firewall
> (usually there are areas that can be called "inside" and "outside" -
> tho in some cases, there are many many inside networks, countless
> vlans in my case). the other side you do some antispoof and firewall
> self-protection. pick one side for pflow.

In my case I consider all sides of the firewall hostile - I want to protect the internet from the machines on my network just as much as I want to protect those machines from the internet. So there isn't really an inside and outside. I also want netflow for all traffic that goes through the firewall - not just to/from the internet but also dmz to dmz.

My pf rule set looks something like this:

  block in log all
  pass out all keep state (pflow)
  pass in on $dmz01 inet from ($dmz01:network) to ($dmz13:network)
  pass in on $ifnet inet from any to ($dmz06:network)

Everything is blocked from entering the firewall unless explicitly allowed by a 'pass in' rule. Any connection that is allowed in also needs to be let out - the single 'pass out' rule is a good place to collect pflow. Anything that goes through the firewall is collected and anything that goes out from the firewall is collected.

If you want to collect everything that goes into the firewall you need to add 'pass in keep state(pflow)' rules on each service like this:

  # allow SSH into firewall from dmz20
  pass in on $dmz20 inet proto tcp from ($dmz20:network) to ($dmz20) port 22 keep state(pflow)

Daniel
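A fuller pf.conf built on the layout Daniel describes, added here as an example for this thread (it is not a ruleset from the thread or from any OpenBSD project file). Interface names, the collector address and the extra services are made up, and it assumes the pflow(4) interface is configured outside pf.conf as shown in the leading comment.

```pf
# Added example, not from the thread. Interface names are hypothetical.
#
# The pflow(4) interface is configured outside pf, e.g. in
# /etc/hostname.pflow0 (addresses from the documentation prefix):
#   flowsrc 192.0.2.1 flowdst 192.0.2.10:9995

inet_if = "em0"
dmz01   = "vlan1"
dmz06   = "vlan6"
dmz13   = "vlan13"
dmz20   = "vlan20"
dmz_ifs = "{" $dmz01 $dmz06 $dmz13 $dmz20 "}"

set skip on lo0
# Alternative to tagging individual rules: export every state.
# set state-defaults pflow

# Drop packets whose source address does not belong on the segment
# they arrive on; every side is treated as hostile, so every side gets it.
antispoof quick for $dmz_ifs inet
antispoof quick for $inet_if inet

# Default deny at every ingress. Note that 'log' feeds pflog0, not pflow.
block in log all

# A connection forwarded through the box is evaluated again when it
# leaves, and a connection the box itself originates starts here, so the
# state this single rule creates carries the byte and packet counters
# that pflow exports for all of that traffic.
pass out all keep state (pflow)

# Forwarded traffic: no pflow on these rules, the pass out rule above
# already exports the state it creates for them.
pass in on $dmz01 inet from ($dmz01:network) to ($dmz13:network)
pass in on $inet_if inet from any to ($dmz06:network)

# Traffic terminating on the firewall never reaches a pass out rule (the
# replies match the inbound state), so each such service exports itself.
pass in on $dmz20 inet proto tcp from ($dmz20:network) \
    to ($dmz20) port 22 keep state (pflow)
pass in on $dmz_ifs inet proto icmp icmp-type echoreq keep state (pflow)
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` for the second, pflow-tagged state that each forwarded connection creates on the pass out rule.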

