
Re: ipa and pf



hey guys,

I set up ipa to do some basic accounting on one of our Obsd boxes running 3.1.

I am going to try and explain this to the best of my capabilities....

I am trying to monitor traffic incoming and outbound for the internal network

I set up ipa to pull the stats off the internal interface to get accurate
traffic flowing into the private network.

The rules are as follows....

pf.conf

#Default Pass in and out rules (internal interface)
pass in on $int all
pass out on $int all keep state

And in the ipa.conf file I have

global {

    update_db_time = 2h
    append_db_time = 4h
    maxchunk = 1G
#    db_owner = ipa:ipa
    db_group = ipa
    lock_wait_time = 1m
}

rule incoming {
    info = incoming traffic from inet.
    pf = 0
}

rule outgoing {
   info = all out bound traffic
   pf = 1
}

The problem is when I run ipastat -R outgoing my usage is high...like 600+MB
per day and when running ipastat -R incoming the usage is minimal.

The question I have is: with the rule "pass out on $int all keep state",
if the TCP connection is established from the internal network and the keep
state rule is applied creating an entry in the state table, is all traffic
considered outbound since the TCP connection was established on the outbound?
Let's say most of the traffic is coming from the destination for that specific
connection.

Hope this makes enough sense...

Thanks in advance....

-- 

Regards,

Robert J Connon
Senior Systems Administrator
Vancouver Film School
T (604) 685-6331 x130
F (604) 685-6317
W http://www.vfs.com

Vancouver Film School. Creative. Disciplined. Focused.

LDAP://cn=rob,ou=informationtechnology,ou=newmedia,dc=vfs,dc=420 
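An added illustration, not part of the original message: a small Python model of how pf charges packets that match an existing state to the rule that created that state, run over a constructed packet trace on $int with the two rules from the post. It assumes the poster's ruleset order (rule 0 = "pass in on $int all", rule 1 = "pass out on $int all keep state"); the host addresses and packet sizes are made up.

```python
# Simplified model of pf rule accounting on $int, the internal interface.
# Teaching model only: it is not pf code and ignores quick, flags, NAT etc.
from collections import defaultdict

# The two rules from the post, in ruleset order (ipa's "pf = N" is this index).
RULES = [
    {"dir": "in", "keep_state": False},   # rule 0: pass in on $int all
    {"dir": "out", "keep_state": True},   # rule 1: pass out on $int all keep state
]

def account(packets, rules=RULES):
    """Return {rule_index: bytes} after running packets through the rules.

    Each packet is (direction, src, sport, dst, dport, length) as seen on
    $int: "in" = LAN host -> firewall, "out" = firewall -> LAN host.
    A packet that matches an existing state is charged to the rule that
    created the state, whatever its own direction; that is what pf does.
    """
    counters = defaultdict(int)
    states = {}  # both endpoints (unordered) -> index of the creating rule
    for direction, src, sport, dst, dport, length in packets:
        key = frozenset([(src, sport), (dst, dport)])
        if key in states:
            counters[states[key]] += length
            continue
        matches = [i for i, r in enumerate(rules) if r["dir"] == direction]
        if not matches:
            continue  # no pass rule: blocked, nothing to account
        idx = matches[-1]  # pf: last matching rule wins (no "quick" here)
        counters[idx] += length
        if rules[idx]["keep_state"]:
            states[key] = idx
    return dict(counters)

# Constructed trace: LAN host 192.168.1.10 fetches a page from 203.0.113.5.
TRACE = [
    ("in", "192.168.1.10", 40000, "203.0.113.5", 80, 60),     # SYN from LAN
    ("out", "203.0.113.5", 80, "192.168.1.10", 40000, 60),    # SYN/ACK: rule 1 creates state
    ("in", "192.168.1.10", 40000, "203.0.113.5", 80, 52),     # ACK
    ("in", "192.168.1.10", 40000, "203.0.113.5", 80, 300),    # HTTP request
    ("out", "203.0.113.5", 80, "192.168.1.10", 40000, 1500),  # response data
    ("out", "203.0.113.5", 80, "192.168.1.10", 40000, 1500),
    ("out", "203.0.113.5", 80, "192.168.1.10", 40000, 800),
]

if __name__ == "__main__":
    for idx, nbytes in sorted(account(TRACE).items()):
        print(f"pf rule {idx}: {nbytes} bytes")  # rule 0: 60, rule 1: 4212
```

Only the stateless SYN lands on rule 0; once the SYN/ACK creates a state on rule 1, every later packet of the connection in either direction is counted there, so a per-rule split with keep state on one side does not measure traffic direction.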


