
Re: pfctl, counters, labels, and a headache.

> If this is the case, doesn't anybody count incoming and
> outgoing traffic on a protocol basis?

I really would like to know how others do IP accounting. Is anybody using ipcad? Something else using bpf?

I dislike doing IP accounting with pf as this clutters my pf ruleset. Suppose you have something like:

 pass out on $if proto tcp from $host_a to $host_b port 80 keep state

Why would I extend this simple rule by at least one additional matching 'pass in' rule just for accounting? This adds complexity to the ruleset without any additional gain in security, doesn't it? BTW, I did not check the pf sources, but if the state is created by the outbound traffic and used for inbound traffic, exactly when will the 'pass in' rule be counted?
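As an added example (not from this thread or from the pf project), the accounting side of the question can be read straight off the per-rule label counters instead of from extra rules: the script below parses `pfctl -sl` output into per-label byte totals. It assumes the later pfctl line layout `label evaluations packets bytes packets_in bytes_in packets_out bytes_out [states]`, falls back to the older four-field layout, and the sample lines are constructed; check the field order against your own pfctl version.

```python
"""Turn `pfctl -sl` label counters into per-label, per-direction byte totals."""
from typing import Dict, NamedTuple, Optional, Tuple


class LabelCounters(NamedTuple):
    evaluations: int
    packets: int
    total_bytes: int
    bytes_in: Optional[int]   # None when only the old 4-field layout is present
    bytes_out: Optional[int]


# Constructed sample output (assumed layout, not taken from a real firewall).
SAMPLE_NEW = """\
web_out 1532 40211 30155874 18090 27601112 22121 2554762 3
dns_out 9012 18024 1441920 9012 1081440 9012 360480 0
ssh_in 77 0 0 0 0 0 0 0
"""
SAMPLE_OLD = "web_out 1532 40211 30155874\n"


def parse_label_line(line: str) -> Optional[Tuple[str, LabelCounters]]:
    """Parse one counter line; returns (label, counters), or None for a blank line."""
    tokens = line.split()
    if not tokens:
        return None
    # Counters are the trailing numeric tokens; everything before them is the
    # label, so a label containing spaces still parses correctly.
    nums = []
    while tokens and tokens[-1].isdigit():
        nums.insert(0, int(tokens.pop()))
    if not tokens and nums:           # purely numeric label such as "80"
        tokens.append(str(nums.pop(0)))
    label = " ".join(tokens)
    if len(nums) >= 7:                # new layout; trailing states column optional
        ev, pk, by, pin, bin_, pout, bout = nums[:7]
        # Sanity check: totals must equal the sum of the two directions.
        if pin + pout != pk or bin_ + bout != by:
            raise ValueError(f"direction counters do not add up for {label!r}")
        return label, LabelCounters(ev, pk, by, bin_, bout)
    if len(nums) == 3:                # old layout: no per-direction split available
        ev, pk, by = nums
        return label, LabelCounters(ev, pk, by, None, None)
    raise ValueError(f"unrecognised pfctl -sl line: {line!r}")


def bytes_by_label(text: str) -> Dict[str, LabelCounters]:
    """Parse complete `pfctl -sl` output into a label -> counters mapping."""
    result: Dict[str, LabelCounters] = {}
    for line in text.splitlines():
        parsed = parse_label_line(line)
        if parsed:
            result[parsed[0]] = parsed[1]
    return result
```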