Can IP addresses be partially wildcarded w/ `ipfstat -t'?
Michael T. Davis
2011-08-26 16:48:43 UTC
I'm running...

ipf: IP Filter: v4.1.29 (396)
Kernel: IP Filter: v4.1.29
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10e

...under NetBSD 5.1 release i386. I was wondering if there's a way to
partially wildcard an IP address specified with -D or -S as options to
`ipfstat -t'? For example, this will tell me about SSH connections:

ipfstat -t -P tcp -D any,22

What if I'm only interested in such traffic coming from a particular subnet?
-D/-S doesn't seem to accept CIDRs and/or <addr/mask>. The following kinds
of queries would be helpful:

ipfstat -t -P tcp -S 192.168.2.0/24,any -D any,22

ipfstat -t -P tcp -S 10.2.*.*,any -D any,22

ipfstat -t -P tcp -S 172.16.4.0/255.255.255.240,any -D any,22

...Maybe in ipf v5.11?

Also, is the only way to reset the state statistics reported by
`ipfstat' or `ipfstat -s' to reboot?

Regards,
Mike
Jim Klimov
2011-08-27 23:44:24 UTC
Forwarding Mike's reply to the list - as I seem to have
responded in private to a public discussion. Here follows:

-------- Original message --------
Subject: Re: Can IP addresses be partially wildcarded w/ `ipfstat -t'?
Date: Sat, 27 Aug 2011 13:55:52 -0400 (EDT)

> Lame reply (since I don't know about this feature in IPF): you can pipe
> the output to "egrep", "awk" or "perl -e" -- in order to match the IPs to
> a certain regexp string. Not very simple or elegant, but solves your
> problem =)
> Also this way you can more easily match IP ranges which are not
> CIDR subnets.

I'm fairly sure this won't work, since the output from `ipfstat -t'
is presented in the same way as `top'. That is, it is designed for dynamic
application-driven screen updating. As a trivial test, I tried this...

ipfstat -t -P tcp -D any,22|awk '$2 != "<firewall-ip>,22"'

...but all I could see on the screen was the heading from the `ipfstat -t'
display:

[begin display]
<hostname> - IP Filter: v4.1.29 - state top 13:44:45

Src: 0.0.0.0, Dest: 0.0.0.0,22, Proto: tcp, Sorted by: # bytes
[end display]

On a related note, another option came to mind. It would be
particularly useful to exclude a given host (or network range specified by
CIDR or addr/mask). If we take the above pipeline as an example, this might
be expressed (assuming `ipfstat -t' supported it and the IP address of the
firewall was 192.168.0.1) as...

ipfstat -t -P tcp -D !192.168.0.1,22

The scope of "!" would be limited to only the IP address or port number, so
that the output would be to any destination on TCP port 22 except 192.168.0.1.
Alternatively, if you wanted to look at all traffic destined for the firewall
except SSH...

ipfstat -t -P tcp -D 192.168.0.1,!22

(The syntax "!any" [and equivalents] for address or port number would be
disallowed.)

Regards,
Mike

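The filtering the thread asks for (a source or destination given as a CIDR, a dotted mask or an octet wildcard, plus a `!' that negates only the address or only the port it is attached to) can be done outside `ipfstat -t' by running a filter over the non-interactive state listing, `ipfstat -sl', rather than over the curses-style top display that swallowed the awk pipeline above. The script below is an added example for this thread, not code from the thread, from IPFilter or from NetBSD. It parses a constructed sample written in an approximate two-line `ipfstat -sl' shape (an address-pair line, then a tab-indented packets/bytes line ending in "sport -> dport" for TCP/UDP); that field layout, the sample addresses and the reuse of the option names -S/-D/-P are assumptions to check against the local ipfstat output before relying on it.

```python
"""Filter IPFilter state entries by source/destination using CIDR, dotted
mask, octet wildcards and '!' negation, the forms `ipfstat -t -S/-D` do
not accept. Added example for this thread, not part of IPFilter."""
import ipaddress
import re
import sys

# Constructed sample in an approximate `ipfstat -sl` shape: an address-pair
# line, then a tab-indented packets/bytes line that ends with "sport -> dport"
# for TCP/UDP. The layout is an assumption; check it against real output.
SAMPLE = """\
192.168.2.10 -> 192.168.0.1 ttl 863800 pass 0x2 pr 6 state 4/4
\tpkts 14 bytes 2310\t51022 -> 22
10.2.7.3 -> 192.168.0.1 ttl 863900 pass 0x2 pr 6 state 4/4
\tpkts 3 bytes 410\t40100 -> 22
10.9.1.1 -> 192.168.0.20 ttl 863950 pass 0x2 pr 6 state 4/4
\tpkts 5 bytes 620\t40200 -> 22
198.51.100.4 -> 192.168.0.1 ttl 863700 pass 0x2 pr 6 state 4/4
\tpkts 9 bytes 1300\t33000 -> 80
172.16.4.9 -> 172.16.4.1 ttl 120 pass 0x2 pr 17 state 0/0
\tpkts 1 bytes 80\t53021 -> 53
192.168.2.50 -> 192.168.0.1 ttl 30 pass 0x2 pr 1 state 0/0
\tpkts 2 bytes 168
"""

PAIR_RE = re.compile(r'^(\S+) -> (\S+) .*\bpr (\d+)\b')   # "src -> dst ... pr N"
PORT_RE = re.compile(r'(\d+) -> (\d+)\s*$')               # trailing "sport -> dport"
PROTO = {'tcp': 6, 'udp': 17, 'icmp': 1}


def parse_states(text):
    """Return one dict per state entry: src, dst, proto, sport, dport (ports None if absent)."""
    entries, cur = [], None
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            cur = {'src': m.group(1), 'dst': m.group(2), 'proto': int(m.group(3)),
                   'sport': None, 'dport': None}
            entries.append(cur)
            continue
        p = PORT_RE.search(line)
        if cur is not None and line.startswith('\t') and p:
            cur['sport'], cur['dport'] = int(p.group(1)), int(p.group(2))
    return entries


def addr_matcher(spec):
    """Compile 'any', 'a.b.c.d', 'a.b.c.d/len', 'a.b.c.d/mask' or 'a.b.*.*';
    a leading '!' negates everything except 'any'."""
    negate = spec.startswith('!')
    spec = spec[1:] if negate else spec
    if spec == 'any':
        if negate:
            raise ValueError('!any is not allowed')
        return lambda ip: True
    if '*' in spec:
        octets = spec.split('.')
        if len(octets) != 4:
            raise ValueError('bad wildcard address: ' + spec)
        def test(ip):  # octet-wise compare, '*' matches anything
            return all(o == '*' or o == q for o, q in zip(octets, ip.split('.')))
    else:
        net = ipaddress.ip_network(spec, strict=False)   # accepts /len and /dotted-mask
        def test(ip):
            return ipaddress.ip_address(ip) in net
    return (lambda ip: not test(ip)) if negate else test


def port_matcher(spec):
    """Compile a port number; a leading '!' negates it ('!any' is rejected)."""
    negate = spec.startswith('!')
    spec = spec[1:] if negate else spec
    if spec == 'any':
        if negate:
            raise ValueError('!any is not allowed')
        return lambda port: True
    port = int(spec)
    return (lambda p: p != port) if negate else (lambda p: p == port)


def endpoint_matcher(spec):
    """'addr[,port]' in the style of ipfstat -S/-D; '!' scopes to one field only."""
    addr, _, port = spec.partition(',')
    amatch = addr_matcher(addr)
    if port in ('', 'any'):
        return lambda ip, p: amatch(ip)
    pmatch = port_matcher(port)
    # A port condition never matches an entry without ports (e.g. ICMP).
    return lambda ip, p: amatch(ip) and p is not None and pmatch(p)


def filter_states(entries, src='any', dst='any', proto=None):
    """Keep entries matching the -S/-D/-P style selectors."""
    smatch, dmatch = endpoint_matcher(src), endpoint_matcher(dst)
    pnum = PROTO.get(proto, proto)   # 'tcp' -> 6, numeric or None passes through
    return [e for e in entries
            if (pnum is None or e['proto'] == pnum)
            and smatch(e['src'], e['sport']) and dmatch(e['dst'], e['dport'])]


if __name__ == '__main__':
    # Usage: ipfstat -sl | python3 ipf_state_filter.py [-S spec] [-D spec] [-P proto]
    # With no piped input the built-in constructed sample is used.
    args = dict(zip(sys.argv[1::2], sys.argv[2::2]))
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for e in filter_states(parse_states(text), args.get('-S', 'any'),
                           args.get('-D', 'any'), args.get('-P')):
        print(f"{e['src']},{e['sport']} -> {e['dst']},{e['dport']} pr {e['proto']}")
```

Run it as `ipfstat -sl | python3 ipf_state_filter.py -S '192.168.2.0/24,any' -D 'any,22' -P tcp`, or `-D '!192.168.0.1,22'` for the exclusion form proposed above. The `!' rule is the one suggested in the thread: it negates only the address or only the port it is attached to, and `!any' is rejected. This is a one-shot listing rather than a live display, so wrap it in a shell loop or `watch' if you want it to refresh; it does, however, accept the wildcard and mask forms that `ipfstat -t' rejects.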