MRTG Graphs per IP without SNMP

Contents

· Introduction
· Used programs
· Configure your firewall
· Get and configure the fetch script
· Configure MRTG
· Result

Introduction

Many people with a colocated or dedicated box would like to see the actual traffic per IP address, instead of only the total for the whole NIC.
I have written a script for FreeBSD with IPFW to accomplish this task.
This howto is written assuming that you know how to use the OS and how its firewall works. A general sense of how firewalls work is also handy.

Used programs

IPFW
You will have to compile this into your kernel, read the help pages at FreeBSD to find out how. Or wait till I have added a howto on building a custom kernel.
MRTG
Install it out of the ports:
# cd /usr/ports/net/mrtg
# make install clean
Perl
Perl is normally installed already; if it is not, install it from the ports:
# cd /usr/ports/lang/perl5
# make install clean

Configure your firewall

For IPFW make a ruleset with one rule per IP for counting incoming packets and one rule per IP for counting outgoing packets.
For example:
1000 count ip from any to 192.168.0.1 via rly0 in
1001 count ip from 192.168.0.1 to any via rly0 out
1002 count ip from any to 192.168.0.8 via rly0 in
1003 count ip from 192.168.0.8 to any via rly0 out

- Note -
It is recommended to give these counting rules a fixed set of rule numbers, so that if your machine reboots you do not have to update your MRTG configuration.

The firewall configuration is done now, let's go further with the script you need.

Get and configure the fetch script

Before you start configuring MRTG, please download this script: fwstatreader.pl
Put this file in a path where the root user can access it, and preferably no one else.
Change the file privileges to 0700.
Now open the file with your favourite editor and check the first few lines to see whether the default settings are correct. On most systems the defaults will do.
Of course, also check the path to Perl on the very first line of the file.

Configure MRTG

Last part is now to let MRTG fetch the statistics.
For each IP you want graphs for, you add a standard set of lines to the MRTG configuration.
The only thing you replace is the "Target[name]: sometext" line. You replace it with:
Target[name]: `/path/to/fwstatreader.pl incoming-rule outgoing-rule bytes|packets`

- Note -
The incoming-rule and outgoing-rule are the complete (5 digit) rule numbers of the rules in IPFW, as printed by `ipfw list`. So if you want to fetch rule 1000 for incoming, you specify 01000.

The difference between bytes and packets is that packets only counts how many packets matched that rule; it tells you nothing about the size of those packets. Most people want to see the actual traffic going over the interface, so use bytes for that.
Your MRTG configuration is done, MRTG should start generating graphs now.
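To show what the fetch script has to do, here is an added example in the same spirit as fwstatreader.pl; it is not the original script. It parses the output of `ipfw -a list` (assumed at /sbin/ipfw; the exact output layout is assumed to be "rule packets bytes rule-body") and prints the four lines MRTG expects from an external target. It accepts rule numbers with or without the leading zero.

```perl
#!/usr/bin/perl
# Added example, not the original fwstatreader.pl.
# Usage: reader.pl incoming-rule outgoing-rule bytes|packets
use strict;
use warnings;

my $IPFW = '/sbin/ipfw';   # assumed path to the ipfw binary

# Parse `ipfw -a list` output. Each line is assumed to look like:
#   01000     123     45678 count ip from any to 192.168.0.1 via rly0 in
# Returns a hashref: 5-digit rule number => { packets => n, bytes => n }.
sub parse_counters {
    my ($text) = @_;
    my %c;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^\s*(\d{5})\s+(\d+)\s+(\d+)\s+/;
        # Several rules may share one number; add their counters together.
        $c{$1}{packets} += $2;
        $c{$1}{bytes}   += $3;
    }
    return \%c;
}

# Build the four lines MRTG reads from an external script:
# incoming value, outgoing value, uptime string, target name.
sub mrtg_lines {
    my ($counters, $in_rule, $out_rule, $what) = @_;
    die "third argument must be bytes or packets\n"
        unless $what eq 'bytes' || $what eq 'packets';
    # Only plain digits are accepted; the arguments come from mrtg.cfg and
    # are never passed to a shell, but there is no reason to accept more.
    for ($in_rule, $out_rule) {
        die "rule number '$_' is not numeric\n" unless /^\d{1,5}$/;
        $_ = sprintf '%05d', $_;          # 1000 and 01000 both work
        die "rule $_ not found in ipfw output\n" unless exists $counters->{$_};
    }
    return ($counters->{$in_rule}{$what}, $counters->{$out_rule}{$what},
            '',                           # uptime: left empty, MRTG allows it
            "ipfw rules $in_rule/$out_rule ($what)");
}

if (!caller) {                            # running as a script
    my ($in, $out, $what) = @ARGV;
    die "usage: $0 incoming-rule outgoing-rule bytes|packets\n" unless defined $what;
    my $listing = `$IPFW -a list`;        # fixed command, no user input in it
    die "cannot run $IPFW\n" unless defined $listing && $listing ne '';
    print "$_\n" for mrtg_lines(parse_counters($listing), $in, $out, $what);
}
```

Because the IPFW counters are cumulative, MRTG's default counter mode turns them into a rate, which is what the graphs show; the script must run as root, since `ipfw` requires it, which is why the 0700 permissions above matter.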

Result

If you followed all the steps above, you should see the first results within a few minutes. If you have not done so yet, below is a small example of the generated output (only the daily graph at this moment).

[Image: Example MRTG graph]
