Updated: 13 jan 2005 - Upgraded for IPA v2
Traffic Report off the Firewall
How to create traffic graphs with a Multi Router Traffic Grapher (MRTG) configuration by collecting information from the FreeBSD IPFW firewall, using the Pluggable Accounting System (IPA).
Introduction
After reading this howto you can use MRTG to create traffic graphs and extract IP accounting information from the FreeBSD firewall. The bandwidth usage of your users can be monitored both automatically and manually. Access to the internet can be blocked or limited (todo feature) automatically based on usage rules. Screenshots of the MRTG traffic graphs are available at the end of this section.
Before reading this howto, Firewall Protection needs to be completed or, at least, its summary. A working FreeBSD firewall with a dynamic traffic shaper is therefore required, because this howto interacts with the firewall rules 5x499 and 5x999.
Why impose limits on users? Nothing comes for free. This is also true for the traffic that is transmitted or received over the internet. Your internet service provider (ISP) pays for the traffic that goes over the backbone of the internet. This is the reason why most choose to maintain some form of traffic limits. Limits can be set differently for each user, to make sure that the overall use doesn't cross the limit imposed by your ISP. If someone reaches their limit they are either cut off completely or just limited in the available bandwidth.
Why produce traffic graphs? Users don't like limits, but being able to see their usage makes limits a little easier to accept. They then have a tool they can use to avoid being cut off from the internet. You can also use traffic graphs to encourage users not to cross the line, and thus avoid hard limits: set limits that are higher, for comfort, or perhaps don't set limits at all.
Notes
Perl is required for the second part of this howto. Without it the MRTG traffic graphs cannot be produced. Perl is installed by default on FreeBSD; if you skipped it during the installation of FreeBSD, install it now.
Summary
- Read the howto called Firewall Protection or its summary.
- The first step is to install IPA. This can be done by executing these commands as root:
  cd /usr/ports/sysutils/ipa
  make install && make clean
  cd /usr/ports/databases/ipa_sdb
  make install && make clean
  cd /usr/ports/net/ipa_ipfw
  make install && make clean
  cd /usr/local/etc/rc.d/
  cp ipa.sh.sample ipa-run.sh
  chmod 755 ipa-run.sh
- Next IPA needs to be configured. Copy my ipa.conf, ipa.user and ipastat.conf to /usr/local/etc/ and edit them for your situation.
  cd /usr/local/etc/
  fetch http://alex.kruijff.org/files/freebsd/ipa.conf
  fetch http://alex.kruijff.org/files/freebsd/ipa.user
  fetch http://alex.kruijff.org/files/freebsd/ipastat.conf
- The second step is to install MRTG, so that traffic graphs can be produced with it. This can be done by executing these commands as root:
  cd /usr/ports/net-mgmt/mrtg
  make install && make clean
- Cron creates the MRTG traffic graphs every so often. This task is delegated to MRTG, which needs to be passed mrtg.cfg. MRTG calls ipa-rate.pl and ipa-total.pl in order to fetch the current and total bandwidth use. Copy these three files to /usr/local/etc/mrtg/ and modify mrtg.cfg to suit your needs. Then add the following line (as a single line; cron does not support backslash continuation) to root's crontab:
  */5 * * * * /usr/local/bin/mrtg /usr/local/etc/mrtg/mrtg.cfg --logging /var/log/mrtg.log
IPA
The goal in this chapter is to collect traffic information from the FreeBSD firewall, and then set up limits for users or groups that trigger a firewall rule blocking internet access when the limit is reached. The application that does all this is IPA. It can be installed by root with the following steps.
cd /usr/ports/sysutils/ipa
make install && make clean
cd /usr/ports/databases/ipa_sdb
make install && make clean
cd /usr/ports/net/ipa_ipfw
make install && make clean
Having installed IPA isn't going to do it. We also need it to start when your computer boots. We can accomplish this by placing a startup script in /usr/local/etc/rc.d/. I use ipa-run.sh instead of ipa.sh in the example below, because otherwise ipa.sh seems to be deleted when upgrading ipa.
cd /usr/local/etc/rc.d/
cp ipa.sh.sample ipa-run.sh
chmod 755 ipa-run.sh
The final step of this chapter is configuring it all with the file ipa.conf. I've included a sample that works with the FreeBSD firewall as set up in Firewall Protection. This includes removing the temporary block rules, setting limits, and the actions that must be taken when a limit is reached. The latter involves adding a temporary blocking rule for that user until the end of the month.
cd /usr/local/etc/
fetch http://alex.kruijff.org/files/freebsd/ipa.conf
fetch http://alex.kruijff.org/files/freebsd/ipa.user
fetch http://alex.kruijff.org/files/freebsd/ipastat.conf
You can now test whether IPA runs without errors with 'ipa -d'. If ipa gives the error 'config error: /usr/local/etc/ipa.conf:5: parameter "ac_mod": module ipa_ipfw.so must not be pthread safe', then open the file /var/db/ports/ipa_ipfw/options in your editor, change 'WITH_PTHREAD=true' into 'WITHOUT_PTHREAD=true' and run 'portupgrade -f ipa_ipfw'.
MRTG
Previously we collected the traffic information from the FreeBSD firewall. Now traffic graphs are produced from it, which can then be shown to the users with a webserver. The following commands install the application.
cd /usr/ports/net-mgmt/mrtg
make install && make clean
Next is the configuration. MRTG collects its firewall rule information for the traffic graphs either by using SNMP or by calling a script. The configuration file mrtg.cfg contains the location of the script that needs to be called. This is how ipa-total.pl gets called. Execute the following commands to install the configuration files.
cd /usr/local/etc/mrtg/
fetch http://alex.kruijff.org/files/freebsd/mrtg.cfg
fetch http://alex.kruijff.org/files/freebsd/ipa-rate.pl
fetch http://alex.kruijff.org/files/freebsd/ipa-total.pl
Now open mrtg.cfg. The example configuration writes the traffic graphs to the directory /disk/web/mrtg. To change this, look for the following line and modify it.
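An added shell example (not the howto's own ipa-total.pl, whose source is fetched above) of the four-line output format MRTG expects from a script it calls: bytes in, bytes out, uptime text and a target name. It reads the byte counters straight from 'ipfw -a list' output rather than from the IPA database; the rule numbers (5x499/5x999 with x=1), the address and the counter values in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the howto's ipa-total.pl: an MRTG external-script
# style target that reads byte counters from `ipfw -a list` output instead
# of the IPA database. MRTG expects exactly four lines on stdout.

# Constructed sample of `ipfw -a list` output: rule, packets, bytes, body.
# Rule numbers and the address are assumptions for illustration only.
SAMPLE_IPFW='00100      12      1234 allow ip from any to any via lo0
51499    4096  41943040 count ip from any to 192.0.2.10
51999    2048  20971520 count ip from 192.0.2.10 to any
65535     100     10000 deny ip from any to any'

# ipfw_bytes <ipfw -a list text> <rule number>
# Prints the byte counter of the first rule with that number, or nothing.
ipfw_bytes() {
    printf '%s\n' "$1" | awk -v r="$2" '$1 == r { print $3; exit }'
}

# mrtg_target <ipfw text> <in rule> <out rule> <name>
# Emits the four MRTG lines; fails (exit 1) if either counter is missing,
# so a broken ruleset shows up as a gap in the graph rather than as zeros.
mrtg_target() {
    in_b=$(ipfw_bytes "$1" "$2")
    out_b=$(ipfw_bytes "$1" "$3")
    [ -n "$in_b" ] && [ -n "$out_b" ] || return 1
    printf '%s\n%s\n%s\n%s\n' "$in_b" "$out_b" \
        "$(uptime 2>/dev/null || echo unknown)" "$4"
}

# limit_reached <bytes used> <monthly byte limit>
# True (exit 0) when usage has hit the limit: the condition under which
# IPA would install the temporary block rule until the end of the month.
limit_reached() {
    [ "$1" -ge "$2" ]
}

# Stand-alone run: emulate MRTG calling the target for one user.
if [ "${1:-}" = "run" ]; then
    mrtg_target "$SAMPLE_IPFW" 51499 51999 "user1 (ipfw counters)"
fi
```

In mrtg.cfg such a script is referenced through a Target line of the form `Target[name]: `/path/to/script`` so MRTG runs it instead of polling SNMP.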
WorkDir: /disk/web/mrtg
Finally, add the cron entry to root's crontab manually. Just copy the command.
*/5 * * * * /usr/local/bin/mrtg /usr/local/etc/mrtg/mrtg.cfg --logging /var/log/mrtg.log
Final notes
Having limits and traffic graphs helps you stay under the limitations set by your ISP. I've tried to give you an outline of how to set this up. I didn't go into detail, but I hope you got enough guidance and support from the configuration samples. In addition, I'd like to encourage you to contact me if you have questions or feedback about this howto. I can be contacted through the feedback link on top.