
List:       ipfilter
Subject:    Fwd: Re: Can IP addresses be partially wildcarded w/ `ipfstat -t'?
From:       Jim Klimov <jimklimov () cos ! ru>
Date:       2011-08-27 23:44:24
Message-ID: 16248_1314489193_4E598369_16248_19535_1_4E598158.70508 () cos ! ru

Forwarding Mike's reply to the list - as I seem to have
responded in private to a public discussion. Here follows:

-------- Original Message --------
Subject: 	Re: Can IP addresses be partially wildcarded w/ `ipfstat -t'?
Date: 	Sat, 27 Aug 2011 13:55:52 -0400 (EDT)
From: 	Michael T. Davis <DAVISM@ecr6.ohio-state.edu>
To: 	jim@cos.ru



At 10:41:03.02 on 27-AUG-2011 in message <4E5901E5.6060108@cos.ru>, you wrote:

>Lame reply (since I don't know about this feature in IPF): you can pipe
>the output to "egrep", "awk" or "perl -e" -- in order to match the IPs to
>a certain regexp string. Not very simple or elegant, but solves your
>problem =)
>
>Also this way you can more easily match IP ranges which are not
>CIDR subnets.
>

	I'm fairly sure this won't work, since the output from `ipfstat -t'
is presented in the same way as `top'.  That is, it is designed for dynamic
application-driven screen updating.  As a trivial test, I tried this...

            ipfstat -t -P tcp -D any,22|awk '$2 != "<firewall-ip>,22"'

...but all I could see on the screen was the heading from the `ipfstat -t'
display:

[begin display]
                       <hostname>  - IP Filter: v4.1.29 - state top       13:44:45

Src: 0.0.0.0, Dest: 0.0.0.0,22, Proto: tcp, Sorted by: # bytes
[end display]

	On a related note, another option came to mind.  It would be
particularly useful to exclude a given host (or network range specified by
CIDR or addr/mask).  If we take the above pipeline as an example, this might
be expressed (assuming `ipfstat -t' supported it and the IP address of the
firewall was 192.168.0.1) as...

                       ipfstat -t -P tcp -D !192.168.0.1,22

The scope of "!" would be limited to only the IP address or port number, so
that the output would be to any destination on TCP port 22 except 192.168.0.1.
Alternatively, if you wanted to look at all traffic destined for the firewall
except SSH...

                       ipfstat -t -P tcp -D 192.168.0.1,!22

(The syntax "!any" [and equivalents] for address or port number would be
disallowed.)

Regards,
Mike
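
The pipeline in Jim's reply fails only because `ipfstat -t` redraws the screen
like `top`; a non-interactive state listing (for example one saved from
`ipfstat -sl`) can be post-filtered with awk, and the filter can implement
exactly the `-D addr[/prefix],port` semantics Mike proposes, with `!` scoped to
one component and `!any` rejected. The script below is an added example written
for this thread, not code from the list or from the IPFilter project. It reads a
constructed, simplified record format (`<src-ip>,<sport> -> <dst-ip>,<dport>
<proto>`), which is not the real ipfstat output; a real listing would need its
own field mapping. The sample lines are made up for illustration.

```shell
# Added example (not from the list thread or the IPFilter project): a post-filter
# that applies the proposed "-D addr[/prefix],port" matching, including "!" on
# either component and the "!any" rejection, to a NON-interactive state listing
# read on stdin (e.g. one saved from `ipfstat -sl`, which is not top-like).
#
# Input lines use a constructed, simplified record format for illustration only:
#   <src-ip>,<sport> -> <dst-ip>,<dport> <proto>
# Real ipfstat output looks different and would need its own field mapping.
state_filter() {
    # $1: destination spec, e.g. '!192.168.0.1,22', '192.168.0.1,!22', '10.0.0.0/8,any'
    awk -v spec="$1" '
    # dotted quad -> 32-bit integer (awk doubles hold this exactly)
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # is ip inside addr or addr/prefix?  Avoids bitwise ops (not in POSIX awk)
    # by comparing the top "prefix" bits via integer division.
    function inrange(ip, cidr,    n, parts, pfx, div) {
        if (cidr == "any") return 1
        n = split(cidr, parts, "/")
        pfx = (n == 2) ? parts[2] + 0 : 32
        div = 2 ^ (32 - pfx)
        return int(ip2int(ip) / div) == int(ip2int(parts[1]) / div)
    }
    BEGIN {
        split(spec, s, ",")
        if (s[2] == "") s[2] = "any"
        aneg = (substr(s[1], 1, 1) == "!"); addr = aneg ? substr(s[1], 2) : s[1]
        pneg = (substr(s[2], 1, 1) == "!"); port = pneg ? substr(s[2], 2) : s[2]
        # "!any" would match nothing, so reject it as the proposal suggests
        if ((aneg && addr == "any") || (pneg && port == "any")) {
            print "state_filter: !any is not allowed" > "/dev/stderr"
            exit 2
        }
    }
    # field 3 is "<dst-ip>,<dport>" in the constructed format
    {
        split($3, d, ",")
        amatch = inrange(d[1], addr); if (aneg) amatch = !amatch
        pmatch = (port == "any" || d[2] == port); if (pneg) pmatch = !pmatch
        if (amatch && pmatch) print
    }'
}

# Constructed sample listing (not captured from a real firewall).
SAMPLE='10.1.2.3,51000 -> 192.168.0.1,22 tcp
10.1.2.4,51001 -> 192.168.0.1,443 tcp
172.16.5.6,40000 -> 192.168.0.9,22 tcp
10.1.2.5,51002 -> 192.168.1.20,22 tcp'

# SSH state to anything except the firewall itself (192.168.0.1)
printf '%s\n' "$SAMPLE" | state_filter '!192.168.0.1,22'
# Everything to the firewall except SSH
printf '%s\n' "$SAMPLE" | state_filter '192.168.0.1,!22'
```

The CIDR test divides both addresses by 2^(32-prefix) instead of masking, so it
runs on any POSIX awk (mawk, BSD awk, gawk) without the gawk-only `and()`
builtin. A spec with no port component is treated as `,any`, and the whole
filter exits with status 2 on `!any` rather than silently matching nothing.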

