
Re: Can IP addresses be partially wildcarded w/ `ipfstat -t'?


Darren Reed

Feb 12, 2012, 4:47:38 PM
On 26/08/2011 6:48 PM, Michael T. Davis wrote:
> I'm running...
>
> ipf: IP Filter: v4.1.29 (396)
> Kernel: IP Filter: v4.1.29
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0x10e
>
> ..under NetBSD 5.1 release i386. I was wondering if there's a way to
> partially wildcard an IP address specified with -D or -S as options to
> `ipfstat -t'? For example, this will tell me about SSH connections:
>
> ipfstat -t -P tcp -D any,22
>
> What if I'm only interested in such traffic coming from a particular subnet?
> -D/-S doesn't seem to accept CIDRs and/or <addr/mask>. The following kinds
> of queries would be helpful:
>
> ipfstat -t -P tcp -S 192.168.2.0/24,any -D any,22
>
> ipfstat -t -P tcp -S 10.2.*.*.any -D any,22
>
> ipfstat -t -P tcp -S 172.16.4.0/255.255.255.240,any -D any,22

No, -S/-D only support exact IP matching...
and I'm not that inclined to expand it further as the syntax
doesn't have room to grow in a meaningful way.

>
> ..Maybe in ipf v5.11?

Yes. If you are using 5.1.1, try this:

ipfstat -m 'ip.src=10.2.0.0/16;' -t -P tcp

It's not very sophisticated and needs more work but
in which direction I'm not yet sure, vis a vis:
https://sourceforge.net/tracker/?func=detail&aid=3487103&group_id=169098&atid=849056

> Also, is the only way to reset the state statistics reported by
> `ipstat' or `ipstat -s' to reboot?

Not yet...
https://sourceforge.net/tracker/?func=detail&aid=3487102&group_id=169098&atid=849056

Darren
