Network question.

Hello.

I am trying to find a program which can:

a) See all connections to my PC on X interface
b) See all connections to my PC and show the packets sent in/out of my PC
c) See all connections to my PC on X port by Y interface
d) If I can add a connection to the firewall (block it) from this program, it would be nice ;)

Google doesn't show me answers to these questions.

Regards

P.S. FreeBSD 9.0
 
You don't need anything special there; it's very simple.

a) See all connections to my PC on X interface
b) See all connections to my PC and show the packets sent in/out of my PC
c) See all connections to my PC on X port by Y interface ;P
=> You can use 'netstat' to view the connections.
Code:
netstat -n -p tcp
Use some tool like 'vnstat' to view traffic over a long period of time.
It will show you traffic as a live feed.

Since I am assuming you don't want anything that can ruin your network, you shouldn't opt for the last one. If you want to go for it, then go for the IDS/IPS called 'Snort'; you will be able to insert rules dynamically, but I think it will be overkill.
 
I have installed vnstat.

It's a nice program, but tell me how to find the IPs that send me the most packets?

And rx = download, tx = upload?
 
iftop it is! Thanks.

Is it possible to automatically block someone who sends me > 1000 packets?
ipfw table 1 add ip

But how do I make this script?
 
It is possible with Packet firewall,
Code:
pass in on $ext_if proto tcp to $web_server \
    port www keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)
With Ipfw you might need to look at QoS options.
 
abhay, I need to add this

Code:
pass in on $ext_if proto tcp to $web_server \
    port www keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

to firewall.rules?
Where can I set the max packets sent to me from one IP?
 
You mentioned you are using 'ipfw', but this is a 'Packet filter' rule set.
You can't add it just as is.
For 'ipfw' it would be:
This will block if someone is requesting content from you.
Code:
# "any" can be any IP that you want to block; em0 is a placeholder for the interface name; 1 is the limit
ipfw -q add 35 allow tcp from any to me 80 in via em0 setup limit src-addr 1
For limiting your local LAN, use something like this.
Code:
ipfw add allow tcp from my-net/24 to any limit src-addr 10

For more info refer to: FreeBSD Handbook
Note: All these changes can be made on CMD or in '/etc/ipfw.rules'
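
The script asked about earlier in the thread (find sources that send more than N packets and put them in ipfw table 1), as an added example that is not part of any post. The function names, the sample capture, the interface name em0 and rule number 100 are assumptions; the ipfw commands are printed for review rather than executed.

```sh
#!/bin/sh
# Added example, not from the thread. heavy_sources, block_cmds and
# sample_capture are hypothetical names; table 1 is the table from the post.

# heavy_sources LIMIT MY_IP
# Reads `tcpdump -n` text on stdin, counts IPv4 packets per source address and
# prints "count ip" for each source with more than LIMIT packets, busiest first.
heavy_sources() {
    awk -v limit="$1" -v me="$2" '
        $2 == "IP" {
            # $3 is "a.b.c.d.port" (TCP/UDP) or "a.b.c.d" (ICMP and others)
            split($3, p, ".")
            src = p[1] "." p[2] "." p[3] "." p[4]
            # accept only a clean dotted quad; skip our own outgoing packets
            if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || src == me) next
            count[src]++
        }
        END { for (s in count) if (count[s] > limit) print count[s], s }
    ' | sort -rn
}

# block_cmds: turn "count ip" lines into ipfw commands (printed, not executed).
block_cmds() {
    while read -r _count ip; do
        printf 'ipfw table 1 add %s\n' "$ip"
    done
}

# Constructed sample capture (documentation addresses); 192.0.2.10 is "me".
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 203.0.113.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000002 IP 192.0.2.10.80 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:00.000003 IP 203.0.113.5.51234 > 192.0.2.10.80: Flags [.], ack 10, win 65535, length 0
12:00:00.000004 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000005 IP 192.0.2.10 > 203.0.113.5: ICMP echo reply, id 1, seq 1, length 64
12:00:00.000006 IP 198.51.100.7.40000 > 192.0.2.10.22: Flags [S], seq 5, win 65535, length 0
12:00:00.000007 IP 198.51.100.7.40000 > 192.0.2.10.22: Flags [S], seq 5, win 65535, length 0
12:00:00.000008 IP 203.0.113.5.51234 > 192.0.2.10.80: Flags [P.], seq 2:90, ack 10, win 65535, length 88
12:00:00.000009 IP 192.0.2.10.80 > 203.0.113.5.51234: Flags [.], ack 90, win 65535, length 0
12:00:00.000010 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
EOF
}

# Live use on FreeBSD as root (em0 is an example interface name):
#   ipfw add 100 deny ip from 'table(1)' to me        # once
#   tcpdump -n -i em0 -c 5000 | heavy_sources 1000 192.0.2.10 | block_cmds
sample_capture | heavy_sources 2 192.0.2.10 | block_cmds
```

A raw packet count also catches busy legitimate clients, and the source address of UDP or unanswered SYN packets can be forged, so review the list or exempt known hosts before feeding it to ipfw.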
 