The following SNMP MIBs and the accompanying code that extend the Net-SNMP daemon allow administrators to query information from various OpenBSD subsystems. Currently, stats can be queried from:

  • Packet Filter
  • The kernel sensors framework
  • Common Address Redundancy Protocol (CARP)

These MIBs are being integrated into OpenBSD's own snmpd(8). OpenBSD 5.1 has the kernel sensor and CARP MIBs; OpenBSD 5.1-current has the pf MIB, and the 5.2 release will include it as well. See this post for a bit more detail.

SNMP Introduction

SNMP is the Simple Network Management Protocol. It's used to manage nodes (routers, switches, servers, etc.) on an IP network. SNMP allows an administrator to query the current status of a node, collect data for analysis and historical records, and make configuration changes to the node. SNMP also has provisions for a node to send an alarm, or "trap", to a central monitoring station to alert the administrator to possible trouble.

When the node being monitored is a router or firewall, some of the more commonly monitored objects include:

  • Interface bytes per second
  • Interface packets per second
  • Bytes passed/blocked
  • Packets passed/blocked
  • CPU usage
  • Memory usage
  • State table size

The list of objects that can be monitored by SNMP is stored in a Management Information Base, or MIB. The MIB defines the name of the object, its data type (integer, string, etc.) and the object's location within the MIB hierarchy.

Packet Filter MIB

The PF MIB allows for the querying of objects relating to OpenBSD's Packet Filter firewall software. The following information can be queried from the MIB:

  • General info (is PF enabled, the runtime, the hostid)
  • Packet counters
  • State table counters
  • Log interface counters
  • Source track counters
  • Memory limits
  • Protocol timeouts
  • Interface stats (number of rules, number of states, bytes passed/blocked, packets passed/blocked, etc)
  • Table stats (number of addresses, evaluations, bytes passed/blocked, packets passed/blocked, etc)
  • Table content stats (bytes passed/blocked and packets passed/blocked for each address/network within a table)
  • Filter rule label counters
    • This feature was contributed by Sven Ingebrigt Ulland
  • pfsync(4) protocol counters

The limitations of the MIB:

  • No support for anchors
  • No support for any queueing statistics

The MIB tree can be viewed here: PF MIB tree

A sample walk of the MIB can be seen here: PF MIB walk

Kernel Sensors MIB

The Kernel Sensors MIB allows for querying information from the OpenBSD kernel sensors. The kernel sensors provide data from various environmental sensors, disk drives, etc.

The MIB reports data in much the same way as the "sysctl hw.sensors" command does.

The MIB tree can be viewed here: Sensors MIB tree

A sample walk of the MIB can be seen here: Sensors MIB walk

CARP MIB

The CARP MIB allows for querying the status of carp(4) interfaces. It can be used to determine how many CARP groups are configured on a node, what their state is, and the various operational settings of the CARP group, including advskew, advbase and the carpdev.

The limitations of the MIB:

  • The value of the CARP demote counter associated with interface groups is not handled.
  • The IP address(es) assigned to the CARP interface are not returned. They can be queried in the ifTable.
  • When doing load balancing via CARP, the "carpnodes" are not shown via the MIB.

The MIB tree can be viewed here: CARP MIB tree

A sample walk of the MIB can be seen here: CARP MIB walk

Download

The MIBs are available as a patch to the OpenBSD net-snmp port.

Earlier releases only included the PF MIB. These are listed below.

The pf-mib39 release is backwards compatible with OpenBSD 3.8; however, the diff will not apply cleanly to the OpenBSD 3.8 net-snmp port, so you will have to resolve any failures by hand.

The OLD, ucd-snmp patch is still available here: pf-mib-ucd.diff. This diff works with ucd-snmp 4.2.6 on OpenBSD 3.5 and 3.6.

Installation

Perform these steps to install the MIB:

  1. Retrieve the net-snmp port from the OpenBSD ports system (See the OpenBSD FAQ for details)
  2. Extract the patch tarball
  3. Apply the included patch
  4. Build and install the port

Example:

cd /usr/ports/net/net-snmp
ftp https://www.packetmischief.ca/files/openbsd/snmp/obsd-mibsXX.tar
tar xf obsd-mibsXX.tar
patch < obsd-mibs.diff
make install

The MIBs are now installed as part of the net-snmp port.
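Before handing a community string to a polling system it is worth limiting what the agent will answer. The following snmpd.conf(5) fragment for the net-snmp agent is an added example, not part of the obsd-mibs patch or the net-snmp port; 192.0.2.10 stands in for the monitoring host, and the community, user name and passphrases are placeholders to be replaced.

```conf
# Weak: any host that can reach UDP/161 and guesses the community can read
# the whole tree, and SNMPv1/v2c carry the community string in cleartext.
rocommunity public

# Better: read-only, answered only for the monitoring host, and restricted
# to the OpenBSD enterprise subtree these MIBs live under.
rocommunity s3cr3t-r0 192.0.2.10 .1.3.6.1.4.1.64512

# Best: SNMPv3 with authentication and encryption (authPriv).  Put the
# createUser line in the agent's persistent configuration file as described
# in snmpd.conf(5); the agent replaces it with a localized-key entry on
# start-up so the passphrases are not kept on disk as written here.
createUser monitor SHA "auth-passphrase" AES "priv-passphrase"
rouser monitor priv .1.3.6.1.4.1.64512
```

With the SNMPv3 user in place the walks in the Usage section become, for example, snmpwalk -v3 -u monitor -l authPriv -a SHA -A 'auth-passphrase' -x AES -X 'priv-passphrase' <host> OPENBSD-PF-MIB::pfMIBObjects; the -v2c/-c form keeps working only for the community you configured, and only from the listed source.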

Usage

The path to the MIBs is .1.3.6.1.4.1.64512, which translates to iso.org.dod.internet.private.enterprises.openBSD. 64512 was chosen more or less arbitrarily as a number that was not assigned at the time. It is not registered with IANA, so check the IANA Private Enterprise Numbers registry before relying on it alongside other vendors' MIBs: a later assignment of the same number would collide with these objects. Note also that the MIBs OpenBSD ships in its own snmpd(8) sit under the project's registered enterprise number (30155), so object paths are not interchangeable between the two implementations.

To see what objects are available in the MIB you can either walk the MIB using an SNMP client (note that SNMPv1 and v2c send the community string in cleartext, so treat it as a password that is visible on the wire and restrict which hosts the agent answers)...

snmpwalk -v2c -c <community> <host> OPENBSD-PF-MIB::pfMIBObjects
snmpwalk -v2c -c <community> <host> OPENBSD-SENSORS-MIB::sensorsMIBObjects
snmpwalk -v2c -c <community> <host> OPENBSD-CARP-MIB::carpMIBObjects

... or you can view the tree:

snmptranslate -Tp -OS OPENBSD-PF-MIB::pfMIBObjects
snmptranslate -Tp -OS OPENBSD-SENSORS-MIB::sensorsMIBObjects
snmptranslate -Tp -OS OPENBSD-CARP-MIB::carpMIBObjects

To query an object in the MIB, find the path to the object you want and append it to .enterprises.openBSD. For example, if you wanted to query the running object (whether pf is enabled), you would determine its path to be pfMIBObjects.info.running.0. Note the 0 (zero) on the end; it is the instance identifier of a scalar object, so don't omit it. Next you need to tell your snmp client to load the MIB so that it's able to translate the above path to the numeric path (prefixing the file name with + in MIBS adds it to the client's default MIB list rather than replacing that list). The sequence looks like this:

# export MIBS="+/usr/local/share/snmp/mibs/OPENBSD-PF-MIB.txt"
# snmpget -v2c -c <community> <host> \
   .enterprises.openBSD.pfMIBObjects.info.running.0
enterprises.openBSD.pfMIBObjects.info.running.0 = true(1)
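The query above is the building block for a monitoring check, and the counters listed under the PF MIB are only useful once two polls are turned into a rate. The script below is an added example and is not part of the obsd-mibs package: it drives snmpget/snmpwalk with the MIB loaded as shown above, parses the text output into Python values, turns running.0 into a Nagios-style result, and derives per-second rates while handling counter wrap. The only object name taken from the page is pfMIBObjects.info.running.0; exampleBytesPassed in the constructed sample is a made-up name, and whether a given counter is 32- or 64-bit must be read from the MIB tree, so the bit width is a parameter.

```python
#!/usr/bin/env python3
"""Poll the PF MIB with net-snmp's command-line tools and turn the text
output into a monitoring result.  Added example, not part of obsd-mibs.
The only object name taken from the page is pfMIBObjects.info.running.0;
any other object name used below is a placeholder."""
import os
import re
import subprocess
import sys
import time
from typing import Dict, Optional, Tuple, Union

ENTERPRISE_OID = ".1.3.6.1.4.1.64512"                          # enterprises.openBSD (from the page)
PF_MIB_FILE = "/usr/local/share/snmp/mibs/OPENBSD-PF-MIB.txt"  # install path from the page

Value = Union[int, str, Tuple[str, int]]

LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<rest>.*)$")
TYPE_RE = re.compile(r"^[A-Za-z0-9]+:\s+(?P<val>.*)$")       # optional "INTEGER: " prefix
ENUM_RE = re.compile(r"^(?P<label>[A-Za-z][A-Za-z0-9_-]*)\((?P<num>\d+)\)$")  # e.g. true(1)

# Constructed sample in the output format shown on the page.  exampleBytesPassed
# is a made-up object name; the real counter names are in the MIB tree.
SAMPLE_POLL = """\
enterprises.openBSD.pfMIBObjects.info.running.0 = true(1)
enterprises.openBSD.pfMIBObjects.exampleBytesPassed.0 = 4294967000
"""


def parse_value(raw: str) -> Value:
    """Enumerations become (label, number), integers become int, quoted
    strings lose their quotes; anything else is returned as text."""
    raw = raw.strip()
    m = TYPE_RE.match(raw)
    if m:
        raw = m.group("val").strip()
    m = ENUM_RE.match(raw)
    if m:
        return (m.group("label"), int(m.group("num")))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_walk(text: str) -> Dict[str, Value]:
    """One 'oid = value' line per object, as printed by snmpget/snmpwalk."""
    values: Dict[str, Value] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group("oid")] = parse_value(m.group("rest"))
    return values


def lookup(values: Dict[str, Value], suffix: str) -> Optional[Value]:
    """Find an object whichever prefix the client printed: the page's
    enterprises.openBSD.pfMIBObjects.info.running.0 and the module-qualified
    OPENBSD-PF-MIB::running.0 both match suffix 'running.0'."""
    for oid, val in values.items():
        if oid == suffix or oid.endswith("." + suffix) or oid.endswith("::" + suffix):
            return val
    return None


def pf_state(values: Dict[str, Value]) -> Tuple[int, str]:
    """Nagios-style (exit code, message): 0 OK, 2 CRITICAL, 3 UNKNOWN."""
    val = lookup(values, "running.0")
    if val is None:
        return 3, "UNKNOWN: running.0 missing from the response"
    if not isinstance(val, tuple):
        return 3, f"UNKNOWN: unexpected value for running.0: {val!r}"
    label, num = val
    if num == 1:
        return 0, "OK: pf is running"
    return 2, f"CRITICAL: pf is not running ({label})"


def counter_rate(prev: int, cur: int, interval: float, bits: int = 32) -> float:
    """Per-second rate from two counter samples.  SNMP counters only grow and
    wrap at 2^bits, so a sample smaller than the previous one means the
    counter wrapped, not that traffic went backwards."""
    if interval <= 0:
        raise ValueError("interval must be positive")
    delta = cur - prev if cur >= prev else cur + (1 << bits) - prev
    return delta / interval


def snmp_query(host: str, community: str, oid: str, walk: bool = False) -> Dict[str, Value]:
    """Run snmpget/snmpwalk with the PF MIB loaded (MIBS='+file' appends to the
    client's default MIB list).  SNMPv2c sends the community in the clear and
    argv is visible to other local users via ps(1); for anything beyond a quick
    test put 'defCommunity' in snmp.conf(5) instead of passing -c."""
    cmd = ["snmpwalk" if walk else "snmpget", "-v2c", "-c", community, host, oid]
    env = dict(os.environ, MIBS="+" + PF_MIB_FILE)
    out = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True).stdout
    return parse_walk(out)


if __name__ == "__main__":
    # Usage: pf_poll.py <host> <community> [interval-seconds]
    host, community = sys.argv[1], sys.argv[2]
    interval = float(sys.argv[3]) if len(sys.argv) > 3 else 10.0
    first = snmp_query(host, community, "OPENBSD-PF-MIB::pfMIBObjects", walk=True)
    code, msg = pf_state(first)
    print(msg)
    time.sleep(interval)
    second = snmp_query(host, community, "OPENBSD-PF-MIB::pfMIBObjects", walk=True)
    for oid, cur in second.items():  # rates for every integer object; filter by
        prev = first.get(oid)        # name in real use, limits/timeouts are not counters
        if isinstance(prev, int) and isinstance(cur, int):
            print(f"{oid}: {counter_rate(prev, cur, interval):.1f}/s")
    sys.exit(code)
```

Run it against a firewall as pf_poll.py <host> <community>; the exit code follows the Nagios convention so it can be dropped into a check command as-is. The parser accepts both the full-path output shown on the page and the MODULE::object form newer net-snmp clients print by default.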

Example Graphs

Below are a couple of graphs from a Cacti server that is monitoring some OpenBSD firewalls that have these MIBs installed.

Third-Party Tools

Below is a list of tools that others have written to take advantage of the MIBs available here. If you want something added here, please contact me.

  • Nagios check_pf_carp. Generates alarms for CARP hosts that are not in MASTER state. By Brian A. Seklecki

Credits

The following people have contributed by writing code, reporting bugs, offering suggestions, or sending alcohol :-)

  • Sven Ingebrigt Ulland (PF-MIB: labels support)
  • Brian A. Seklecki
  • Bryan Kaplan
  • Bill Cameron
  • Clint Byrum

Thank you for your contributions.
