The following SNMP MIBs and the accompanying code that extend the Net-SNMP daemon allow administrators to query information from various OpenBSD subsystems. Currently, stats can be queried from:
- Packet Filter
- The kernel sensors framework
- Common Address Redundancy Protocol (CARP)
These MIBs are being integrated into OpenBSD's own snmpd. OpenBSD 5.1 has the kernel sensor and CARP MIBs. OpenBSD 5.1-current has and the future 5.2 release will have the pf MIB. See this post for a bit more detail.
Table of Contents
- SNMP Introduction
- Packet Filter MIB
- Kernel Sensors MIB
- CARP MIB
- Example Graphs
- Third-Party Tools
- Related Blog Posts
SNMP is the Simple Network Management Protocol. It's used to manage nodes (routers, switches, servers, etc) on an IP network. SNMP allows an administrator to query the current status of a node, collect data for analysis and historical reasons, and to make configuration changes to the node. SNMP also has provisions for a node to send an alarm or a "trap" to a central monitoring station to alert the administrator to possible trouble.
When the node being monitored is a router or firewall, some of the more commonly monitored objects include:
- Interface bytes per second
- Interface packets per second
- Bytes passed/blocked
- Packets passed/blocked
- CPU usage
- Memory usage
- State table size
The list of objects that can be monitored by SNMP is stored in a Management Information Base, or MIB. The MIB defines the name of the object, its data type (integer, string, etc) and the object's location within the MIB heirarchy.
The PF MIB allows for the querying of objects relating to OpenBSD's Packet Filter firewall software. The following information can be queried from the MIB:
- General info (is PF enabled, the runtime, the hostid)
- Packet counters
- State table counters
- Log interface counters
- Source track counters
- Memory limits
- Protocol timeouts
- Interface stats (number of rules, number of states, bytes passed/blocked, packets passed/blocked, etc)
- Table stats (number of addresses, evaluations, bytes passed/blocked, packets passed/blocked, etc)
- Table content stats (bytes passed/blocked and packets passed/blocked for each address/network within a table)
- Filter rule label counters
- This feature was contributed by Sven Ingebright Ulland
- pfsync(4) protocol counters
The limitations of the MIB:
The MIB tree can be viewed here: PF MIB tree
A sample walk of the MIB can be seen here: PF MIB walk
The Kernel Sensors MIB allows for querying information from the OpenBSD kernel sensors. The kernel sensors provide data from various environmental sensors, disk drives, etc.
The MIB reports data in much the same way as the "sysctl hw.sensors" command does.
The MIB tree can be viewed here: Sensors MIB tree
A sample walk of the MIB can be seen here: Sensors MIB walk
The CARP MIB allows for querying the status of carp(4) interfaces. It can be used to determine how many CARP groups are configured on a node, what their state is, and the various operational settings of the CARP group, including advskew, advbase and the carpdev.
The limitations of the MIB:
- The value of the CARP demote counter associated with interface groups is not handled.
- The IP address(es) assigned to the CARP interface is not returned. This can be queried in the ifTable.
- When doing load balancing via CARP, the "carpnodes" are not shown via the MIB.
The MIB tree can be viewed here: CARP MIB tree
A sample walk of the MIB can be seen here: CARP MIB walk
The MIBs are available as a patch to the OpenBSD net-snmp port.
- OpenBSD 5.1: obsd-mibs51.tar
- OpenBSD 5.1-release (use this if compiling ports from ports.tar.gz on the DVD): obsd-mibs51-release.tar
- OpenBSD 5.0: obsd-mibs50.tar
- OpenBSD 4.9: obsd-mibs49.tar
- OpenBSD 4.8: obsd-mibs48.tar
- OpenBSD 4.4: obsd-mibs44.tar
- OpenBSD 4.3: obsd-mibs43.tar
- OpenBSD 4.2: obsd-mibs42.tar
- OpenBSD 4.1: obsd-mibs41.tar
- OpenBSD 4.0: obsd-mibs40.tar
Earlier releases only included the PF MIB. These are listed below.
- OpenBSD 4.0: pf-mib40.tar
- OpenBSD 3.9: pf-mib39.tar
- OpenBSD 3.8: pf-mib38.tar
- OpenBSD 3.7: pf-mib37.tar
The pf-mib39 release is backwards compatible with OpenBSD 3.8, however the diff will not apply cleanly to the OpenBSD 3.8 net-snmp port. You will have to resolve any failures by hand.
Perform these steps to install the MIB:
- Retrieve the net-snmp port from the OpenBSD ports system (See the OpenBSD FAQ for details)
- Extract the patch tarball
- Apply the included patch
- Build and install the port
cd /usr/ports/net/net-snmp ftp https://www.packetmischief.ca/files/openbsd/snmp/obsd-mibsXX.tar tar xf obsd-mibsXX.tar patch < obsd-mibs.diff make install
The MIBs are now installed as part of the net-snmp port.
The path to the MIBs is
.184.108.40.206.4.1.64512 which translates to
64512 is a somewhat arbitrarily chosen number that is not currently assigned.
To see what objects are available in the MIB you can either walk the MIB using an SNMP client...
snmpwalk -v2c -c <community> <host> OPENBSD-PF-MIB::pfMIBObjects snmpwalk -v2c -c <community> <host> OPENBSD-SENSORS-MIB::sensorsMIBObjects snmwwalk -v2c -c <community> <host> OPENBSD-CARP-MIB::carpMIBObjects
... or you can view the tree:
snmptranslate -Tp -OS OPENBSD-PF-MIB::pfMIBObjects snmptranslate -Tp -OS OPENBSD-SENSORS-MIB::sensorsMIBObjects snmptranslate -Tp -OS OPENBSD-CARP-MIB::carpMIBObjects
To query an object in the MIB, find the path to the object you want and append it to .enterprises.openBSD. For example, if you wanted to query the running object, you would determine its path to be pfMIBObjects.info.running.0. Note the 0 (zero) on the end; it is important, so don't omit it. Next you need to tell your snmp client to load the MIB so that it's able to translate the above path to the numeric path. The sequence looks like this:
# export MIBS="+/usr/local/share/snmp/mibs/OPENBSD-PF-MIB.txt" # snmpget -v2c -c <community> <host> \ .enterprises.openBSD.pfMIBObjects.info.running.0 enterprises.openBSD.pfMIBObjects.info.running.0 = true(1)
Below are a couple of graphs from a Cacti server that is monitoring some OpenBSD firewalls that have these MIBs installed.
Below is a list of tools that others have written to take advantage of the MIBs available here. If you want something added here, please contact me.
- Nagios check_pf_carp. Generates alarms for CARP hosts that are not in MASTER state. By Brian A. Seklecki
The following people have contributed by writing code, reporting bugs, offering suggestions, or sending alchohol :-)
- Sven Ingebrigt Ulland (PF-MIB: labels support)
- Brian A. Seklecki
- Bryan Kaplan
- Bill Cameron
- Clint Byrum
Thank you for your contributions.
- OpenBSD 5.1 SNMP MIBs
- Net-SNMP and snmpd Coexistence on OpenBSD
- Switching from Net-SNMP to snmpd for CARP, PF and Sensor Monitoring
- Net-SNMP v5.7 Issues
- OpenBSD 5.0 SNMP MIBs
- Net-SNMP 5.6.1 Missing hrSystemProcesses OID
- OpenBSD 4.9 SNMP MIBs
- RFC 1157 - Simple Network Management Protocol (SNMP)
- RFC 1441 - Introduction to version 2 of the Internet-standard Network Management Framework
- RFC 2578 - Structure of Management Information Version 2 (SMIv2)
- Cacti - The Complete rrdtool-based Graphing Solution
- SMI Network Management Private Enterprise Codes
- SNMP Link