Hi everybody, have a nice day.

I am configuring accounting in Shorewall (/etc/shorewall/accounting), and the traffic between eth0 (local network 1), eth2 (local network 2) and eth3 (local network 3) <--> eth1 (public IP network) works fine. I am doing the accounting because I want to control the remote VPN access (pptpd) through Shorewall.

Which is the way to control VPN/IP access in /etc/shorewall/accounting?

Is my example correct? And if I have different VPNs, will it be with ppp1, ppp2, ...? Or do I have to control it through Shorewall zones vpn1, vpn2, ...?

    acc1-out:COUNT account-ip - ppp0:192.168.1.100
    acc1-in:COUNT account-ip ppp0:192.168.1.100 -
    DONE acc1
    #
    #acc2-in:COUNT account-ip eth0 195.8.169.2
    #acc2-out:COUNT account-ip 195.8.169.2 eth0
    #DONE acc2

--
Javier Martínez
Technical Manager

Javier Martínez wrote:
> Hi everybody, have a nice day.
>
> I am configuring accounting in Shorewall (/etc/shorewall/accounting), and
> the traffic between eth0 (local network 1), eth2 (local network 2) and
> eth3 (local network 3) <--> eth1 (public IP network) works fine. I am doing
> the accounting because I want to control the remote VPN access (pptpd)
> through Shorewall.

You cannot CONTROL anything using Shorewall accounting -- you can only count packets and bytes.

> Which is the way to control VPN/IP access in /etc/shorewall/accounting?

Again, you can't CONTROL vpn using Shorewall accounting.

> Is my example correct? And if I have different VPNs, will it be with ppp1,
> ppp2, ...? Or do I have to control it through Shorewall zones vpn1, vpn2, ...?

Type "man shorewall-accounting" -- do you see ANY mention of 'zone' there?

> acc1-out:COUNT account-ip - ppp0:192.168.1.100
> acc1-in:COUNT account-ip ppp0:192.168.1.100 -
> DONE acc1

To account for the traffic in and out of ppp0, the simplest pair of rules is:

    COUNT - ppp0 -     #Traffic from ppp0
    COUNT - - ppp0     #Traffic to ppp0

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

With this example, can I count the ppp0 traffic for 192.168.1.100?

    acc1-out:COUNT account-ip - ppp0:192.168.1.100
    acc1-in:COUNT account-ip ppp0:192.168.1.100 -
    DONE acc1

--
Javier Martínez
Director General
Sip2000 Sistemas
Luis Morondo Urra 11 Bajo
31006 Pamplona, Navarra
http://www.sip2000.es

Javier Martínez wrote:
> With this example, can I count the ppp0 traffic for 192.168.1.100?
>
> acc1-out:COUNT account-ip - ppp0:192.168.1.100
> acc1-in:COUNT account-ip ppp0:192.168.1.100 -
> DONE acc1

By themselves, those rules won't do anything.

What do you mean by 'traffic for 192.168.1.100'? Is 192.168.1.100 on the local end of the tunnel or on the remote end? If it is on the remote end, then these rules will count traffic:

    COUNT - ppp0:192.168.1.100 -
    COUNT - - ppp0:192.168.1.100

If you want to count that traffic in a chain named 'acc1' then:

    acc1:COUNT - ppp0:192.168.1.100 -
    acc1:COUNT - - ppp0:192.168.1.100
    DONE acc1

-Tom
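
Added example, not part of the thread and not Shorewall's own tooling: one way to read back the counters that rules like the ones above accumulate, which also shows that accounting yields numbers only and blocks nothing. It assumes the counting rules land in a filter-table chain named accounting and are dumped with iptables-save -c; the sample dump and the names sample_counters and vpn_usage are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `iptables-save -c`:
# "[packets:bytes] -A <chain> <matches>". Counting rules carry no -j target.
sample_counters() {
cat <<'EOF'
*filter
:accounting - [0:0]
[120:98304] -A accounting -s 192.168.1.100/32 -i ppp0
[95:45056] -A accounting -d 192.168.1.100/32 -o ppp0
[40:20480] -A accounting -s 192.168.1.101/32 -i ppp1
[7:512] -A accounting -i eth1
COMMIT
EOF
}

# vpn_usage IFACE PEER_IP [CHAIN]
# Reads `iptables-save -c` text on stdin and prints "from=<bytes> to=<bytes>"
# for one peer on one tunnel interface. CHAIN defaults to "accounting";
# pass e.g. acc1 when the counting rules live in a named sub-chain.
vpn_usage() {
    awk -v ifc="$1" -v ip="$2" -v chain="${3:-accounting}" '
    $1 ~ /^\[[0-9]+:[0-9]+\]$/ && $2 == "-A" && $3 == chain {
        # c[1] = packets, c[2] = bytes
        split(substr($1, 2, length($1) - 2), c, ":")
        src = dst = inif = outif = ""
        # Option order is not assumed; scan every "-x value" pair.
        for (i = 4; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "-i") inif = $(i + 1)
            else if ($i == "-o") outif = $(i + 1)
        }
        # Host addresses are dumped with a /32 suffix.
        sub(/\/32$/, "", src); sub(/\/32$/, "", dst)
        if (inif == ifc && src == ip) from += c[2]   # traffic from the peer
        if (outif == ifc && dst == ip) to += c[2]    # traffic to the peer
    }
    END { printf "from=%d to=%d\n", from, to }'
}
```

On a live firewall the same function would be fed with `iptables-save -c | vpn_usage ppp0 192.168.1.100`, run as root.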