Shorewall users - Sep 2013 - shorewall default accounting vs per-ip

All,
i''m setting up accounting for my 60 user network.
as i read from a number of tutorials, i can either go with the default setup of
shorewall (version 4.5.5.3)or i can install xtables and configure shorewall to
use perIP
now the per ip setup is what i need, but i can do it without xtables by issuing
the following:
for i in {1..254};do echo "user_$i             -       x.x.x.$i    -       
any             anyuser_$i             -       -       x.x.x.$i            any  
-               any" >> ./accounting;done
and then tail accounting file with this line:
COUNT           total     eth1COUNT           total     -       eth0

Can anyone find a problem with such a config? if there''s any downside,
i''d appreciate a heads up.
Thanks 		 	   		  

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk

On 9/8/2013 6:05 AM, Roland RoLaNd wrote:
> All,
> 
> i''m setting up accounting for my 60 user network.
> 
> as i read from a number of tutorials, i can either go with the default
> setup of shorewall (version 4.5.5.3)
> or i can install xtables and configure shorewall to use perIP
> 
> now the per ip setup is what i need, but i can do it without xtables by
> issuing the following:
> 
> for i in {1..254};do 
> echo "user_$i             -       x.x.x.$i    -               any
>       any
> user_$i             -       -       x.x.x.$i            any            
> -               any" >> ./accounting;done
> 
> and then tail accounting file with this line:
> 
> COUNT           total     eth1
> COUNT           total     -       eth0
> 
> 
> Can anyone find a problem with such a config? 
> if there''s any downside, i''d appreciate a heads up.
It is grossly inefficient. Every packet in/out and through your firewall
gets to traverse 254 extra iptables rules.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk

you''re absolutely right, that absolutely skipped my mind. thank you! 
I got xtables  installed  all is working okay, and i liked the fact that i can
export it to csv
though i have a question. is there a way to get accounting per source/
destination? or protocol without specifying them in accounting?
for example getting accounting for a certain ip divided by  protocol used
Thanks
Date: Sun, 8 Sep 2013 07:26:38 -0700
From: teastep@shorewall.net
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] shorewall default accounting vs per-ip

On 9/8/2013 6:05 AM, Roland RoLaNd wrote:
> All,
> 
> i''m setting up accounting for my 60 user network.
> 
> as i read from a number of tutorials, i can either go with the default
> setup of shorewall (version 4.5.5.3)
> or i can install xtables and configure shorewall to use perIP
> 
> now the per ip setup is what i need, but i can do it without xtables by
> issuing the following:
> 
> for i in {1..254};do 
> echo "user_$i             -       x.x.x.$i    -               any
>       any
> user_$i             -       -       x.x.x.$i            any            
> -               any" >> ./accounting;done
> 
> and then tail accounting file with this line:
> 
> COUNT           total     eth1
> COUNT           total     -       eth0
> 
> 
> Can anyone find a problem with such a config? 
> if there''s any downside, i''d appreciate a heads up.
 
It is grossly inefficient. Every packet in/out and through your firewall
gets to traverse 254 extra iptables rules.
 
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
 

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users 		 	   		  

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk