Hi,

I need a suggestion about how to set up a shorewall configuration so that I can log the traffic size being downloaded through a shorewall dedicated box. I need to log time, source IP, size of the transfer, protocol(s) and ports, destination IP (looking from inside the LAN, I mean :-)

Whenever possible, I'd like to resolve the source IP with our existing internal DNS, so that I can directly log the client name together with - or instead of - the IP address; this would be really useful, since we use a dynamic IP configuration for the LAN (DHCP), and thus the assigned IPs change on a daily basis.

By now I learned that shorewall alone isn't sufficient (it only logs the size of the session, but not the size of the transfer during a session); I'm wondering if anybody managed to achieve a configuration acting the way I described above.

My gateway box is a classic two-interface shorewall setup, which SNATs the rfc1918 IP pool (intranet) through a static public IP, different from the external interface IP of the firewall itself. I'd gladly avoid setting up (transparent) proxies together with shorewall....

Any suggestions appreciated.

Thanks,
Corrado
On Tue, 30 Nov 1999, C. Cau wrote:

> Hi,
>
> I need a suggestion about how to set up a shorewall configuration so that I
> can log the traffic size being downloaded through a shorewall dedicated box.
>
> I need to log time, source IP, size of the transfer, protocol(s) and ports,
> destination IP (looking from inside the LAN, I mean :-)
>

You can't do that with Netfilter unless you log every packet and process that log; not something that you want to try.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
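To make concrete what "log every packet and process that log" would look like, here is an added example (not code from anyone in this thread): it parses iptables LOG lines carrying the Shorewall log prefix, sums the LEN= field per LAN client in each direction, and resolves the client through the local resolver. The 192.168.1.0/24 LAN, the interface names and the sample log lines are assumptions constructed for the example.

```python
# Added example (not from the thread): aggregate iptables/Shorewall LOG lines
# into per-client download/upload bytes keyed by the remote endpoint.
# LAN prefix, interface names and sample lines are assumed/constructed.
import re
import socket
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed internal RFC 1918 pool
FIELD = re.compile(r"\b(SRC|DST|LEN|PROTO|SPT|DPT)=(\S+)")

def resolve_dns(ip):
    """Reverse-resolve via the local resolver (internal DNS); fall back to the IP."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip

def account(lines, resolve=resolve_dns):
    """Return {client: {(proto, remote_ip, remote_port): {'down': n, 'up': n}}}.
    LEN= is the IP total length, so counts include IP and TCP/UDP headers."""
    totals = defaultdict(lambda: defaultdict(lambda: {"down": 0, "up": 0}))
    for line in lines:
        f = dict(FIELD.findall(line))
        if "Shorewall:" not in line or not all(k in f for k in ("SRC", "DST", "LEN", "PROTO")):
            continue   # not a Shorewall LOG line, or too short to account
        src, dst, size = ip_address(f["SRC"]), ip_address(f["DST"]), int(f["LEN"])
        if dst in LAN and src not in LAN:     # reply packet: bytes downloaded
            key = (f["PROTO"], f["SRC"], f.get("SPT", "-"))
            totals[resolve(f["DST"])][key]["down"] += size
        elif src in LAN and dst not in LAN:   # request packet: bytes uploaded
            key = (f["PROTO"], f["DST"], f.get("DPT", "-"))
            totals[resolve(f["SRC"])][key]["up"] += size
    return totals

SAMPLE_LOG = [  # constructed lines in iptables LOG format with a Shorewall prefix
    "Mar 29 02:06:01 gw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 "
    "SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=34567 DPT=80",
    "Mar 29 02:06:01 gw kernel: Shorewall:net2loc:ACCEPT:IN=eth0 OUT=eth1 "
    "SRC=203.0.113.5 DST=192.168.1.10 LEN=1500 PROTO=TCP SPT=80 DPT=34567",
    "Mar 29 02:06:02 gw kernel: Shorewall:net2loc:ACCEPT:IN=eth0 OUT=eth1 "
    "SRC=203.0.113.5 DST=192.168.1.10 LEN=1500 PROTO=TCP SPT=80 DPT=34567",
    "Mar 29 02:06:03 gw kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 "
    "SRC=198.51.100.2 DST=203.0.113.9 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for client, flows in account(SAMPLE_LOG).items():
        for (proto, remote, port), n in flows.items():
            print(f"{client} {proto} {remote}:{port} down={n['down']} up={n['up']}")
```

Traffic that neither originates from nor is delivered to the LAN prefix (such as the firewall's own fw2net line) is skipped, and the per-packet LOG rate on a busy gateway is exactly why Tom advises against this approach.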
Actually, I don't need to log *every* packet... it would be enough to log the packets involving - say - the FTP and HTTP(s) transfers.

But of course for doing that I'd need to inspect every and each packet, I guess...

thanks,
Corrado

On Saturday 29 March 2003 02:06, you wrote:
> You can't do that with Netfilter unless you log every packet and process
> that log; not something that you want to try.
>
> -Tom
On Tue, 30 Nov 1999, C. Cau wrote:

> Actually, I don't need to log *every* packet... it would be enough to log the
> packets involving - say - the FTP and HTTP(s) transfers.
>
> But of course for doing that I'd need to inspect every and each packet, I
> guess...
>

There was a post on the Netfilter development recently from someone who was working on session-level accounting. Such development often fails to produce anything useful and those that do typically take a year or two to make it into production kernels.

So Netfilter may eventually be able to do what you want in an efficient manner but it won't be any time soon...

-Tom
Interesting...

This e-mail is quickly getting off-topic, so before closing the thread, my last question: given that netfilter isn't there yet, what would you use for that purpose, if you were in my shoes? I absolutely need to solve the problem, and as much as possible I want to use Linux, or FreeBSD, for the job.

Thanks,
Corrado

PS: today I noticed that my notebook got its date reset back to 1999, hence my previous e-mails could have strange dates in the past :-)

On Saturday 29 March 2003 15:33, Tom Eastep wrote:
> There was a post on the Netfilter development recently from someone who
> was working on session-level accounting. Such development often fails to
> produce anything useful and those that do typically take a year or two to
> make it into production kernels.
>
> So Netfilter may eventually be able to do what you want in an efficient
> manner but it won't be any time soon...
>
> -Tom
Nerijus Baliunas
2003-Apr-06 17:30 UTC
[Shorewall-users] IP traffic accounting and shorewall
On Sat, 29 Mar 2003 23:22:35 +0100 "C. Cau" <ccau@itsyn.it> wrote:

> This e-mail is quickly getting off-topic, so before closing the thread, my
> last question: given that netfilter isn't there yet, what would you use for
> that purpose, if you were in my shoes? I absolutely need to solve the
> problem, and as much as possible I want to use Linux, or FreeBSD, for the
> job.

http://sourceforge.net/projects/ipac-ng
http://netacct-mysql.sourceforge.net/
http://savannah.nongnu.org/download/ulog-acctd/

Regards,
Nerijus