I should also mention that Accounting rules are not stateful -- each rule only handles traffic in one direction. So for example, if eth0 is your internet interface and you have a web server in your DMZ connected to eth1 then to measure HTTP traffic in both directions requires two rules:

DONE eth0 eth1 tcp 80
DONE eth1 eth0 tcp - 80

Associating a counter with a chain allows for aggregation. For example:

webserver:DONE eth0 eth1 tcp 80
webserver:DONE eth1 eth0 tcp - 80
webserver:DONE eth0 eth1 tcp 443
webserver:DONE eth1 eth0 tcp - 443

Now "shorewall show webserver" will give you the bi-directional traffic totals for your web server.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sun, 10 Aug 2003 15:00:47 -0600, <paul@freestylenetworks.com> wrote:

> Tom,
>
> I changed my /etc/shorewall/accounting to this:
>
> loki:DONE eth0 192.168.3.5 tcp 22
> loki:DONE 192.168.3.5 eth0 tcp - 22
>
> When I perform a 'shorewall show loki' I get this:
>
> Chain loki (2 references)
>  pkts bytes target  prot opt in  out  source     destination
>    38  2759 RETURN  all  --  *   *    0.0.0.0/0  0.0.0.0/0
>
> Is there a way to show the detail of incoming/outgoing like there is in
> 'shorewall show accounting'?

No -- if you want to keep input and output separate, don't put them in the same chain.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Sun, 10 Aug 2003 14:03:22 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>> Is there a way to show the detail of incoming/outgoing like there is in
>> 'shorewall show accounting'?
>
> No -- if you want to keep input and output separate, don't put them in
> the same chain.

I envision using aggregation as shown at http://shorewall.net/Accounting.html

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
kb
2003-Aug-11 09:46 UTC
Accounting issue (was: Re: [Shorewall-users] More about Accounting)
[ Sorry for cross-posting. This should be on the dev list, but I am not subscribed to that list -- but curious about comments. ;) ]

First of all: Thanks again to Tom for this great new feature and his help debugging. :-)

While playing around a little bit with this new feature I encountered a minor issue:

DONE              # does not work
DONE - - - - -    # works

(In fact, the newline followed directly after the last char of the rule, no unnecessary whitespace added.)

According to the docs, trailing 'any's can be omitted. [1] This works at least for the last 3 of them, as I tested. Omitting all 5 optional values results in shorewall starting without(!) any error, not notifying about the created chain -- and indeed the chain does not exist.

karsten

[1] This is not mentioned in the docs, but the examples are omitting them if not needed.

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Tom Eastep
2003-Aug-11 10:09 UTC
Accounting issue (was: Re: [Shorewall-users] More about Accounting)
On Mon, 2003-08-11 at 09:45, kb wrote:

> [ Sorry for cross-posting. This should be on the dev list, but I am not
> subscribed to that list -- but curious about comments. ;) ]
>
> First of all: Thanks again to Tom for this great new feature and his
> help debugging. :-)
>
> While playing around a little bit with this new feature I encountered a
> minor issue:
>
> DONE              # does not work
> DONE - - - - -    # works
>
> (In fact, the newline followed directly after the last char of the rule,
> no unnecessary whitespace added.)
>
> According to the docs, trailing 'any's can be omitted. [1] This works
> at least for the last 3 of them, as I tested. Omitting all 5 optional
> values results in shorewall starting without(!) any error, not notifying
> about the created chain -- and indeed the chain does not exist.

In my test, I get this:

Deleting user chains...
Setting up Accounting...
Warning: Invalid Accounting rule DONE
Restoring dynamic rules...

I try to give warnings in the accounting code rather than errors since omissions in the accounting rules don't represent potential security holes.

I suppose that the simplest thing to do is just allow the degenerate rules "DONE" and "COUNT".

> karsten
>
> [1] This is not mentioned in the docs, but the examples are omitting
> them if not needed.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
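The rule semantics Tom spelled out earlier in the thread (one accounting rule per direction, a `chain:ACTION` prefix to aggregate both directions into one counter) and the degenerate bare `DONE` rule discussed in this message, as an added example that is not part of the thread and not Shorewall's own code: a POSIX sh dry run that expands accounting rules into the iptables commands they stand for and prints them instead of running them. It assumes the column order ACTION SOURCE DEST PROTO DPORT SPORT seen in the rules quoted above, that DONE counts and then returns while COUNT counts and falls through, that a named chain holds a single counting RETURN rule (which is what the `shorewall show loki` output quoted earlier displays), and it tells an interface from an address with a crude pattern test. How Shorewall's `firewall` script really builds these chains is not taken from the page; the names `expand_rule`, `expand_file`, `match_endpoint` and `CHAINS_SEEN` are this example's own. A rule with no columns at all expands to a plain counting rule instead of vanishing, which is the case that produced no chain in the 1.294 script.

```shell
#!/bin/sh
# Dry-run expander for Shorewall-style accounting rules (added example, not
# Shorewall's code). Prints the iptables commands a rule stands for.
#
# Assumed rule format (taken from the rules quoted in the thread):
#   [chain:]ACTION [SOURCE [DEST [PROTO [DPORT [SPORT]]]]]
# Trailing columns may be omitted and "-" means "any". DONE is assumed to
# count and then RETURN, COUNT to count and fall through. These and the
# iptables layout below are assumptions of this example.

set -f   # rule columns are split on whitespace; never let "*" glob

# Print the iptables match for one SOURCE or DEST column.
# $1 = column value, $2 = interface flag (-i or -o), $3 = address flag (-s or -d)
match_endpoint() {
    case "$1" in
        -|'') ;;                                          # any: no match at all
        *[0-9].[0-9]*|*/*) printf ' %s %s' "$3" "$1" ;;   # crude: dotted or CIDR = address
        *)                 printf ' %s %s' "$2" "$1" ;;   # otherwise an interface name
    esac
}

# Expand one rule line to stdout. Named chains are created on first use and
# remembered in CHAINS_SEEN (space separated) so each is created only once.
expand_rule() {
    set -- $1                                   # split the line into its columns
    [ $# -eq 0 ] && return 0                    # blank line
    case "$1" in '#'*) return 0 ;; esac         # comment line
    chain=accounting
    case "$1" in
        *:*) chain=${1%%:*}; action=${1#*:} ;;
        *)   action=$1 ;;
    esac
    case "$action" in
        DONE|COUNT) ;;
        *) echo "warning: unknown action '$action' in rule: $*" >&2; return 1 ;;
    esac
    # Missing trailing columns are treated exactly like "-", so a bare "DONE"
    # is "DONE - - - - -" and still produces a rule.
    src=${2:--} dst=${3:--} proto=${4:--} dport=${5:--} sport=${6:--}
    if [ "$proto" = - ] && { [ "$dport" != - ] || [ "$sport" != - ]; }; then
        echo "warning: port given without a protocol, skipping: $*" >&2
        return 1
    fi
    m=$(match_endpoint "$src" -i -s)$(match_endpoint "$dst" -o -d)
    [ "$proto" != - ] && m="$m -p $proto"
    [ "$dport" != - ] && m="$m --dport $dport"
    [ "$sport" != - ] && m="$m --sport $sport"
    if [ "$chain" = accounting ]; then
        case "$action" in
            DONE)  target=' -j RETURN' ;;       # count, then stop walking the chain
            COUNT) target= ;;                   # count only, keep walking
        esac
    else
        case " $CHAINS_SEEN " in
            *" $chain "*) ;;
            *)  CHAINS_SEEN="$CHAINS_SEEN $chain"
                echo "iptables -N $chain"
                # One counting RETURN rule per named chain: the single
                # "RETURN all" line that "shorewall show loki" listed above.
                # (How DONE and COUNT differ inside a named chain is not modelled.)
                echo "iptables -A $chain -j RETURN" ;;
        esac
        target=" -j $chain"                     # both directions jump here, so totals aggregate
    fi
    echo "iptables -A accounting$m$target"
}

# Expand every rule read from stdin. The "|| [ -n "$line" ]" keeps a final
# line that has no trailing newline, which read alone would drop.
expand_file() {
    CHAINS_SEEN=
    while IFS= read -r line || [ -n "$line" ]; do
        expand_rule "$line" || :                # a bad rule is warned about, not fatal
    done
    return 0
}

# Constructed sample (the rules from this thread plus a bare DONE), fed
# without a trailing newline on purpose.
SAMPLE='webserver:DONE eth0 eth1 tcp 80
webserver:DONE eth1 eth0 tcp - 80
webserver:DONE eth0 eth1 tcp 443
webserver:DONE eth1 eth0 tcp - 443
# plain rules stay in the accounting chain, so each direction keeps its own counter
DONE eth0 192.168.3.5 tcp 22
DONE 192.168.3.5 eth0 tcp - 22
DONE'
printf '%s' "$SAMPLE" | expand_file
```

Run it as `sh expand.sh` (or feed your own file with `expand_file < /etc/shorewall/accounting` after sourcing it) and compare the printed commands with `iptables -L accounting -v -n`; the `webserver` chain is created once and referenced four times, which is why `shorewall show webserver` can report a single bi-directional total while the two bare `DONE` rules for SSH keep separate counters in the accounting chain.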
kb
2003-Aug-11 10:49 UTC
Accounting issue (was: Re: [Shorewall-users] More about Accounting)
> > According to the docs, trailing 'any's can be omitted. [1] This works
> > at least for the last 3 of them, as I tested. Omitting all 5 optional
> > values results in shorewall starting without(!) any error, not notifying
> > about the created chain -- and indeed the chain does not exist.
>
> In my test, I get this:
>
> Deleting user chains...
> Setting up Accounting...
> Warning: Invalid Accounting rule DONE
> Restoring dynamic rules...

Strange, here is my output:

Deleting user chains...
Setting up Accounting...
Creating Interface Chains...

# shorewall show accounting
Shorewall-1.4.6-20030809 Chain accounting at monkey - Mon Aug 11 19:40:09 CEST 2003

Counters reset Mon Aug 11 19:38:39 CEST 2003

iptables: Table does not exist (do you need to insmod?)

Again and for completeness the versions:

Shorewall version is the latest snapshot 1.4.6-20030809, 'firewall' script is 1.294 from CVS, 'accounting' file is 1.2 from CVS.

And the accounting file *is* in Unix format and has a famous last line... ;)

The rule "DONE -" works as expected.

> I try to give warnings in the accounting code rather than errors since
> omissions in the accounting rules don't represent potential security
> holes.

Sure, understand that. Apart from not seeing any warning here...

> I suppose that the simplest thing to do is just allow the degenerate
> rules "DONE" and "COUNT".

Yep, quick-n-dirty. What about "rulename:DONE"? It shows the same issue as the default chain.

karsten

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Tom Eastep
2003-Aug-11 10:53 UTC
Accounting issue (was: Re: [Shorewall-users] More about Accounting)
On Mon, 2003-08-11 at 10:48, kb wrote:

> Again and for completeness the versions:
>
> Shorewall version is the latest snapshot 1.4.6-20030809, 'firewall'
> script is 1.294 from CVS, 'accounting' file is 1.2 from CVS.

I was running 1.295.

> Yep, quick-n-dirty. What about "rulename:DONE"? It shows the same issue
> as the default chain.

Same -- try 1.296.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
kb
2003-Aug-11 11:07 UTC
Accounting issue (was: Re: [Shorewall-users] More about Accounting)
> > Shorewall version is the latest snapshot 1.4.6-20030809, 'firewall'
> > script is 1.294 from CVS, 'accounting' file is 1.2 from CVS.
>
> I was running 1.295.
>
> > Yep, quick-n-dirty. What about "rulename:DONE"? It shows the same issue
> > as the default chain.
>
> Same -- try 1.296.

That's unfair -- last edited 17 minutes ago. ;)

Using 1.296 solved the issue, the degenerate DONE rule works as promised.

Thanks Tom.

karsten

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}