hi all,

i was asked recently if a firewall running shorewall could be reconfigured.
using the basic accounting on a per-IP basis, we already log how much b/w
each person is using.

the question is, is there a way to track which IP addresses each person
is connecting to? (each person is using a dedicated machine and IP.)

i have no idea how to answer that Q. so i thought i'd ask here. it seems
likely that something out there can do this, but hopefully someone here
knows how to do it.

thanks for any input,

-josh

(and thanks again to tom for a great tool!)

On Fri, 2003-11-21 at 09:31, Josh Fryman wrote:
> hi all,
>
> i was asked recently if a firewall running shorewall could be reconfigured.
> using the basic accounting on a per-IP basis, we already log how much b/w
> each person is using.

Yes -- See the Shorewall Traffic Accounting documentation. It's the
*first* link in the alphabetical index to the documentation.

>
> the question is, is there a way to track which IP addresses each person
> is connecting to? (each person is using a dedicated machine and IP.)

I don't understand the question. If in your setup a person is synonymous
with an IP address then what problem is it that you are trying to solve?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

hi tom,

> > the question is, is there a way to track which IP addresses each person
> > is connecting to? (each person is using a dedicated machine and IP.)
>
> I don't understand the question. If in your setup a person is synonymous
> with an IP address then what problem is it that you are trying to solve?

sorry, let me be more elaborate. (my cable modem went out for several
days, so i've been out of it. sorry for the delay, too.)

in short, if i have a set of users, each of which is mapped to a unique
IP via DHCP, like so:

    user1    192.168.5.12
    user2    192.168.5.13

where the 5.x is really x.y (physical subnets) ... then what i'd like to
do is establish the actual pattern per IP visited. ie, i set up basic b/w
accounting a long time ago via the docs at this URL

    http://www.shorewall.net/Accounting.html

which is also what you alluded to in your earlier comments. but what i
really want is an output like so:

(basic display summary, followed by:)

    SOURCE         port       DEST            port       BYTES
    192.168.5.12   tcp:341    27.56.34.12     tcp:8080   1.4M
    192.168.5.12   tcp:80     155.12.17.27    tcp:80     0.6M
    192.168.5.12   tcp:80     231.68.90.13    tcp:80     2.6M
    192.168.5.12   tcp:80     109.11.59.37    tcp:80     0.1M
    192.168.5.12   tcp:80     251.99.81.231   tcp:80     0.2M
    ....
    ....
    192.168.5.13   tcp:80     122.17.22.14    tcp:80     5.9M
    192.168.5.13   tcp:80     1.64.67.5       tcp:80     3.7M
    192.168.5.13   udp:5631   209.7.129.8     udp:801    1.1M
    ....
    ....

where i get the traffic _per_ user to every target visited. the basic b/w
i get from the 0.0.0.0/0 displays i see currently. essentially i've been
asked if it's possible to see where every user goes and how much bandwidth
they use at every site.

i'm trying to avoid setting up accounting rules for all 2^32 possible
addresses :)

the short answer may just be "no" ... but i was asked to find out, so
thus my query.

-j

On Tue, 25 Nov 2003, Josh Fryman wrote:
> which is also what you alluded to in your earlier comments. but what i
> really want is an output like so:
>
> (basic display summary, followed by:)
>
>     SOURCE         port       DEST            port       BYTES
>     192.168.5.12   tcp:341    27.56.34.12     tcp:8080   1.4M
>     192.168.5.12   tcp:80     155.12.17.27    tcp:80     0.6M
>     192.168.5.12   tcp:80     231.68.90.13    tcp:80     2.6M
>     192.168.5.12   tcp:80     109.11.59.37    tcp:80     0.1M
>     192.168.5.12   tcp:80     251.99.81.231   tcp:80     0.2M
>     ....
>     ....
>     192.168.5.13   tcp:80     122.17.22.14    tcp:80     5.9M
>     192.168.5.13   tcp:80     1.64.67.5       tcp:80     3.7M
>     192.168.5.13   udp:5631   209.7.129.8     udp:801    1.1M
>     ....
>     ....
>
> where i get the traffic _per_ user to every target visited. the basic b/w
> i get from the 0.0.0.0/0 displays i see currently. essentially i've been
> asked if it's possible to see where every user goes and how much bandwidth
> they use at every site.
>
> i'm trying to avoid setting up accounting rules for all 2^32 possible
> addresses :)
>
> the short answer may just be "no" ... but i was asked to find out, so
> thus my query.
>

You can't do that using iptables.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net