Hi,

I'm trying to set up accounting, but I want to get it down to a particular IP behind the firewall.

As an example, I could have a simple smtp accounting rule like this:

    smtp:COUNT    -       eth0    eth1    tcp     25
    smtp:COUNT    -       eth1    eth0    tcp     -       25
    DONE          smtp

But I want to have smtp accounting specific to different hosts, so create separate rules for each host.

I tried a couple of examples with a couple of variations of this:

    smtp2:COUNT   -       eth0            192.168.1.245   tcp     25
    smtp2:COUNT   -       192.168.1.245   eth0            tcp     -       25
    DONE          smtp2

But it doesn't work.

How can I filter based on the eth1 host IP?

thanks
Ricardo

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:
Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd

On 9/6/10 3:16 PM, Ricardo Kleemann wrote:
> Hi,
>
> I'm trying to set up accounting, but I want to get it down to a
> particular IP behind the firewall.
>
> As an example, I could have a simple smtp accounting rule like this:
>
>     smtp:COUNT    -       eth0    eth1    tcp     25
>     smtp:COUNT    -       eth1    eth0    tcp     -       25
>     DONE          smtp
>
> But I want to have smtp accounting specific to different hosts, so
> create separate rules for each host.
>
> I tried a couple of examples with a couple of variations of this:
>
>     smtp2:COUNT   -       eth0            192.168.1.245   tcp     25
>     smtp2:COUNT   -       192.168.1.245   eth0            tcp     -       25
>     DONE          smtp2
>
> But it doesn't work.

'It doesn't work' might get you sympathy but it won't get you any help.

Look at your post -- How are we supposed to know what eth0 and eth1 are? Internet, Local, DMZ, ...? What smtp traffic are you trying to account for? Internet<->DMZ? Internet<->Local LAN? Your Wife's computer<->Your girlfriend's computer?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 9/6/10 3:16 PM, Ricardo Kleemann wrote:
> Hi,
>
> I'm trying to set up accounting, but I want to get it down to a
> particular IP behind the firewall.
>
> As an example, I could have a simple smtp accounting rule like this:
>
>     smtp:COUNT    -       eth0    eth1    tcp     25
>     smtp:COUNT    -       eth1    eth0    tcp     -       25
>     DONE          smtp
>
> But I want to have smtp accounting specific to different hosts, so
> create separate rules for each host.
>
> I tried a couple of examples with a couple of variations of this:
>
>     smtp2:COUNT   -       eth0            192.168.1.245   tcp     25
>     smtp2:COUNT   -       192.168.1.245   eth0            tcp     -       25
>     DONE          smtp2
>
> But it doesn't work.
>
> How can I filter based on the eth1 host IP?

Okay -- I read your post again, and I'm still not clear what is going on. Which way is the connection going?

You say that you tried this:

    smtp2:COUNT   -       eth0            192.168.1.245   tcp     25
    smtp2:COUNT   -       192.168.1.245   eth0            tcp     -       25
    DONE          smtp2

Those rules assume that 192.168.1.245 is an MTA (Mail server) because traffic going to 192.168.1.245 has destination port 25 and traffic leaving 192.168.1.245 has source port 25.

If "it doesn't work" means that the rules were loaded successfully but the counters on those rules didn't increment, then 192.168.1.245 must be *sending* email and the rules should be:

    smtp2:COUNT   -       eth0            192.168.1.245   tcp     -       25
    smtp2:COUNT   -       192.168.1.245   eth0            tcp     25
    DONE          smtp2

-Tom
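
The direction point made in the last reply, as an added example (not code from the thread or from Shorewall): a simplified Python model of the accounting columns (ACTION, CHAIN, SOURCE, DEST, PROTO, DPORT, SPORT) run over one constructed outbound mail connection. It assumes eth0 faces the Internet and eth1 the LAN, that every row is checked against every forwarded packet, and that the remote address 203.0.113.10 and client port 40000 are made-up sample values.

```python
from collections import namedtuple
from ipaddress import ip_address

Packet = namedtuple("Packet", "in_if out_if src dst proto sport dport")
COLUMNS = ("action", "chain", "source", "dest", "proto", "dport", "sport")

def parse_rules(text):
    """Split accounting rows into columns; omitted trailing columns mean '-' (any)."""
    rules = []
    for line in text.strip().splitlines():
        cols = line.split()
        if not cols or cols[0] == "DONE":   # DONE only ends the chain, it counts nothing
            continue
        rules.append(dict(zip(COLUMNS, cols + ["-"] * (len(COLUMNS) - len(cols)))))
    return rules

def endpoint_ok(spec, iface, addr):
    """Simplified: a SOURCE/DEST entry is either an interface name or a host address."""
    if spec == "-":
        return True
    try:
        return ip_address(spec) == ip_address(addr)
    except ValueError:                      # not an address, so treat it as an interface
        return spec == iface

def matches(rule, pkt):
    return (endpoint_ok(rule["source"], pkt.in_if, pkt.src)
            and endpoint_ok(rule["dest"], pkt.out_if, pkt.dst)
            and rule["proto"] in ("-", pkt.proto)
            and rule["dport"] in ("-", str(pkt.dport))
            and rule["sport"] in ("-", str(pkt.sport)))

def count_hits(rules_text, packets):
    """Return one packet counter per accounting row, in file order."""
    return [sum(matches(r, p) for p in packets) for r in parse_rules(rules_text)]

# Constructed traffic: the LAN host *sends* mail to a remote MTA, then gets a reply.
HOST, REMOTE = "192.168.1.245", "203.0.113.10"
PACKETS = [Packet("eth1", "eth0", HOST, REMOTE, "tcp", 40000, 25),
           Packet("eth0", "eth1", REMOTE, HOST, "tcp", 25, 40000)]

SERVER_STYLE = """smtp2:COUNT - eth0 192.168.1.245 tcp 25
smtp2:COUNT - 192.168.1.245 eth0 tcp - 25
DONE smtp2"""                               # rules as first posted (host is the MTA)
CLIENT_STYLE = """smtp2:COUNT - eth0 192.168.1.245 tcp - 25
smtp2:COUNT - 192.168.1.245 eth0 tcp 25
DONE smtp2"""                               # rules from the reply (host sends mail)

if __name__ == "__main__":
    print("server-style counters:", count_hits(SERVER_STYLE, PACKETS))
    print("client-style counters:", count_hits(CLIENT_STYLE, PACKETS))
```

The server-style rows load without error but stay at zero for this traffic, which is the symptom described in the reply; swapping the DPORT and SPORT columns makes both counters move.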