shorewall_code/Shorewall/accounting

99 lines
3.1 KiB
Plaintext
Raw Normal View History

#
Large merge of function from EXPERIMENTAL to HEAD. 1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-07-26 01:08:09 +02:00
# Shorewall version 2.6 - Accounting File
#
# /etc/shorewall/accounting
#
# Accounting rules exist simply to count packets and bytes in categories
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
# Columns are:
#
# ACTION - What to do when a match is found.
#
# COUNT - Simply count the match and continue
# with the next rule
# DONE - Count the match and don't attempt
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
#
# DESTINATION - Packet Destination
#
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, or "ipp2p"
#
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p"
# then this column must contain an ipp2p option
# ("iptables -m ipp2p --help") without the leading
# "--". If no option is given in this column, "ipp2p"
# is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# SOURCE PORT Source Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# USER/GROUP This column may only be non-empty if the CHAIN is
# OUTPUT.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE