diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 407c40770..d0c73a21d 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -209,8 +209,30 @@ Migration Considerations: /etc/shorewall/hosts - lan eth1:192.168.2.0/24 ... + lan eth1:192.168.2.0/24 ... + The structure of the accounting rules changes slightly when + there are bridges defined in the Shorewall + configuration. Because of the restrictions imposed by Netfilter + in kernel 2.6.21 and later, output accounting rules must be + segregated from forwarding and input rules. + + To accomplish this separation, Shorewall-perl creates two + accounting chains: + + - accounting - for input and forwarded traffic. + - accountout - for output traffic. + + If the CHAIN column contains '-', then: + + - If the SOURCE column in a rule includes the name of the + firewall zone (e.g., $FW), then the default chain to insert + the rule into is accountout only. + + - Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0, + then the rule is added to both accounting and accountout. + + - Otherwise, the rule is added to accounting only. d) The BROADCAST column in the interfaces file is essentially unused; if you enter anything in this column but '-' or 'detect', you will diff --git a/docs/Accounting.xml b/docs/Accounting.xml index 1ef87e934..35e1851c8 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml @@ -41,142 +41,148 @@ release. - Shorewall accounting rules are described in the file - /etc/shorewall/accounting. By default, the accounting rules are placed in a - chain called accounting and can thus be displayed using - shorewall[-lite] show accounting. All traffic passing into, - out of, or through the firewall traverses the accounting chain including - traffic that will later be rejected by interface options such as - tcpflags and maclist. If your kernel doesn't - support the connection tracking match extension (Kernel 2.4.21) then some - traffic rejected under norfc1918 will not traverse the - accounting chain. +
+ Accounting Basics - The columns in the accounting file are as follows: + Shorewall accounting rules are described in the file + /etc/shorewall/accounting. By default, the accounting rules are placed in + a chain called accounting and can thus be displayed using + shorewall[-lite] show accounting. All traffic passing into, + out of, or through the firewall traverses the accounting chain including + traffic that will later be rejected by interface options such as + tcpflags and maclist. If your kernel doesn't + support the connection tracking match extension (Kernel 2.4.21) then some + traffic rejected under norfc1918 will not traverse the + accounting chain. - - - ACTION - What to do when a match - is found. Possible values are: + The columns in the accounting file are as follows: - - - COUNT- Simply count the match and continue trying to match the - packet with the following accounting rules - + + + ACTION - What to do when a + match is found. Possible values are: - - DONE- Count the match and don't attempt to match any following - accounting rules. - + + + COUNT- Simply count the match and continue trying to match + the packet with the following accounting rules + - - <chain> - The name of a chain to - jump to. Shorewall will create the chain automatically. If the name - of the chain is followed by :COUNT then a COUNT rule - matching this rule will automatically be added to <chain>. - Chain names must start with a letter, must be composed of letters - and digits, and may contain underscores (_) and - periods (.). Beginning with Shorewall version 1.4.8, - chain names may also contain embedded dashes (-) and - are not required to start with a letter. - - - + + DONE- Count the match and don't attempt to match any + following accounting rules. + - - CHAIN - The name of the chain - where the accounting rule is to be added. If empty or - - then the accounting chain is assumed. - + + <chain> - The name of a chain to + jump to. Shorewall will create the chain automatically. If the + name of the chain is followed by :COUNT then a + COUNT rule matching this rule will automatically be added to + <chain>. Chain names must start with a letter, must be + composed of letters and digits, and may contain underscores + (_) and periods (.). Beginning with + Shorewall version 1.4.8, chain names may also contain embedded + dashes (-) and are not required to start with a + letter. + + + - - SOURCE - Packet Source. The name - of an interface, an address (host or net), or an interface name followed - by : and a host or net address. - + + CHAIN - The name of the chain + where the accounting rule is to be added. If empty or - + then the accounting chain is assumed (see below for exceptions). + - - DESTINATION - Packet Destination - Format the same as the SOURCE column. - + + SOURCE - Packet Source. The + name of an interface, an address (host or net), or an interface name + followed by : and a host or net address. + - - PROTOCOL - A protocol name (from - /etc/protocols), a protocol number or "ipp2p". For - "ipp2p", your kernel and iptables must have ipp2p match support from - Netfilter - Patch_o_matic_ng. - + + DESTINATION - Packet + Destination Format the same as the SOURCE column. + - - DEST PORT - Destination Port - number. Service name from /etc/services or port - number. May only be specified if the protocol is TCP or UDP (6 or 17). - If the PROTOCOL is "ipp2p", then this column is interpreted as an ipp2p - option without the leading "--" (default "ipp2p"). For a list of value - ipp2p options, as root type iptables -m ipp2p - --help. - + + PROTOCOL - A protocol name + (from /etc/protocols), a protocol number or + "ipp2p". For "ipp2p", your kernel and iptables must have ipp2p match + support from Netfilter + Patch_o_matic_ng. + - - SOURCE PORT- Source Port number. - Service name from /etc/services or port number. May only be specified if - the protocol is TCP or UDP (6 or 17). - + + DEST PORT - Destination Port + number. Service name from /etc/services or port + number. May only be specified if the protocol is TCP or UDP (6 or 17). + If the PROTOCOL is "ipp2p", then this column is interpreted as an + ipp2p option without the leading "--" (default "ipp2p"). For a list of + value ipp2p options, as root type iptables -m ipp2p + --help. + - - USER/GROUP - This column may only - be non-empty if the CHAIN is OUTPUT. The column may contain: + + SOURCE PORT- Source Port + number. Service name from /etc/services or port number. May only be + specified if the protocol is TCP or UDP (6 or 17). + - [!][<user name or number>][:<group name or number>][+<program name>] + + USER/GROUP - This column may + only be non-empty if the CHAIN is OUTPUT. The column may + contain: - When this column is non-empty, the rule applies only if the - program generating the output is running under the effective - <user> and/or <group> specified (or is NOT running under - that id if "!" is given). + [!][<user name or number>][:<group name or number>][+<program name>] - Examples: + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + <user> and/or <group> specified (or is NOT running under + that id if "!" is given). - - joe #program must be run by joe + Examples: - :kids #program must be run by a member of the 'kids' - group. + + joe #program must be run by joe - !:kids #program must not be run by a member of the 'kids' - group + :kids #program must be run by a member of the 'kids' + group. - +upnpd #program named upnpd (This feature was removed from - Netfilter in kernel version 2.6.14). - - - + !:kids #program must not be run by a member of the 'kids' + group - In all columns except ACTION and CHAIN, the values - -,any and all are treated as - wild-cards. + +upnpd #program named upnpd (This feature was removed from + Netfilter in kernel version 2.6.14). + + + - The accounting rules are evaluated in the Netfilter - filter table. This is the same environment where the - rules file rules are evaluated and in this environment, DNAT - has already occurred in inbound packets and SNAT has not yet occurred on - outbound ones. + In all columns except ACTION and CHAIN, the values + -,any and all are treated as + wild-cards. - Accounting rules are not stateful -- each rule only handles traffic in - one direction. For example, if eth0 is your internet interface, and you have - a web server in your DMZ connected to eth1, then to count HTTP traffic in - both directions requires two rules: + The accounting rules are evaluated in the Netfilter + filter table. This is the same environment where the + rules file rules are evaluated and in this environment, + DNAT has already occurred in inbound packets and SNAT has not yet occurred + on outbound ones. - #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE + Accounting rules are not stateful -- each rule only handles traffic + in one direction. For example, if eth0 is your internet interface, and you + have a web server in your DMZ connected to eth1, then to count HTTP + traffic in both directions requires two rules: + + #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE # PORT PORT DONE - eth0 eth1 tcp 80 DONE - eth1 eth0 tcp - 80 - Associating a counter with a chain allows for nice reporting. For - example: + Associating a counter with a chain allows for nice reporting. For + example: - #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE + #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE # PORT PORT web:COUNT - eth0 eth1 tcp 80 web:COUNT - eth1 eth0 tcp - 80 @@ -184,11 +190,11 @@ web:COUNT - eth1 eth0 tcp - 443 DONE web - Now shorewall show web (or "shorewall-lite show web" - for Shorewall Lite users) will give you a breakdown of your web - traffic: + Now shorewall show web (or "shorewall-lite show web" + for Shorewall Lite users) will give you a breakdown of your web + traffic: - [root@gateway shorewall]# shorewall show web + [root@gateway shorewall]# shorewall show web Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003 Counters reset Wed Aug 20 09:48:00 PDT 2003 @@ -202,9 +208,9 @@ 29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 [root@gateway shorewall]# - Here is a slightly different example: + Here is a slightly different example: - #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE + #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE # PORT PORT web - eth0 eth1 tcp 80 web - eth1 eth0 tcp - 80 @@ -213,11 +219,11 @@ COUNT web eth0 eth1 COUNT web eth1 eth0 - Now shorewall show web (or "shorewall-lite show web" - for Shorewall Lite users) simply gives you a breakdown by input and - output: + Now shorewall show web (or "shorewall-lite show web" + for Shorewall Lite users) simply gives you a breakdown by input and + output: - [root@gateway shorewall]# shorewall show accounting web + [root@gateway shorewall]# shorewall show accounting web Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003 Counters reset Wed Aug 20 10:24:33 PDT 2003 @@ -225,7 +231,9 @@ Chain accounting (3 references) pkts bytes target prot opt in out source destination 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 - 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 + 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 + + 11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443 @@ -235,16 +243,16 @@ 11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 [root@gateway shorewall]# - Here's how the same example would be constructed on an HTTP server - with only one interface (eth0). + Here's how the same example would be constructed on an HTTP server + with only one interface (eth0). - - READ THE ABOVE CAREFULLY -- IT SAYS SERVER. If you want to account for web browsing, - you have to reverse the rules below. - + + READ THE ABOVE CAREFULLY -- IT SAYS SERVER. If you want to account for web browsing, + you have to reverse the rules below. + - #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE + #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE # PORT PORT web - eth0 - tcp 80 web - - eth0 tcp - 80 @@ -253,12 +261,12 @@ COUNT web eth0 COUNT web - eth0 - Note that with only one interface, only the SOURCE (for input rules) - or the DESTINATION (for output rules) is specified in each rule. + Note that with only one interface, only the SOURCE (for input rules) + or the DESTINATION (for output rules) is specified in each rule. - Here's the output: + Here's the output: - [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7 + [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003 Counters reset Sat Oct 11 08:12:57 PDT 2003 @@ -276,7 +284,54 @@ 11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0 [root@mail shorewall]# - For an example of integrating Shorewall Accounting with MRTG, see - http://www.nightbrawler.com/code/shorewall-stats/. + For an example of integrating Shorewall Accounting with MRTG, see + http://www.nightbrawler.com/code/shorewall-stats/. +
+ +
+ Accounting with Bridges + + The structure of the accounting rules changes slightly when there + are bridges defined in the + Shorewall configuration. Because of the restrictions imposed by Netfilter + in kernel 2.6.21 and later, output accounting rules must be segregated + from forwarding and input rules. To accomplish this separation, + Shorewall-perl creates two accounting chains: + + + + accounting - for input and + forwarded traffic. + + + + accountout - for output + traffic. + + + + If the CHAIN column contains '-', then: + + + + If the SOURCE column in a rule includes the name of the firewall + zone (e.g., $FW), then the default chain to insert the rule into is + accountout only. + + + + Otherwise, if the DEST in the rule is any or all or + 0.0.0.0/0, then the rule is added to both accounting and accountout. + + + + Otherwise, the rule is added to accounting only. + + +
\ No newline at end of file