Document change to accounting rule structure with bridges

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6692 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-06-28 14:49:55 +00:00
parent aa3eece312
commit 177cb0487f
2 changed files with 212 additions and 135 deletions

View File

@ -209,8 +209,30 @@ Migration Considerations:
/etc/shorewall/hosts /etc/shorewall/hosts
lan eth1:192.168.2.0/24 ... lan eth1:192.168.2.0/24 ...
The structure of the accounting rules changes slightly when
there are bridges defined in the Shorewall
configuration. Because of the restrictions imposed by Netfilter
in kernel 2.6.21 and later, output accounting rules must be
segregated from forwarding and input rules.
To accomplish this separation, Shorewall-perl creates two
accounting chains:
- accounting - for input and forwarded traffic.
- accountout - for output traffic.
If the CHAIN column contains '-', then:
- If the SOURCE column in a rule includes the name of the
firewall zone (e.g., $FW), then the default chain to insert
the rule into is accountout only.
- Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0,
then the rule is added to both accounting and accountout.
- Otherwise, the rule is added to accounting only.
d) The BROADCAST column in the interfaces file is essentially unused; d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will if you enter anything in this column but '-' or 'detect', you will
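Review bot: the first bullet under "If the CHAIN column contains '-'" keys on the SOURCE column including "the name of the firewall zone (e.g., $FW)", but the accounting file's SOURCE column is documented (in Accounting.xml, changed in this same commit) as an interface, an address, or interface:address only; either document $FW as an accepted SOURCE value there or point to where it is accepted. Also use the column's name consistently: these bullets say "DEST" while the file header and the rest of the documentation call the column DESTINATION.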

View File

@ -41,142 +41,148 @@
release</emphasis>.</para> release</emphasis>.</para>
</caution> </caution>
<para>Shorewall accounting rules are described in the file <section id="Basics">
/etc/shorewall/accounting. By default, the accounting rules are placed in a <title>Accounting Basics</title>
chain called <quote>accounting</quote> and can thus be displayed using
<quote>shorewall[-lite] show accounting</quote>. All traffic passing into,
out of, or through the firewall traverses the accounting chain including
traffic that will later be rejected by interface options such as
<quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then some
traffic rejected under <quote>norfc1918</quote> will not traverse the
accounting chain.</para>
<para>The columns in the accounting file are as follows:</para> <para>Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed in
a chain called <quote>accounting</quote> and can thus be displayed using
<quote>shorewall[-lite] show accounting</quote>. All traffic passing into,
out of, or through the firewall traverses the accounting chain including
traffic that will later be rejected by interface options such as
<quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then some
traffic rejected under <quote>norfc1918</quote> will not traverse the
accounting chain.</para>
<itemizedlist> <para>The columns in the accounting file are as follows:</para>
<listitem>
<para><emphasis role="bold">ACTION </emphasis>- What to do when a match
is found. Possible values are:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>COUNT- Simply count the match and continue trying to match the <para><emphasis role="bold">ACTION </emphasis>- What to do when a
packet with the following accounting rules</para> match is found. Possible values are:</para>
</listitem>
<listitem> <itemizedlist>
<para>DONE- Count the match and don't attempt to match any following <listitem>
accounting rules.</para> <para>COUNT- Simply count the match and continue trying to match
</listitem> the packet with the following accounting rules</para>
</listitem>
<listitem> <listitem>
<para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain to <para>DONE- Count the match and don't attempt to match any
jump to. Shorewall will create the chain automatically. If the name following accounting rules.</para>
of the chain is followed by <quote>:COUNT</quote> then a COUNT rule </listitem>
matching this rule will automatically be added to &lt;chain&gt;.
Chain names must start with a letter, must be composed of letters
and digits, and may contain underscores (<quote>_</quote>) and
periods (<quote>.</quote>). Beginning with Shorewall version 1.4.8,
chain names may also contain embedded dashes (<quote>-</quote>) and
are not required to start with a letter.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain <para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain to
where the accounting rule is to be added. If empty or <quote>-</quote> jump to. Shorewall will create the chain automatically. If the
then the <quote>accounting</quote> chain is assumed.</para> name of the chain is followed by <quote>:COUNT</quote> then a
</listitem> COUNT rule matching this rule will automatically be added to
&lt;chain&gt;. Chain names must start with a letter, must be
composed of letters and digits, and may contain underscores
(<quote>_</quote>) and periods (<quote>.</quote>). Beginning with
Shorewall version 1.4.8, chain names may also contain embedded
dashes (<quote>-</quote>) and are not required to start with a
letter.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The name <para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
of an interface, an address (host or net), or an interface name followed where the accounting rule is to be added. If empty or <quote>-</quote>
by <quote>:</quote> and a host or net address.</para> then the <quote>accounting</quote> chain is assumed (see <link
</listitem> linkend="Bridge">below</link> for exceptions).</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">DESTINATION</emphasis> - Packet Destination <para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The
Format the same as the SOURCE column.</para> name of an interface, an address (host or net), or an interface name
</listitem> followed by <quote>:</quote> and a host or net address.</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from <para><emphasis role="bold">DESTINATION</emphasis> - Packet
<filename>/etc/protocols</filename>), a protocol number or "ipp2p". For Destination Format the same as the SOURCE column.</para>
"ipp2p", your kernel and iptables must have ipp2p match support from </listitem>
<ulink url="http://www.netfilter.org">Netfilter
Patch_o_matic_ng</ulink>.</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port <para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
number. Service name from <filename>/etc/services</filename> or port (from <filename>/etc/protocols</filename>), a protocol number or
number. May only be specified if the protocol is TCP or UDP (6 or 17). "ipp2p". For "ipp2p", your kernel and iptables must have ipp2p match
If the PROTOCOL is "ipp2p", then this column is interpreted as an ipp2p support from <ulink url="http://www.netfilter.org">Netfilter
option without the leading "--" (default "ipp2p"). For a list of value Patch_o_matic_ng</ulink>.</para>
ipp2p options, as root type <command>iptables -m ipp2p </listitem>
--help</command>.</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port number. <para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
Service name from /etc/services or port number. May only be specified if number. Service name from <filename>/etc/services</filename> or port
the protocol is TCP or UDP (6 or 17).</para> number. May only be specified if the protocol is TCP or UDP (6 or 17).
</listitem> If the PROTOCOL is "ipp2p", then this column is interpreted as an
ipp2p option without the leading "--" (default "ipp2p"). For a list of
value ipp2p options, as root type <command>iptables -m ipp2p
--help</command>.</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">USER/GROUP</emphasis> - This column may only <para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
be non-empty if the CHAIN is OUTPUT. The column may contain:</para> number. Service name from /etc/services or port number. May only be
specified if the protocol is TCP or UDP (6 or 17).</para>
</listitem>
<programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting> <listitem>
<para><emphasis role="bold">USER/GROUP</emphasis> - This column may
only be non-empty if the CHAIN is OUTPUT. The column may
contain:</para>
<para>When this column is non-empty, the rule applies only if the <programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
program generating the output is running under the effective
&lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
that id if "!" is given).</para>
<para>Examples:</para> <para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
&lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
that id if "!" is given).</para>
<simplelist> <para>Examples:</para>
<member>joe #program must be run by joe</member>
<member>:kids #program must be run by a member of the 'kids' <simplelist>
group.</member> <member>joe #program must be run by joe</member>
<member>!:kids #program must not be run by a member of the 'kids' <member>:kids #program must be run by a member of the 'kids'
group</member> group.</member>
<member>+upnpd #program named upnpd (This feature was removed from <member>!:kids #program must not be run by a member of the 'kids'
Netfilter in kernel version 2.6.14).</member> group</member>
</simplelist>
</listitem>
</itemizedlist>
<para>In all columns except ACTION and CHAIN, the values <member>+upnpd #program named upnpd (This feature was removed from
<quote>-</quote>,<quote>any</quote> and <quote>all</quote> are treated as Netfilter in kernel version 2.6.14).</member>
wild-cards.</para> </simplelist>
</listitem>
</itemizedlist>
<para>The accounting rules are evaluated in the Netfilter <para>In all columns except ACTION and CHAIN, the values
<quote>filter</quote> table. This is the same environment where the <quote>-</quote>,<quote>any</quote> and <quote>all</quote> are treated as
<quote>rules</quote> file rules are evaluated and in this environment, DNAT wild-cards.</para>
has already occurred in inbound packets and SNAT has not yet occurred on
outbound ones.</para>
<para>Accounting rules are not stateful -- each rule only handles traffic in <para>The accounting rules are evaluated in the Netfilter
one direction. For example, if eth0 is your internet interface, and you have <quote>filter</quote> table. This is the same environment where the
a web server in your DMZ connected to eth1, then to count HTTP traffic in <quote>rules</quote> file rules are evaluated and in this environment,
both directions requires two rules:</para> DNAT has already occurred in inbound packets and SNAT has not yet occurred
on outbound ones.</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE <para>Accounting rules are not stateful -- each rule only handles traffic
in one direction. For example, if eth0 is your internet interface, and you
have a web server in your DMZ connected to eth1, then to count HTTP
traffic in both directions requires two rules:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT # PORT PORT
DONE - eth0 eth1 tcp 80 DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting> DONE - eth1 eth0 tcp - 80</programlisting>
<para>Associating a counter with a chain allows for nice reporting. For <para>Associating a counter with a chain allows for nice reporting. For
example:</para> example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE <programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT # PORT PORT
web:COUNT - eth0 eth1 tcp 80 web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80 web:COUNT - eth1 eth0 tcp - 80
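Review bot: nearly all of this hunk is re-indentation from wrapping the existing text in the new <section id="Basics">, which buries the one substantive change, the "(see <link linkend="Bridge">below</link> for exceptions)" added to the CHAIN column description; a whitespace-only commit followed by the content change would make the history reviewable. Also, the USER/GROUP column still says it "may only be non-empty if the CHAIN is OUTPUT"; now that output accounting on bridged configurations defaults to the new accountout chain, say whether USER/GROUP may be used with CHAIN '-' output rules or with accountout.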
@ -184,11 +190,11 @@
web:COUNT - eth1 eth0 tcp - 443 web:COUNT - eth1 eth0 tcp - 443
DONE web</programlisting> DONE web</programlisting>
<para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web" <para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
for Shorewall Lite users) will give you a breakdown of your web for Shorewall Lite users) will give you a breakdown of your web
traffic:</para> traffic:</para>
<programlisting> [root@gateway shorewall]# shorewall show web <programlisting> [root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003 Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
Counters reset Wed Aug 20 09:48:00 PDT 2003 Counters reset Wed Aug 20 09:48:00 PDT 2003
@ -202,9 +208,9 @@
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting> [root@gateway shorewall]#</programlisting>
<para>Here is a slightly different example:</para> <para>Here is a slightly different example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE <programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT # PORT PORT
web - eth0 eth1 tcp 80 web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80 web - eth1 eth0 tcp - 80
@ -213,11 +219,11 @@
COUNT web eth0 eth1 COUNT web eth0 eth1
COUNT web eth1 eth0</programlisting> COUNT web eth1 eth0</programlisting>
<para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web" <para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
for Shorewall Lite users) simply gives you a breakdown by input and for Shorewall Lite users) simply gives you a breakdown by input and
output:</para> output:</para>
<programlisting> [root@gateway shorewall]# shorewall show accounting web <programlisting> [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003 Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
Counters reset Wed Aug 20 10:24:33 PDT 2003 Counters reset Wed Aug 20 10:24:33 PDT 2003
@ -225,7 +231,9 @@
Chain accounting (3 references) Chain accounting (3 references)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443</programlisting>
<programlisting>
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80 11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
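Review bot: the +231,9 side closes the listing right after the "tcp dpt:443" line and immediately opens a new <programlisting>, splitting a single "shorewall show accounting web" output across two elements; this looks like an editor artifact rather than an intended change and will render as two separate blocks with a gap between them. Drop the inserted "</programlisting>" and "<programlisting>" lines so the output stays one listing.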
@ -235,16 +243,16 @@
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting> [root@gateway shorewall]#</programlisting>
<para>Here's how the same example would be constructed on an HTTP server <para>Here's how the same example would be constructed on an HTTP server
with only one interface (eth0).</para> with only one interface (eth0).</para>
<caution> <caution>
<para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis <para>READ THE ABOVE CAREFULLY -- IT SAYS <emphasis
role="bold">SERVER</emphasis>. If you want to account for web browsing, role="bold">SERVER</emphasis>. If you want to account for web browsing,
you have to reverse the rules below.</para> you have to reverse the rules below.</para>
</caution> </caution>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE <programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT # PORT PORT
web - eth0 - tcp 80 web - eth0 - tcp 80
web - - eth0 tcp - 80 web - - eth0 tcp - 80
@ -253,12 +261,12 @@
COUNT web eth0 COUNT web eth0
COUNT web - eth0</programlisting> COUNT web - eth0</programlisting>
<para>Note that with only one interface, only the SOURCE (for input rules) <para>Note that with only one interface, only the SOURCE (for input rules)
or the DESTINATION (for output rules) is specified in each rule.</para> or the DESTINATION (for output rules) is specified in each rule.</para>
<para>Here's the output:</para> <para>Here's the output:</para>
<programlisting> [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7 <programlisting> [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003 Counters reset Sat Oct 11 08:12:57 PDT 2003
@ -276,7 +284,54 @@
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0 11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#</programlisting> [root@mail shorewall]#</programlisting>
<para>For an example of integrating Shorewall Accounting with MRTG, see <para>For an example of integrating Shorewall Accounting with MRTG, see
<ulink <ulink
url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para> url="http://www.nightbrawler.com/code/shorewall-stats/">http://www.nightbrawler.com/code/shorewall-stats/</ulink>.</para>
</section>
<section id="Bridge">
<title>Accounting with Bridges</title>
<para>The structure of the accounting rules changes slightly when there
are <ulink url="bridge-Shorewall-perl.html">bridges</ulink> defined in the
Shorewall configuration. Because of the restrictions imposed by Netfilter
in kernel 2.6.21 and later, output accounting rules must be segregated
from forwarding and input rules. To accomplish this separation,
Shorewall-perl creates two accounting chains:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">accounting</emphasis> - for input and
forwarded traffic.</para>
</listitem>
<listitem>
<para><emphasis role="bold">accountout</emphasis> - for output
traffic.</para>
</listitem>
</itemizedlist>
<para>If the CHAIN column contains '-', then:</para>
<itemizedlist>
<listitem>
<para>If the SOURCE column in a rule includes the name of the firewall
zone (e.g., $FW), then the default chain to insert the rule into is
<emphasis role="bold">accountout</emphasis> only.</para>
</listitem>
<listitem>
<para>Otherwise, if the DEST in the rule is <emphasis
role="bold">any</emphasis> or <emphasis role="bold">all</emphasis> or
0.0.0.0/0, then the rule is added to both <emphasis
role="bold">accounting</emphasis> and <emphasis
role="bold">accountout</emphasis>.</para>
</listitem>
<listitem>
<para>Otherwise, the rule is added to <emphasis
role="bold">accounting</emphasis> only.</para>
</listitem>
</itemizedlist>
</section>
</article> </article>
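Review bot: the chain-selection rules leave a gap for the most common wildcard: the column description earlier in this file treats "-", "any" and "all" alike, but the second bullet lists only any, all and 0.0.0.0/0 for DEST, so it is unclear whether a rule with DEST "-" (or an empty DEST) is added to both chains or to accounting only; state which. Spell out the consequence of the third bullet as well: a rule with a specific DEST and no $FW in SOURCE, such as the one-interface server example "web - - eth0 tcp - 80" earlier in this file, lands in accounting only, so on a bridged configuration it stops counting output traffic unless CHAIN is set explicitly, and the examples should say so. Finally, "If the CHAIN column contains '-'" should match the CHAIN column description, which says "empty or '-'".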