extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-22 21:48:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Accounting: update to new config headers and update to ?SECTION

Browse Source 
Signed-off-by: Tuomo Soini <tis@foobar.fi>
This commit is contained in:
Tuomo Soini 2016-02-13 19:04:07 +02:00
parent f08ec7f44c
commit 704947a1c4
1 changed files with 33 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
docs/Accounting.xml
View File

@ -74,16 +74,14 @@
have a web server in your DMZ connected to eth1, then to count HTTP
traffic in both directions requires two rules:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting>
<para>Associating a counter with a chain allows for nice reporting. For
example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
@ -110,8 +108,7 @@
<para>Here is a slightly different example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
@ -152,8 +149,7 @@
you have to reverse the rules below.</para>
</caution>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
<programlisting> #ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
@ -309,7 +305,7 @@
<para>Section headers have the form:</para>
<para><option>SECTION</option>
<para><option>?SECTION</option>
<replaceable>section-name</replaceable></para>
<para>When sections are enabled:</para>
@ -414,17 +410,17 @@
lives on the firewall itself.</para>
</caution>
<programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC
# PORT(S) PORT(S) GROUP
SECTION INPUT
<programlisting>
#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
?SECTION INPUT
ACCOUNT(fw-net,$FW_NET) - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - COM_IF
SECTION OUTPUT
?SECTION OUTPUT
ACCOUNT(fw-net,$FW_NET) - - COM_IF
ACCOUNT(dmz-net,$DMZ_NET) - - COM_IF
SECTION FORWARD
?SECTION FORWARD
ACCOUNT(loc-net,$INT_NET) - COM_IF INT_IF
ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
</programlisting>
@ -504,7 +500,7 @@ ACCOUNT(loc-net,$INT_NET) - INT_IF COM_IF
is eth1 with network 172.20.1.0/24. To account for all traffic between the
WAN and LAN interfaces:</para>
<programlisting>#ACTION CHAIN SOURCE DEST ...
<programlisting>#ACTION CHAIN SOURCE DEST PROTO DPORT SPORT USER MARK IPSEC
ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0</programlisting>