Convert Accounting.html to Docbook XML

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@965 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-26 05:46:58 +00:00
parent 9ee03db521
commit eea857540b
2 changed files with 228 additions and 118 deletions


@ -1,118 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Accounting</title>
<meta name="author" content="Tom Eastep">
</head>
<body>
<h1 style="text-align: center;">Shorewall and Traffic Accounting<br>
</h1>
Shorewall Traffic Accounting support was added in Shorewall release
1.4.7.<br>
<br>
Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed
in a chain called "accounting" and can thus be displayed using
"shorewall show accounting". All traffic passing into, out of or
through the firewall traverses the accounting chain including traffic
that will later be rejected by <a href="Documentation.htm#Interfaces">interface
options</a> such as "tcpflags" and "maclist". If your kernel doesn't
support the connection tracking match extension (Kernel 2.4.21) then
some traffic rejected under 'norfc1918' will not traverse the
accounting chain.<br>
<br>
The columns in the accounting file are as follows:<br>
<ul>
<li><span style="font-weight: bold;">ACTION</span> - What to do when
a
match is found. Possible values are:</li>
<ul>
<li>COUNT- Simply count the match and&nbsp; continue trying to
match the
packet with the following accounting rules</li>
<li>DONE- Count the match and don't attempt to match any following
accounting rules.</li>
<li>&lt;<span style="font-style: italic;">chain</span>&gt; - The
name of a chain to jump to. Shorewall will create the chain
automatically. If the name of the chain is followed by ":COUNT" then a
COUNT rule matching this rule will automatically be added to &lt;<span
style="font-style: italic;">chain</span>&gt;. Chain names must start
with a letter, must be composed of letters and digits, and may contain
underscores ("_") and periods ("."). Beginning with Shorewall version
1.4.8, chain names man also contain embedded dashes ("-") and are not
required to start with a letter.<br>
</li>
</ul>
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
chain where the accounting rule is to be added. If empty or "-" then
the
"accounting" chain is assumed.<br>
</li>
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
The name of an interface, an address (host or net) or an interface name
followed by ":" and a host or net address.</li>
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
Destination Format the same as the SOURCE column.</li>
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol
name
(from /etc/protocols) or a protocol number.</li>
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
Port number. Service name from /etc/services or port number. May only
be
specified if the protocol is TCP or UDP (6 or 17).</li>
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
number. Service name from /etc/services or port number. May only be
specified if the protocol is TCP or UDP (6 or 17).<br>
</li>
</ul>
In all columns except ACTION and CHAIN, the values "-","any" and "all"
are treated as wild-cards.<br>
&nbsp;<br>
The accounting rules are evaluated in the Netfilter 'filter' table.
This is the same environment where the 'rules' file rules are evaluated
and in this environment, DNAT has already occurred in inbound packets
and SNAT has not yet occurred on outbound ones.<br>
&nbsp;<br>
Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you
have a web server in your DMZ connected to eth1 then to count HTTP
traffic in both directions requires two rules:&nbsp;<br>
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
Associating a counter with a chain allows for nice reporting. For
example:<br>
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web:COUNT - eth0 eth1 tcp 80<br> web:COUNT - eth1 eth0 tcp - 80<br> web:COUNT - eth0 eth1 tcp 443<br> web:COUNT - eth1 eth0 tcp - 443<br> DONE web<br></pre>
Now "shorewall show web" will give you a breakdown of your web traffic:<br>
<div style="margin-left: 40px;">
<pre>[root@gateway shorewall]# shorewall show web<br>Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003<br> <br>Counters reset Wed Aug 20 09:48:00 PDT 2003<br> <br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br> 0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br> 29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#</pre>
</div>
Here's a slightly different example:<br>
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> web - eth0 eth1 tcp 80<br> web - eth1 eth0 tcp - 80<br> web - eth0 eth1 tcp 443<br> web - eth1 eth0 tcp - 443<br><br> COUNT web eth0 eth1<br> COUNT web eth1 eth0<br></pre>
Now "shorewall show web" simply gives you a breakdown by input and
output:<br>
<br>
<pre style="margin-left: 40px;">[root@gateway shorewall]# shorewall show accounting web <br>Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003<br> <br>Counters reset Wed Aug 20 10:24:33 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0<br>[root@gateway shorewall]#<br></pre>
Here's how the same example would be constructed on an HTTP server
(READ THAT FOLKS -- IT SAYS <span style="text-decoration: underline;"><span
style="font-weight: bold;">SERVER</span></span>. If you want to
account for web browsing, you have to reverse the rules below) with
only
one interface (eth0):<br>
<pre style="margin-left: 40px;">#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br># PORT PORT<br>web - eth0 - tcp 80<br>web - - eth0 tcp - 80<br>web - eth0 - tcp 443<br>web - - eth0 tcp - 443<br><br>COUNT web eth0 -<br>COUNT web - eth0<br></pre>
Note that with only one interface, only the SOURCE (for input rules) or
the DESTINATION (for output rules) is specified in each rule.<br>
<br>
Here's the output:<br>
<pre style="margin-left: 40px;">[root@mail shorewall]# shorewall show accounting web <br>Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0<br>[root@mail shorewall]#<br></pre>
<p align="left"><font size="2">Last updated 12/06/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

Shorewall-docs/Accounting.xml Executable file

@ -0,0 +1,228 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<articleinfo>
<title>Shorewall Traffic Accounting</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-12-06</pubdate>
<copyright>
<year>2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled &#34;<ulink
url="GnuCopyright.htm">GNU Free Documentation License</ulink>&#34;.</para>
</legalnotice>
</articleinfo>
<para>Shorewall Traffic Accounting support was added in Shorewall release
1.4.7.</para>
<para>Shorewall accounting rules are described in the file
/etc/shorewall/accounting. By default, the accounting rules are placed in a
chain called &#34;accounting&#34; and can thus be displayed using
&#34;shorewall show accounting&#34;. All traffic passing into, out of or
through the firewall traverses the accounting chain including traffic that
will later be rejected by interface options such as &#34;tcpflags&#34; and
&#34;maclist&#34;. If your kernel doesn&#39;t support the connection
tracking match extension (Kernel 2.4.21) then some traffic rejected under
&#39;norfc1918&#39; will not traverse the accounting chain.</para>
<para>The columns in the accounting file are as follows:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">ACTION </emphasis>- What to do when a match
is found. Possible values are:</para>
<itemizedlist>
<listitem>
<para>COUNT- Simply count the match and continue trying to match the
packet with the following accounting rules </para>
</listitem>
<listitem>
<para>DONE- Count the match and don&#39;t attempt to match any
following accounting rules. </para>
</listitem>
<listitem>
<para><emphasis>&#60;chain&#62;</emphasis> - The name of a chain to
jump to. Shorewall will create the chain automatically. If the name
of the chain is followed by &#34;:COUNT&#34; then a COUNT rule
matching this rule will automatically be added to &#60;chain&#62;.
Chain names must start with a letter, must be composed of letters
and digits, and may contain underscores (&#34;_&#34;) and periods
(&#34;.&#34;). Beginning with Shorewall version 1.4.8, chain names
man also contain embedded dashes (&#34;-&#34;) and are not required
to start with a letter.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
where the accounting rule is to be added. If empty or &#34;-&#34; then
the &#34;accounting&#34; chain is assumed.</para>
</listitem>
<listitem>
<para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The name
of an interface, an address (host or net) or an interface name followed
by &#34;:&#34; and a host or net address.</para>
</listitem>
<listitem>
<para><emphasis role="bold">DESTINATION</emphasis> - Packet Destination
Format the same as the SOURCE column. </para>
</listitem>
<listitem>
<para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
/etc/protocols) or a protocol number. </para>
</listitem>
<listitem>
<para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
number. Service name from /etc/services or port number. May only be
specified if the protocol is TCP or UDP (6 or 17). </para>
</listitem>
<listitem>
<para> <emphasis role="bold">SOURCE PORT</emphasis>- Source Port number.
Service name from /etc/services or port number. May only be specified if
the protocol is TCP or UDP (6 or 17).</para>
</listitem>
</itemizedlist>
<para>In all columns except ACTION and CHAIN, the values
&#34;-&#34;,&#34;any&#34; and &#34;all&#34; are treated as wild-cards.</para>
<para>The accounting rules are evaluated in the Netfilter &#39;filter&#39;
table. This is the same environment where the &#39;rules&#39; file rules are
evaluated and in this environment, DNAT has already occurred in inbound
packets and SNAT has not yet occurred on outbound ones.</para>
<para>Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you have
a web server in your DMZ connected to eth1 then to count HTTP traffic in
both directions requires two rules: </para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80</programlisting>
<para>Associating a counter with a chain allows for nice reporting. For
example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
web:COUNT - eth1 eth0 tcp - 443
DONE web</programlisting>
<para>Now &#34;shorewall show web&#34; will give you a breakdown of your web
traffic:</para>
<programlisting> [root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
Counters reset Wed Aug 20 09:48:00 PDT 2003
Chain web (4 references)
pkts bytes target prot opt in out source destination
11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting>
<para>Here is a slightly different example:</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
web - eth1 eth0 tcp - 443
COUNT web eth0 eth1
COUNT web eth1 eth0</programlisting>
<para>Now &#34;shorewall show web&#34; simply gives you a breakdown by input
and output:</para>
<programlisting> [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
Counters reset Wed Aug 20 10:24:33 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#</programlisting>
<para>Here&#39;s how the same example would be constructed on an HTTP server
(READ THAT FOLKS -- IT SAYS <emphasis role="underline">SERVER</emphasis>. If
you want to account for web browsing, you have to reverse the rules below)
with only one interface (eth0):</para>
<programlisting> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443
COUNT web eth0
COUNT web - eth0</programlisting>
<para>Note that with only one interface, only the SOURCE (for input rules)
or the DESTINATION (for output rules) is specified in each rule.</para>
<para>Here&#39;s the output:</para>
<programlisting> [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#</programlisting>
</article>
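Review bot: the conversion drops the cross-reference the HTML carried in the paragraph about interface options (the deleted file linked "interface options" to Documentation.htm#Interfaces); in the paragraph ending "will not traverse the accounting chain" wrap it as `<ulink url="Documentation.htm#Interfaces">interface options</ulink>` so readers can still reach the definitions of "tcpflags", "maclist" and "norfc1918" that the sentence relies on. Two smaller carry-overs in the same hunk: "chain names man also contain embedded dashes" should read "may also contain", and the last programlisting has the version string run onto the command line (`[root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7` followed by `Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003`); the HTML original broke the line after `web`, so `Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003` should sit on its own line, matching the two gateway listings above it.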