diff --git a/Shorewall-docs/Accounting.html b/Shorewall-docs/Accounting.html
new file mode 100755
index 000000000..5577681ec
--- /dev/null
+++ b/Shorewall-docs/Accounting.html
@@ -0,0 +1,118 @@
+
+
+
+
+
+
+
+ Shorewall Accounting
+
+
+
+Shorewall and Traffic Accounting
+
+Shorewall Traffic Accounting support was added in Shorewall release
+1.4.7.
+
+Shorewall accounting rules are described in the file
+/etc/shorewall/accounting. By default, the accounting rules are placed
+in a chain called "accounting" and can thus be displayed using
+"shorewall show accounting". All traffic passing into, out of or
+through the firewall traverses the accounting chain including traffic
+that will later be rejected by interface
+options such as "tcpflags" and "maclist". If your kernel doesn't
+support the connection tracking match extension (Kernel 2.4.21) then
+some traffic rejected under 'norfc1918' will not traverse the
+accounting chain.
+
+The columns in the accounting file are as follows:
+
+ - ACTION - What to do when
+a
+match is found. Possible values are:
+
+ - COUNT- Simply count the match and continue trying to
+match the
+packet with the following accounting rules
+ - DONE- Count the match and don't attempt to match any following
+accounting rules.
+ - <chain> - The
+name of a chain to jump to. Shorewall will create the chain
+automatically. If the name of the chain is followed by ":COUNT" then a
+COUNT rule matching this rule will automatically be added to <chain>. Chain names must start
+with a letter, must be composed of letters and digits, and may contain
+underscores ("_") and periods ("."). Beginning with Shorewall version
+1.4.8, chain names man also contain embedded dashes ("-") and are not
+required to start with a letter.
+
+
+ - CHAIN - The name of the
+chain where the accounting rule is to be added. If empty or "-" then
+the
+"accounting" chain is assumed.
+
+ - SOURCE - Packet Source.
+The name of an interface, an address (host or net) or an interface name
+followed by ":" and a host or net address.
+ - DESTINATION - Packet
+Destination Format the same as the SOURCE column.
+ - PROTOCOL - A protocol
+name
+(from /etc/protocols) or a protocol number.
+ - DEST PORT - Destination
+Port number. Service name from /etc/services or port number. May only
+be
+specified if the protocol is TCP or UDP (6 or 17).
+ - SOURCE PORT- Source Port
+number. Service name from /etc/services or port number. May only be
+specified if the protocol is TCP or UDP (6 or 17).
+
+
+In all columns except ACTION and CHAIN, the values "-","any" and "all"
+are treated as wild-cards.
+
+The accounting rules are evaluated in the Netfilter 'filter' table.
+This is the same environment where the 'rules' file rules are evaluated
+and in this environment, DNAT has already occurred in inbound packets
+and SNAT has not yet occurred on outbound ones.
+
+Accounting rules are not stateful -- each rule only handles traffic in
+one direction. For example, if eth0 is your internet interface and you
+have a web server in your DMZ connected to eth1 then to count HTTP
+traffic in both directions requires two rules:
+ #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80
+Associating a counter with a chain allows for nice reporting. For
+example:
+ #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
web:COUNT - eth1 eth0 tcp - 443
DONE web
+Now "shorewall show web" will give you a breakdown of your web traffic:
+
+
[root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
Counters reset Wed Aug 20 09:48:00 PDT 2003
Chain web (4 references)
pkts bytes target prot opt in out source destination
11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
+
+ #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
web - eth1 eth0 tcp - 443
COUNT web eth0 eth1
COUNT web eth1 eth0
+Now "shorewall show web" simply gives you a breakdown by input and
+output:
+
+[root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
Counters reset Wed Aug 20 10:24:33 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
+Here's how the same example would be constructed on an HTTP server
+(READ THAT FOLKS -- IT SAYS SERVER. If you want to
+account for web browsing, you have to reverse the rules below) with
+only
+one interface (eth0):
+#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443
COUNT web eth0 -
COUNT web - eth0
+Note that with only one interface, only the SOURCE (for input rules) or
+the DESTINATION (for output rules) is specified in each rule.
+
+Here's the output:
+[root@mail shorewall]# shorewall show accounting web
Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#
+Last updated 12/06/2003 - Tom Eastep
+Copyright
+© 2003 Thomas M. Eastep.
+
+
+
+
diff --git a/Shorewall-docs/User_defined_Actions.html b/Shorewall-docs/User_defined_Actions.html
new file mode 100755
index 000000000..8a0ebb564
--- /dev/null
+++ b/Shorewall-docs/User_defined_Actions.html
@@ -0,0 +1,117 @@
+
+
+
+
+ User-defined Actions
+
+
+
+User-defined Actions
+
+Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were
+limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.).
+Beginning with Shorewall version 1.4.9, users may use sequences of
+these elementary operations to define more complex actions.
+
+To define a new action:
+
+ - Add a line to /etc/shorewall/actions that names your new action.
+Action names must be valid shell variable names as well as valid
+Netfilter chain names. It is recommended that the name you select for a
+new action begins with with a capital letter; that way, the name won't
+conflict with a Shorewall-defined chain name.
+
+ - Once you have defined your new action name (ActionName), then
+copy /etc/shorewall/action.template to /etc/shorewall/action.ActionName
+(for example, if your new action name is "Foo" then copy
+/etc/shorewall/action.template to /etc/shorewall/action.foo).
+ - Now modify the new file to define the new action.
+
+Columns in the action.template file are as follows.
+
+
+ - TARGET - Must be ACCEPT, DROP, REJECT, LOG, QUEUE or
+<action> where <action> is a previously-defined action. The
+TARGET may optionally be followed by a colon (":") and a syslog log
+level (e.g, REJECT:info or ACCEPT:debugging). This causes the packet to
+be logged at the specified level. You may also specify ULOG (must be in
+upper case) as a log level.This will log to the ULOG target for routing
+to a separate log through use of ulogd
+(http://www.gnumonks.org/projects/ulogd).
+
+
+ - SOURCE - Source hosts to which the rule applies. A
+comma-separated list of subnets and/or hosts. Hosts may be specified by
+IP or MAC address; mac addresses must begin with "~" and must use "-"
+as a separator.
+
+Alternatively, clients may be specified by interface name. For example,
+eth1 specifies a client that communicates with the firewall system
+through eth1. This may be optionally followed by another colon (":")
+and an IP/MAC/subnet address as described above (e.g.,
+eth1:192.168.1.5).
+
+
+ - DEST - Location of Server. Same as above with the exception that
+MAC addresses are not allowed.
+
+Unlike in the SOURCE column, you may specify a range of up to 256 IP
+addresses using the syntax <first
+ip>-<last ip>.
+
+
+ - PROTO - Protocol - Must be "tcp", "udp", "icmp", a number, or
+"all".
+
+
+ - DEST PORT(S) - Destination Ports. A comma-separated list of Port
+names (from /etc/services), port numbers or port ranges; if the
+protocol is "icmp", this column is interpreted as the destination
+icmp-type(s).
+
+A port range is expressed as <low
+port>:<high port>.
+
+This column is ignored if PROTOCOL = all but must be entered if any of
+the following ields are supplied. In that case, it is suggested that
+this field contain "-".
+
+If your kernel contains multi-port match support, then only a single
+Netfilter rule will be generated if in this list and the CLIENT PORT(S)
+list below:
+1. There are 15 or less ports listed.
+2. No port ranges are included.
+Otherwise, a separate rule will be generated for each port.
+
+
+ - RATE LIMIT - You may rate-limit the rule by placing a value in
+this columN:
+
+
+<rate>/<interval>[:<burst>]
+
+where <rate> is the number of connections per <interval>
+("sec" or "min") and <burst> is the largest burst permitted. If
+no <burst> is given, a value of 5 is assumed. There may be no
+whitespace embedded in the specification.
+
+
+Example: 10/sec:20
+
+Example:
+
+/etc/shorewall/actions:
+
+LogAndAccept
+
+/etc/shorewall/action.LogAndAccept
+
+LOG:info
+ACCEPT
+Last Updated 12/09/2003 - Tom Eastep
+Copyright
+© 2001, 2002, 2003 Thomas M. Eastep.
+
+