From 8e54f478168030099d1fea655ce41d0d17a3878a Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 13 Dec 2003 18:13:49 +0000 Subject: [PATCH] Add new files git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@843 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/Accounting.html | 118 +++++++++++++++++++++++ Shorewall-docs/User_defined_Actions.html | 117 ++++++++++++++++++++++ 2 files changed, 235 insertions(+) create mode 100755 Shorewall-docs/Accounting.html create mode 100755 Shorewall-docs/User_defined_Actions.html diff --git a/Shorewall-docs/Accounting.html b/Shorewall-docs/Accounting.html new file mode 100755 index 000000000..5577681ec --- /dev/null +++ b/Shorewall-docs/Accounting.html @@ -0,0 +1,118 @@ + + + + + + + + Shorewall Accounting + + + +

Shorewall and Traffic Accounting
+

+Shorewall Traffic Accounting support was added in Shorewall release +1.4.7.
+
+Shorewall accounting rules are described in the file +/etc/shorewall/accounting. By default, the accounting rules are placed +in a chain called "accounting" and can thus be displayed using +"shorewall show accounting". All traffic passing into, out of or +through the firewall traverses the accounting chain including traffic +that will later be rejected by interface +options such as "tcpflags" and "maclist". If your kernel doesn't +support the connection tracking match extension (Kernel 2.4.21) then +some traffic rejected under 'norfc1918' will not traverse the +accounting chain.
+
+The columns in the accounting file are as follows:
+ +In all columns except ACTION and CHAIN, the values "-","any" and "all" +are treated as wild-cards.

+The accounting rules are evaluated in the Netfilter 'filter' table. +This is the same environment where the 'rules' file rules are evaluated +and in this environment, DNAT has already occurred in inbound packets +and SNAT has not yet occurred on outbound ones.

+Accounting rules are not stateful -- each rule only handles traffic in +one direction. For example, if eth0 is your internet interface and you +have a web server in your DMZ connected to eth1 then to count HTTP +traffic in both directions requires two rules: 
+
	#ACTION	CHAIN	SOURCE	DESTINATION	PROTOCOL	DEST		SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80
+Associating a counter with a chain allows for nice reporting. For +example:
+
	#ACTION		CHAIN	SOURCE	DESTINATION	PROTOCOL	DEST		SOURCE
# PORT PORT
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
web:COUNT - eth0 eth1 tcp 443
web:COUNT - eth1 eth0 tcp - 443
DONE web
+Now "shorewall show web" will give you a breakdown of your web traffic:
+
+
[root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003

Counters reset Wed Aug 20 09:48:00 PDT 2003

Chain web (4 references)
pkts bytes target prot opt in out source destination
11 1335 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
18 1962 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
+
+Here's a slightly different example:
+
	#ACTION		CHAIN	SOURCE	DESTINATION	PROTOCOL	DEST		SOURCE
# PORT PORT
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
web - eth0 eth1 tcp 443
web - eth1 eth0 tcp - 443

COUNT web eth0 eth1
COUNT web eth1 eth0
+Now "shorewall show web" simply gives you a breakdown by input and +output:
+
+
[root@gateway shorewall]# shorewall show accounting web 
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003

Counters reset Wed Aug 20 10:24:33 PDT 2003

Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
+Here's how the same example would be constructed on an HTTP server +(READ THAT FOLKS -- IT SAYS SERVER. If you want to +account for web browsing, you have to reverse the rules below) with +only +one interface (eth0):
+
#ACTION		CHAIN	SOURCE	DESTINATION	PROTOCOL	DEST		SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
web - eth0 - tcp 443
web - - eth0 tcp - 443

COUNT web eth0 -
COUNT web - eth0
+Note that with only one interface, only the SOURCE (for input rules) or +the DESTINATION (for output rules) is specified in each rule.
+
+Here's the output:
+
[root@mail shorewall]# shorewall show accounting web 
Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003

Counters reset Sat Oct 11 08:12:57 PDT 2003

Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
Chain web (4 references)
pkts bytes target prot opt in out source destination
8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#
+

Last updated 12/06/2003 - Tom Eastep

+

Copyright2003 Thomas M. Eastep.

+
+
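Review bot: The sentence introducing the second chain example says that "shorewall show web" gives the breakdown by input and output, but the transcript directly under it runs "shorewall show accounting web" and prints both the accounting and web chains. Name the command that is actually shown, or trim the transcript to the web chain so the two agree. Two smaller points in the same file: the sample banners read Shorewall-1.4.6-20030821 although the opening paragraph says accounting support was added in release 1.4.7, so a short remark on which build produced that output would help, and the parenthetical "(Kernel 2.4.21)" after "connection tracking match extension" does not say whether 2.4.21 is the first kernel with the extension or the last without it. Both new files are also created with mode 100755; static HTML documentation would normally be committed as 100644.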
+ + diff --git a/Shorewall-docs/User_defined_Actions.html b/Shorewall-docs/User_defined_Actions.html new file mode 100755 index 000000000..8a0ebb564 --- /dev/null +++ b/Shorewall-docs/User_defined_Actions.html @@ -0,0 +1,117 @@ + + + + + User-defined Actions + + + +

User-defined Actions

+
+Prior to Shorewall version 1.4.9, rules in /etc/shorewall/rules were +limited to those defined by Netfilter (ACCEPT, DROP, REJECT, etc.). +Beginning with Shorewall version 1.4.9, users may use sequences of +these elementary operations to define more complex actions.
+
+To define a new action:
+
    +
  1. Add a line to /etc/shorewall/actions that names your new action. +Action names must be valid shell variable names as well as valid +Netfilter chain names. It is recommended that the name you select for a +new action begins with with a capital letter; that way, the name won't +conflict with a Shorewall-defined chain name.
    +
  2. +
  3. Once you have defined your new action name (ActionName), then +copy /etc/shorewall/action.template to /etc/shorewall/action.ActionName +(for example, if your new action name is "Foo" then copy +/etc/shorewall/action.template to /etc/shorewall/action.foo).
  4. +
  5. Now modify the new file to define the new action.
  6. +
+Columns in the action.template file are as follows.
+
+ +Example:
+
+/etc/shorewall/actions:
+
+LogAndAccept
+
+/etc/shorewall/action.LogAndAccept
+
+LOG:info
+ACCEPT
+

Last Updated 12/09/2003 - Tom Eastep

+Copyright2001, 2002, 2003 Thomas M. Eastep.
+ +
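Review bot: The worked filename in the "Once you have defined your new action name" step contradicts the rule it illustrates: for an action named "Foo" the text says to copy the template to /etc/shorewall/action.foo, while the rule given is /etc/shorewall/action.ActionName and the example further down uses /etc/shorewall/action.LogAndAccept. On a case-sensitive filesystem action.foo and action.Foo are different files, so a reader who follows the example literally ends up with a file whose name does not match the action name; it should read /etc/shorewall/action.Foo. The first step also has a doubled word ("begins with with a capital letter").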