diff --git a/Shorewall-docs/Accounting.xml b/Shorewall-docs/Accounting.xml index fb9f0c0bb..cfc7ea3c1 100755 --- a/Shorewall-docs/Accounting.xml +++ b/Shorewall-docs/Accounting.xml @@ -2,6 +2,8 @@
+ + Shorewall Traffic Accounting @@ -26,8 +28,8 @@ document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. @@ -36,13 +38,14 @@ Shorewall accounting rules are described in the file /etc/shorewall/accounting. By default, the accounting rules are placed in a - chain called "accounting" and can thus be displayed using - "shorewall show accounting". All traffic passing into, out of or - through the firewall traverses the accounting chain including traffic that - will later be rejected by interface options such as "tcpflags" and - "maclist". If your kernel doesn't support the connection - tracking match extension (Kernel 2.4.21) then some traffic rejected under - 'norfc1918' will not traverse the accounting chain. + chain called accounting and can thus be displayed using + shorewall show accounting. All traffic passing into, out of + or through the firewall traverses the accounting chain including traffic + that will later be rejected by interface options such as tcpflags + and maclist. If your kernel doesn't support the + connection tracking match extension (Kernel 2.4.21) then some traffic + rejected under norfc1918 will not traverse the accounting + chain. The columns in the accounting file are as follows: 
@@ -54,75 +57,75 @@ COUNT- Simply count the match and continue trying to match the - packet with the following accounting rules + packet with the following accounting rules DONE- Count the match and don't attempt to match any - following accounting rules. + following accounting rules. <chain> - The name of a chain to jump to. Shorewall will create the chain automatically. If the name - of the chain is followed by ":COUNT" then a COUNT rule + of the chain is followed by :COUNT then a COUNT rule matching this rule will automatically be added to <chain>. Chain names must start with a letter, must be composed of letters - and digits, and may contain underscores ("_") and periods - ("."). Beginning with Shorewall version 1.4.8, chain names - man also contain embedded dashes ("-") and are not required - to start with a letter. + and digits, and may contain underscores (_) and + periods (.). Beginning with Shorewall version 1.4.8, + chain names man also contain embedded dashes (-) and + are not required to start with a letter. CHAIN - The name of the chain - where the accounting rule is to be added. If empty or "-" then - the "accounting" chain is assumed. + where the accounting rule is to be added. If empty or - + then the accounting chain is assumed. SOURCE - Packet Source. The name of an interface, an address (host or net) or an interface name followed - by ":" and a host or net address. + by : and a host or net address. DESTINATION - Packet Destination - Format the same as the SOURCE column. + Format the same as the SOURCE column. PROTOCOL - A protocol name (from - /etc/protocols) or a protocol number. + /etc/protocols) or a protocol number. DEST PORT - Destination Port number. Service name from /etc/services or port number. May only be - specified if the protocol is TCP or UDP (6 or 17). + specified if the protocol is TCP or UDP (6 or 17). - SOURCE PORT- Source Port number. + SOURCE PORT- Source Port number. Service name from /etc/services or port number. 
May only be specified if the protocol is TCP or UDP (6 or 17). - In all columns except ACTION and CHAIN, the values - "-","any" and "all" are treated as wild-cards. + In all columns except ACTION and CHAIN, the values -,any + and all are treated as wild-cards. - The accounting rules are evaluated in the Netfilter 'filter' - table. This is the same environment where the 'rules' file rules are - evaluated and in this environment, DNAT has already occurred in inbound - packets and SNAT has not yet occurred on outbound ones. + The accounting rules are evaluated in the Netfilter filter + table. This is the same environment where the rules file + rules are evaluated and in this environment, DNAT has already occurred in + inbound packets and SNAT has not yet occurred on outbound ones. Accounting rules are not stateful -- each rule only handles traffic in one direction. For example, if eth0 is your internet interface and you have a web server in your DMZ connected to eth1 then to count HTTP traffic in - both directions requires two rules: + both directions requires two rules: #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE # PORT PORT @@ -140,8 +143,8 @@ web:COUNT - eth1 eth0 tcp - 443 DONE web - Now "shorewall show web" will give you a breakdown of your web - traffic: + Now shorewall show web will give you a breakdown of + your web traffic: [root@gateway shorewall]# shorewall show web Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003 @@ -168,8 +171,8 @@ COUNT web eth0 eth1 COUNT web eth1 eth0 - Now "shorewall show web" simply gives you a breakdown by input - and output: + Now shorewall show web simply gives you a breakdown by + input and output: [root@gateway shorewall]# shorewall show accounting web Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
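Review bot: the index line in the file header shows Shorewall-docs/Accounting.xml carried with mode 100755; a DocBook source file has no reason to be executable, so this commit (which already touches the file) is a good place to drop the execute bit, with a `chmod -x Shorewall-docs/Accounting.xml` folded in so the mode reads 100644.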
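Review bot: in the @@ -36,13 +38,14 @@ hunk the rewritten sentence "If your kernel doesn't support the connection tracking match extension (Kernel 2.4.21) then some traffic rejected under norfc1918 will not traverse the accounting chain" keeps the ambiguous parenthetical from the old text: it does not say whether 2.4.21 is the kernel that lacks the extension or the first one that has it. Since the hunk is already rewording this paragraph, state it explicitly, for example "(kernels before 2.4.21 lack it)" or whichever direction is correct, so readers know which side of the cutoff they are on.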
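Review bot: the @@ -54,75 +57,75 @@ hunk copies the existing typo "chain names man also contain embedded dashes" into the new line unchanged ("+ chain names man also contain embedded dashes (-) and"); it should read "may". In the same hunk the wild-card sentence loses its spacing once the quotation marks are removed, leaving "+ In all columns except ACTION and CHAIN, the values -,any" with the comma jammed against the dash; put a space after the comma ("-, any and all") so the three literal values stay distinguishable. The paragraph also still says chain names "must start with a letter" and then that since 1.4.8 they "are not required to start with a letter"; leading with the current rule and noting the pre-1.4.8 restriction afterwards would read less contradictory.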
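Review bot: in the @@ -168,8 +171,8 @@ hunk the reworded prose says "Now shorewall show web simply gives you a breakdown by input and output", but the transcript that follows runs "shorewall show accounting web" and its header reads "Chains accounting web", so the command in the sentence does not match the command in the example. Either change the prose to "shorewall show accounting web" or trim the transcript to the single chain the text names.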