[Shorewall-users] SHorewall and Accounting Scripts

Tom Eastep teastep@shorewall.net
Tue, 23 Apr 2002 06:34:36 -0700 (PDT)


On Tue, 23 Apr 2002, John Leach wrote:

> Hi,
> 
> I've also been looking at iam.
> 
> It seems to me that this dump needs to be run from cron every few hours, so 
> the shorewall start file is not the place for it.
> Probably need to create a shell script containing those few lines and execute 
> that from cron.
> 
> On a more general note my assessment on using iam is that to get analysis by 
> ip address range requires setting up entries in the hosts file for the 
> different ip address ranges where accounting is required.
> 

No -- don't do that; see below

> Accounting by port seems to be impossible (please correct me anyone if I am 
> wrong) because most of the traffic comes through as a single 
> "RELATED,ESTABLISHED'  byte count for a zone2zone chain; and is not broken 
> down by port.

Yes -- that's what stateful firewalls do.

> If anyone understands what I am talking about and can suggest a work around I 
> would be grateful.

In /etc/shorewall/start:

	run_iptables -N account
	<add all of your CPU-eating accounting rules here>
	for chain in INPUT OUTPUT FORWARD do
		run_iptables -I $chain -j account
        done

The accounting rules should NOT have a target and you should use 
'run_iptables' rather than running iptables directly.

Example:

	run_iptables -A account -p tcp --dport 80

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net