Date: Fri, 9 May 2003 10:15:15 +0000
From: Philip Reynolds <philip.reynolds@rfc-networks.ie>
To: freebsd-ipfw@freebsd.org
Subject: Re: Counting rules
Message-ID: <20030509101515.GA5791@rfc-networks.ie>
In-Reply-To: <882655426.1052472578528.JavaMail.nobody@app1.ni.bg>
References: <882655426.1052472578528.JavaMail.nobody@app1.ni.bg>
Evgeny Ivanov <eivanov@abv.bg> 25 lines of wisdom included:

> Hello everyone,
> I have a problem setting up the accounting rules.
> I want to account all incoming and outgoing traffic for each of the stations that are behind the NAT box. The situation is something like this:
>
>   add divert natd all from any to any via rl0
>   add allow all from any to any
>   add count from 192.168.1.10 to any out
>   add count from any to 192.168.1.10 in
>
> And the last two rules are not working.
>
> Can you please tell me what the hell I am missing? :))

The count rules are in the wrong place. Remember the following: the divert rule converts INTERNAL (i.e. 192.168.0.0/24) to EXTERNAL (i.e. some.ip).

You need the following wrapped around your divert natd rule:

  ipfw add 1000 count ip from ${HOST} to not ${INTERNAL} via rl0 out
  ipfw add 2000 divert natd all from any to any via rl0
  ipfw add 3000 count ip from not ${INTERNAL} to ${HOST} via rl0 in

The first rule counts packets going OUT through the external interface (``rl0'') to an external network (i.e. not the internal network) from the host. This has to match before the packet is NAT'd (or rewritten), because the source address is going to change once that happens. Remember, on your NAT interface, traffic leaving for an external network is rewritten, so rules applying to internal hosts must be before the NAT translation.

The second rule is your divert natd rule (with an explicit rule number).

The third rule is your count rule, matching packets from the external network (once again, this is defined as not the internal network) to your host coming in through rl0.

I made an assumption that you only want to match packets that leave your external network; that may not be true, in which case you would change the "not ${INTERNAL}" of rules 1000 and 3000 to "any".

-- 
Philip Reynolds                  | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie  | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil | www.rfc-networks.ie
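The ordering Philip describes, carried through to the per-station accounting the original poster asked for, as an added example that is not part of either message on this thread. It is a small sh script that emits the ipfw commands for several internal hosts (outbound count rules numbered below the divert rule, inbound ones above it) and a check that the ordering is right. The interface rl0, the internal network 192.168.1.0/24, the host list and the rule numbers are assumed values; override them through the environment.

```shell
#!/bin/sh
# Added example, not from the original message: generate an ipfw ruleset
# that wraps per-host "count" rules around the "divert natd" rule.
# Assumed values (override via environment): external interface rl0,
# internal net 192.168.1.0/24, two hosts to account for.
EXT_IF="${EXT_IF:-rl0}"
INTERNAL="${INTERNAL:-192.168.1.0/24}"
HOSTS="${HOSTS:-192.168.1.10 192.168.1.11}"

# Print the ruleset, one "ipfw add ..." per line, in the order it must be
# loaded. "count" never terminates the search, so the packet still reaches
# the divert and allow rules afterwards.
gen_rules() {
    n=1000
    # Outbound count rules go BEFORE the divert rule: once natd has
    # rewritten the source address, "from $host" can no longer match.
    for host in $HOSTS; do
        echo "ipfw add $n count ip from $host to not $INTERNAL out via $EXT_IF"
        n=$((n + 10))
    done

    echo "ipfw add 2000 divert natd ip from any to any via $EXT_IF"

    n=3000
    # Inbound count rules go AFTER the divert rule: natd rewrites the
    # destination back to the internal address and re-injects the packet,
    # which resumes matching at the rule following the divert rule.
    for host in $HOSTS; do
        echo "ipfw add $n count ip from not $INTERNAL to $host in via $EXT_IF"
        n=$((n + 10))
    done

    echo "ipfw add 65000 allow ip from any to any"
}

# Sanity check on the generated set: every outbound count rule must be
# numbered below the divert rule (2000) and every inbound one above it.
# Exits 0 when the ordering is correct, 1 otherwise.
check_order() {
    gen_rules | awk '
        /count/ && /out via/ { if (!($3 < 2000)) bad = 1 }
        /count/ && /in via/  { if (!($3 > 2000)) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Load with:   ./gen_ipfw_count.sh | sh      (after "ipfw flush" if needed)
# Then "ipfw -a list" shows the per-rule packet/byte counters and
# "ipfw zero" resets them (e.g. from a nightly accounting job).
check_order && gen_rules
```

Only the two count rules per host carry accounting state; the divert and the final allow are the original poster's own rules, given explicit numbers so the count rules can be placed on either side of the translation point. If you also want to count traffic between internal hosts and the NAT box itself, replace "not $INTERNAL" with "any" as Philip notes.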
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030509101515.GA5791>