Date:      Fri, 9 May 2003 10:15:15 +0000
From:      Philip Reynolds <philip.reynolds@rfc-networks.ie>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Counting rules
Message-ID:  <20030509101515.GA5791@rfc-networks.ie>
In-Reply-To: <882655426.1052472578528.JavaMail.nobody@app1.ni.bg>
References:  <882655426.1052472578528.JavaMail.nobody@app1.ni.bg>

Evgeny Ivanov <eivanov@abv.bg> 25 lines of wisdom included:
> 
> Hello everyone,
> I have a problem setting up the accounting rules.
> I want to account all incoming and outgoing traffic per each of the stations that are behind the NAT box. The situation is something like this:
> 
> add divert natd all from any to any via rl0 
> add allow all from any to any 
> add count from 192.168.1.10 to any out 
> add count from any to 192.168.1.10 in 
> 
> And the last two rules are not working.
> 
> Can you please tell me what the hell I am missing ? :)) 

the count rules are in the wrong place.

Remember the following:

	The divert rule converts INTERNAL (i.e. 192.168.0.0/24) to
EXTERNAL (i.e. some.ip).

You need the following wrapped around your divert natd rule.

  ipfw add 1000 count ip from ${HOST} to not ${INTERNAL} via rl0 out
  ipfw add 2000 divert natd all from any to any via rl0
  ipfw add 3000 count ip from not ${INTERNAL} to ${HOST} via rl0 in

The first rule counts packets going OUT through the external
interface (``rl0'') to an external network (i.e. not the internal
network) from the host. This has to match before the packet is
NAT'd (or rewritten) because the source address is going to change
once that happens.

Remember, on your NAT interface, traffic leaving for an external
network is rewritten, so rules applying to internal hosts must be
before the NAT translation.

The second rule is your divert natd rule (with an explicit rule
number).

The third rule is your count rule, matching packets from the
external network (once again, this is defined as not the internal
network) to your host coming in through rl0.

I made an assumption that you only want to match packets that leave
your external network. That may not be true, in which case you would
change the "not ${INTERNAL}" of rules 1000 and 3000 to "any".

-- 
Philip Reynolds                      | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie      | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil  | www.rfc-networks.ie
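An added example, not part of the thread: a small Python model of ipfw rule evaluation (it is not ipfw itself; interfaces and protocols are ignored) that walks both rule sets with one outbound and one inbound packet, showing why the outbound count must sit before the divert. The addresses, the rule numbers 100 to 400 for the posted set, and the trailing allow in the wrapped set are assumptions.

```python
# Model of ipfw first-match evaluation with a simplified "divert natd".
# Addresses are constructed (RFC 5737 documentation ranges), not real hosts.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")
HOST = ip_address("192.168.1.10")
PUBLIC = ip_address("203.0.113.5")          # constructed: rl0's public address
ANY = lambda a: True                         # ipfw "any"
IS_HOST = lambda a: a == HOST                # "${HOST}"
NOT_INTERNAL = lambda a: a not in INTERNAL   # "not ${INTERNAL}"

def evaluate(rules, pkt):
    """Walk rules in number order; return {rule_number: hits} for count rules.
    divert natd is modelled as the usual NAT rewrite: an outbound internal
    source becomes PUBLIC, an inbound destination of PUBLIC becomes HOST."""
    pkt, hits = dict(pkt), {}
    for num, action, src_ok, dst_ok, direction in sorted(rules, key=lambda r: r[0]):
        if direction not in (None, pkt["dir"]):
            continue
        if not (src_ok(pkt["src"]) and dst_ok(pkt["dst"])):
            continue
        if action == "count":
            hits[num] = hits.get(num, 0) + 1
        elif action == "divert":
            if pkt["dir"] == "out" and pkt["src"] in INTERNAL:
                pkt["src"] = PUBLIC       # source rewritten: later rules see PUBLIC
            elif pkt["dir"] == "in" and pkt["dst"] == PUBLIC:
                pkt["dst"] = HOST         # destination mapped back to the host
        elif action == "allow":
            break                         # terminating action: later rules never run
    return hits

# Evgeny's order: divert, then a terminating allow, then the count rules.
AS_POSTED = [
    (100, "divert", ANY, ANY, None),
    (200, "allow", ANY, ANY, None),
    (300, "count", IS_HOST, ANY, "out"),
    (400, "count", ANY, IS_HOST, "in"),
]
# Philip's order: outbound count before the divert, inbound count after it.
WRAPPED = [
    (1000, "count", IS_HOST, NOT_INTERNAL, "out"),
    (2000, "divert", ANY, ANY, None),
    (3000, "count", NOT_INTERNAL, IS_HOST, "in"),
    (4000, "allow", ANY, ANY, None),       # assumed: pass everything afterwards
]
OUT_PKT = {"src": HOST, "dst": ip_address("198.51.100.7"), "dir": "out"}
IN_PKT = {"src": ip_address("198.51.100.7"), "dst": PUBLIC, "dir": "in"}

if __name__ == "__main__":
    for name, rs in (("as posted", AS_POSTED), ("wrapped", WRAPPED)):
        print(name, evaluate(rs, OUT_PKT), evaluate(rs, IN_PKT))
```

Dropping the allow from the posted set still leaves the outbound counter at zero, because by the time rule 300 runs the source address is already the public one; only the inbound rule would then match.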

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030509101515.GA5791>