IPACCT

Jez Hancock jez.hancock at munk.nu
Tue Dec 9 06:06:53 PST 2003


On Tue, Dec 09, 2003 at 04:20:46PM -0800, Doloonkhuch wrote:
> I want to control users' per-IP accounting. I am now using FreeBSD 5.0 and
> IPFW2. How do I enable IPACCT and how do I configure it?
Just configure your ipfw rules to count traffic for each user on your
system.  I'll include my custom ipfw startup script which I load before
everything else with the name:

/usr/local/etc/rc.d/.000.ipfw.sh 

Note the CHANGE ME lines though. Also note that I DON'T use ipfw for
blocking traffic, instead opting to use ipfilter for that.  If you do
use ipfw for blocking then you could modify this script to do that as
well.

Here's the script:

#!/bin/sh
# script to add ipfw counter rules for users
# in /etc/passwd

# path to ipfw:
fw=/sbin/ipfw
sed=/usr/bin/sed
passwd_file=/etc/passwd
# CHANGE THIS - the address of this host whose traffic is counted:
ip="1.2.3.4"

# allowall rule:
allow_all="$fw -q add 65000 allow all from any to any"

# flush cmd:
flush="$fw -f -q flush"

# $users a list of all users in pw db, one per line:
# CHANGE THIS - THESE ARE THE USERS YOU *DON'T* WANT TO
# LOG TRAFFIC FOR.  The list is built up in a variable (a backslash
# inside single quotes is passed to sed literally, which breaks the
# pattern) and anchored on the ':' that ends the login name, so that
# "bin" does not also drop "bind" and "test" does not drop "tester":
skip='root|toor|daemon|operator|bin|tty|kmem'
skip="$skip|games|news|man|smmsp|bind|uucp|xten|pop|nobody|mysql|sonictown"
skip="$skip|test|www|sshd|ftp|cpimps|administrator|eggshell|cyrus|analog"
users=`$sed -E -e '/^#/d' -e "/^($skip):/d" -e 's/:.*//' $passwd_file`

startfw () {
	# Flush the current rules:
	$flush

	# for each user, create a rule:
	#   rule 1 = inbound to $ip, rule 2 = outbound from $ip,
	#   rule 3 = everything for that uid (ipfw allows several
	#   rules to share a number)
	for user in $users
	do
		$fw add 1 count all from any to $ip uid $user
		$fw add 2 count all from $ip to any uid $user
		$fw add 3 count all from any to any uid $user
	done

	# add counters for all traffic:
	$fw add 4 count all from any to $ip
	$fw add 5 count all from $ip to any
	$fw add 6 count all from any to any

	# add counters for dns and http:
#	$fw add 7 count all from any to $ip 53
#	$fw add 8 count all from any to $ip 80

	# make sure we allow all:
	$allow_all

	# no restriction on our block (a bandwidth of 0 means
	# unlimited in dummynet):
	$fw add 10 pipe 10 ip from any to 213.152.51.194/29
	$fw pipe 10 config bw 0

	$fw add 11 pipe 11 ip from 213.152.51.194/29 to any
	$fw pipe 11 config bw 0

	# add a bandwidth restriction on http:
	$fw add 20 pipe 20 tcp from any 80 to any out
	$fw pipe 20 config bw 25KByte/s

	# add a bandwidth restriction on ftp:
#	$fw add 12 pipe 2 tcp from any to any 20 in
#	$fw pipe 2 config bw 20Kbit/s

	# and zero all rules:
	$fw zero

	echo "ipfw accounting rules added... "
}

case "$1" in
	stop)
		$flush
		$allow_all
		$fw -q zero
		echo "ipfw accounting rules flushed..."
		;;
	start)
		startfw
		echo "ipfw accounting rules loaded..."
		;;
	*)
		echo "Usage: `basename $0` { start | stop }"
		;;
esac
> 
> Best regards
> Doloonkhuch.A 
> 

-- 
Jez Hancock
 - System Administrator / PHP Developer

http://munk.nu/
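The script above only installs the counters; reading them back is left to the reader. As an added example (not part of the post), here is a small sh/awk report that turns `ipfw show` output into per-user inbound and outbound byte totals, using the rule-number convention of the script (rule 1 = inbound to the host, rule 2 = outbound). The sample output, the host address 1.2.3.4 and the users alice and bob are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of what `ipfw show` prints after the counter rules
# have run for a while.  On a real host replace it with `/sbin/ipfw show`.
# Columns: rule number, packets, bytes, then the rule body as entered
# (ipfw displays protocol "all" as "ip").
SAMPLE='00001     120      96000 count ip from any to 1.2.3.4 uid alice
00001      40      12000 count ip from any to 1.2.3.4 uid bob
00002     130     200500 count ip from 1.2.3.4 to any uid alice
00002      10        800 count ip from 1.2.3.4 to any uid bob
00003     250     296500 count ip from any to any uid alice
00004     500     400000 count ip from any to 1.2.3.4
65000    1000    1000000 allow ip from any to any
65535       3        200 deny ip from any to any'

# per_user_bytes: read `ipfw show` lines on stdin and print one line per
# user: "<user> <inbound bytes> <outbound bytes>", sorted by user name.
# Only the uid-qualified directional counters (rules 1 and 2) are summed;
# rule 3 and the host-wide rules 4-6 are skipped.
per_user_bytes() {
	awk '
		# $1 rule number, $2 packets, $3 bytes, $4 action, rest = rule body
		$4 == "count" {
			uid = ""
			for (i = 5; i <= NF; i++) if ($i == "uid") uid = $(i + 1)
			if (uid == "") next                 # host-wide counter, no uid
			if ($1 + 0 == 1) in_b[uid] += $3    # inbound to $ip
			else if ($1 + 0 == 2) out_b[uid] += $3   # outbound from $ip
			else next                           # rule 3: per-uid total
			users[uid] = 1
		}
		END {
			for (u in users)
				printf "%s %d %d\n", u, in_b[u] + 0, out_b[u] + 0
		}
	' | sort
}

# Helpers that answer for a single user, reading the constructed sample.
in_bytes_for() {
	printf '%s\n' "$SAMPLE" | per_user_bytes | awk -v u="$1" '$1 == u { print $2 }'
}
out_bytes_for() {
	printf '%s\n' "$SAMPLE" | per_user_bytes | awk -v u="$1" '$1 == u { print $3 }'
}

# Full report (alice 96000 200500 / bob 12000 800 for the sample):
printf '%s\n' "$SAMPLE" | per_user_bytes
```

Feed the real counters with `/sbin/ipfw show | per_user_bytes`; because the script zeroes the counters at start, the totals are per uptime of the rule set, so snapshot them (for example from cron) before any `ipfw zero`.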

