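#!/usr/local/bin/bash
# firewall addon set
# made to count user-traffic and httpd-traffic (per-port-80)
# counter variable counts traffic to/from each UID
#
# Zoidial, Inc.
# Eric Thern, 2001 zoidial@yahoo.com
#
# v0.1 08/23/2001 created for shell boxes
# v0.2 12/10/2001 created for a shell/jailed box all-in-one combo for new network
#
# Inputs (root-owned configuration; every word read from them becomes one
# quoted ipfw argument, so keep them unwritable by jailed users):
#   /jail/JAIL-IPS  whitespace-separated jail IP addresses (counted + rate-limited)
#   /etc/ports      whitespace-separated TCP ports to account on rule 00004
#   /etc/passwd     user names for per-UID accounting on rule 00002
#   ifconfig -a     local "inet" addresses starting with $LAN_PREFIX, rule 00006
# Must run as root (ipfw).
#
# Rule numbers owned by this script: 2 4 6 200-202 210-212 220-222 250-252.
# They are deleted first, then rebuilt; a previous version of this script
# added the per-jail rules (00002/00250) *before* the delete, which wiped
# them again immediately.

set -u

readonly IPFW=/sbin/ipfw
readonly JAIL_IPS=/jail/JAIL-IPS
readonly PORTS_FILE=/etc/ports
readonly LAN_PREFIX='10.0.0.'     # only interfaces in this subnet get per-IP counters
readonly JAIL_PIPE_BASE=10        # per-jail pipes start here; pipes 1-9 are the static ones below
readonly JAIL_BW='30Kbytes/s'     # per-jail-IP rate limit
readonly JAIL_QUEUE='10Kbytes'    # per-jail-IP queue size

#######################################
# Print a diagnostic to stderr.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Run one ipfw subcommand quietly. A failure is reported but does not abort
# the script, so one bad entry in a list file cannot stop the rest of the
# ruleset from loading (the original behaviour was also to keep going).
# Arguments: ipfw subcommand and its words
#######################################
fw() {
  "$IPFW" -q "$@" || warn "ipfw $* failed (status $?)"
}

#######################################
# Emit the words of a whitespace-separated list file, one per line.
# Arguments: $1 - path to the list file
# Outputs:   one word per line on stdout
# Returns:   1 if the file is not readable (nothing emitted)
#######################################
list_file() {
  local f=$1
  if [[ ! -r "$f" ]]; then
    warn "cannot read $f; skipping"
    return 1
  fi
  tr -s '[:space:]' '\n' < "$f" | grep -v '^$'
}

#######################################
# Local interface addresses in $LAN_PREFIX, one per line.
# Only "inet" lines whose address starts with the prefix are taken; the old
# unanchored `grep 10.0.0 | cut` also matched the dots as wildcards.
#######################################
lan_addresses() {
  ifconfig -a | awk -v p="$LAN_PREFIX" '$1 == "inet" && index($2, p) == 1 { print $2 }'
}

#######################################
# Progress markers, kept in the original "-" / msg / "." / ".." format.
#######################################
begin_step() { printf -- '-\n%s\n.\n' "$1"; }
end_step()   { printf -- '..\n%s\n' "$1"; }

# Start from a clean slate before adding anything. The delete fails when the
# rules are not present yet (first run after boot); that is expected.
"$IPFW" -q delete 2 4 6 200 201 202 210 211 212 220 221 222 250 251 252 || true

begin_step "Adding per-jail-IP counters and ${JAIL_BW} rate limits (rules 00002/00250)"
# Every jail IP gets a byte counter in each direction plus its own pipe
# (one pipe number per IP, starting at JAIL_PIPE_BASE).
pipe=$JAIL_PIPE_BASE
while IFS= read -r ip; do
  fw add 00002 count ip from "$ip" to any
  fw add 00002 count ip from any to "$ip"
  fw add 00250 pipe "$pipe" ip from "$ip" to any
  fw add 00250 pipe "$pipe" ip from any to "$ip"
  fw pipe "$pipe" config bw "$JAIL_BW" queue "$JAIL_QUEUE"
  pipe=$((pipe + 1))
done < <(list_file "$JAIL_IPS")
end_step "Jail IP counting and rate-limiting finished"

begin_step "Adding usernames to rule 00002"
# First field of each passwd line; blank and comment lines are skipped so
# they are not handed to ipfw as an empty/"#" user name.
while IFS=: read -r user _; do
  [[ -z "$user" || "$user" == \#* ]] && continue
  fw add 00002 count ip from any to any uid "$user"
done < /etc/passwd
end_step "UID counting finished"

begin_step "setting up per-port accounting"
while IFS= read -r port; do
  fw add 00004 count tcp from any to any "$port"
  fw add 00004 count tcp from any "$port" to any
done < <(list_file "$PORTS_FILE")
end_step "Finished setting up per-port accounting"

begin_step "setting up per-ip accounting"
while IFS= read -r addr; do
  fw add 00006 count ip from any to "$addr"
  fw add 00006 count ip from "$addr" to any
done < <(lan_addresses)
end_step "Finished setting up per-ip accounting"

begin_step "adding ipfw pipe configurations"
# Fragments are logged (capped at 200 entries) and throttled hard; the
# in/out directions of each protocol get their own pipe.
fw add 00200 pipe 1 log logamount 200 udp from any to any frag
fw add 00201 pipe 2 udp from any to any out
fw add 00202 pipe 3 udp from any to any in
fw add 00210 pipe 4 log logamount 200 icmp from any to any frag
fw add 00211 pipe 5 icmp from any to any out
fw add 00212 pipe 6 icmp from any to any in
fw add 00220 pipe 7 log logamount 200 igmp from any to any frag
fw add 00221 pipe 8 igmp from any to any out
fw add 00222 pipe 9 igmp from any to any in
end_step "finished adding ipfw pipes"

begin_step "adding the pipe bandwidth configurations"
fw pipe 1 config bw 10Kbit/s queue 10Kbytes
fw pipe 2 config bw 500Kbit/s queue 20Kbytes
fw pipe 3 config bw 500Kbit/s queue 20Kbytes
fw pipe 4 config bw 10Kbit/s queue 10Kbytes
fw pipe 5 config bw 0.2Mbit/s queue 10Kbytes
fw pipe 6 config bw 0.2Mbit/s queue 10Kbytes
fw pipe 7 config bw 10Kbit/s queue 10Kbytes
fw pipe 8 config bw 10Kbit/s queue 10Kbytes
fw pipe 9 config bw 10Kbit/s queue 10Kbytes
end_step "finished adding the pipe configs"

printf -- '-\nScript finished\n'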