> i'm currently (happily) using eigerstein2beta with a small home network.
> i'd like to share my permanent connection to the net with my
> next-door-neighbour but maintain separate networks. i also have a web
> server that needs to be moved into a DMZ.
>
> the thing to do seems to be to add another couple of network cards to
> the firewall (one for the dmz and a new interface and subnet for my
> neighbour's place).
>
> could i ask, using e2b, is it easy to add another interface to the
> 'safe' side of the firewall?

Yes.  It's very easy.  Just add the additional interface, and add the new
internal network to INTERN_NET.

> likewise, is it straightforward to prevent
> packets routing from one subnet to the next but allow both to access the
> DMZ?

This is what happens by default unless you specifically create rules to
allow the internal networks to talk.

> and finally, i pay by the byte for downloaded data and would like to
> equitably split the costs with my neighbour. i understand that it's
> possible to obtain accounting data from the firewall rules. in this
> case, i'd like to count bytes coming in the external interface and being
> routed to one of the two (nonDMZ) subnets. i've looked at the default
> firewall rules in e2b and wondered what the hell i could touch with
> safety. could you please suggest where to start looking (or if someone
> has achieved same, where i could find such preexisting scripts).

Simply add 'accounting' rules (an ipchains rule with no target) to the top
of the forward or output chain.  You can then use the byte counters to
determine bandwidth usage.  Something like:

ipchains -I output -s ! <dmz-net> -d <your-net>
ipchains -I output -s ! <dmz-net> -d <neighbor-net>

This counts packets/bytes headed to the two internal nets from the internet,
but allows 'free' downloads from your DMZ.  This will produce incorrect
results if you actually have traffic between the two internal nets (that
will get counted as well), but you said you wanted to deny that anyway...

You can get the current packet/byte counts by parsing the output of
"ipchains -nvL output --exact"

> is it
> wise to mail out this info daily (in case of a crash and the logs/state
> disappearing) to be collated ?

Yes, or use something like snmp and mrtg to gather statistics
automatically...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
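A worked version of the accounting step above, added here as an example and not part of the original reply: it parses a constructed "ipchains -nvL output --exact" listing and sums the byte counters of the target-less accounting rules per destination net. The column layout, the network numbers and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sum the byte counters of the
# accounting rules described in the reply from the output of
# "ipchains -nvL output --exact", keyed by destination network.
# Assumptions: the column layout used here (pkts bytes target prot opt tosa
# tosx ifname mark outsize source destination ports) and all network
# numbers are constructed for illustration.

# Constructed sample of "ipchains -nvL output --exact" output. Rules with
# target "-" are the accounting rules (no target), as in the reply above.
SAMPLE='Chain output (policy ACCEPT: 4321 packets, 5678901 bytes):
 pkts bytes target     prot opt     tosa tosx  ifname     mark   outsize  source                destination           ports
  150 123456 -          all  ------ 0xFF 0x00  *                            !10.0.0.0/24          192.168.1.0/24        n/a
   80  65432 -          all  ------ 0xFF 0x00  *                            !10.0.0.0/24          192.168.2.0/24        n/a
  900 999999 ACCEPT     all  ------ 0xFF 0x00  eth0                         0.0.0.0/0             0.0.0.0/0             n/a'

# acct_bytes NET: read an ipchains listing on stdin and print the byte
# count of accounting rules (target "-") whose destination column is NET.
# The destination is taken as the next-to-last field so that blank mark /
# outsize columns do not shift the result.
acct_bytes() {
    awk -v net="$1" '
        /^Chain / || /^ *pkts / { next }          # skip both header lines
        $3 == "-" && $(NF-1) == net { sum += $2 }  # $2 is the byte counter
        END { printf "%d\n", sum }'
}

# report: one line per internal net, suitable for piping to mail once a day
# (the constructed networks stand in for <your-net> and <neighbor-net>).
report() {
    for net in 192.168.1.0/24 192.168.2.0/24; do
        printf '%s %s bytes\n' "$net" "$(printf '%s\n' "$SAMPLE" | acct_bytes "$net")"
    done
}

# Live use would feed the real listing instead of the sample, e.g.:
#   ipchains -nvL output --exact | acct_bytes 192.168.1.0/24
report
```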
