Re: Ideas for v2.1 (User IP accounting)

Colin Coghill (colin@inzo.co.nz)
Thu, 13 Jun 1996 11:18:27 +1200 (NZST)


On Wed, 12 Jun 1996, Alan Cox wrote:
> > There are already some patches for per user accounting. I'd like to
> > have per user firewall as well.
>
> To an extent that's not hard because you can tell who owns a given socket.

This is something I'd *really* like. I have to pay for IP traffic per
byte, and am at the moment using an old beat-up 386 as a firewall/proxy
(using the TIS toolkit & SOCKS) to keep track of what my users are
doing and bill them. However, this isn't terribly transparent to the
users (I'd like to let them compile their own network apps) and the 386
is a little flakey. (It's a hobby, no-profit BBS, so I can't justify
the cost of better h/w)

> It's not possible to assign an ownership to things like retries, acks, icmp
> messages etc very easily however.

Counting them as "system overhead" is probably fair enough.

> For the basic "user xxx no net access", "user yyy local only" you can
> probably set up such an arrangement with minimal firewall hacking. You can
> also write your own loadable firewall modules rather than further hack on
> the main ip firewall and that would probably be the clean approach.

I don't suppose there is any documentation on how to do this, further
than what's in the source of course. I had a go at doing a user accounting
thing a little while ago, and got to the point where I could measure
outgoing traffic reasonably well. But I still don't really understand
it very well, and it was really ugly. :-)

One thing I noticed about the two other user-IP-accounting patches was
that traffic from an incoming connection (i.e. someone telnetting in) was
assigned to "root". Which isn't really right, but I guess might be
non-trivial to correct. Would that be because it was in.telnetd that
owned the socket?

- Colin

--
email  colin@inzo.co.nz      |Ace: "Doctor, we did good, didn't we?" 
       colin@utf.gen.nz      |Doctor: "Perhaps. Time will tell. Always does." 
finger colin@inzo.co.nz      |                - REMEMBRANCE OF THE DALEKS
http://utf.gen.nz/~colin/    +-----------------------------------------------
#include <stddisclaimer.h>   |              Campaigning for 4 line sigs
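
The socket-owner attribution discussed in this message, as an added example that is not part of the original post or of any of the patches it mentions: it tallies established TCP sockets per owning uid from rows in `/proc/net/tcp` layout and separates out the ones that were accepted on a listening port, which is where a telnet session ends up charged to uid 0. The sample rows are constructed, and the code assumes the `uid` column reports the socket's owner as it does on current Linux kernels.

```c
#include <stdio.h>

#define ST_ESTABLISHED 0x01
#define ST_LISTEN      0x0A

/* Constructed rows in /proc/net/tcp layout (not captured from a real host).
 * Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode */
static const char *SAMPLE[] = {
    "   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001",
    "   1: 0A000001:0017 0A000063:C350 01 00000000:00000000 00:00000000 00000000     0        0 1002",
    "   2: 0A000001:0401 C0A80105:0050 01 00000000:00000000 00:00000000 00000000   501        0 1003",
    "   3: 0A000001:0402 C0A80105:0015 01 00000000:00000000 00:00000000 00000000   502        0 1004",
    "   4: 0A000001:0403 C0A80105:0050 01 00000000:00000000 00:00000000 00000000   501        0 1005",
};
#define NROWS (sizeof SAMPLE / sizeof SAMPLE[0])

/* Extract local port, state and owning uid from one row; returns 1 on success. */
static int parse_row(const char *row, unsigned *lport, unsigned *st, unsigned *uid)
{
    unsigned laddr, raddr, rport;
    return sscanf(row, " %*d: %x:%x %x:%x %x %*x:%*x %*x:%*x %*x %u",
                  &laddr, lport, &raddr, &rport, st, uid) == 6;
}

/* Is some socket in the table listening on this local port? */
static int is_listening(unsigned port)
{
    unsigned lp, st, uid;
    for (size_t i = 0; i < NROWS; i++)
        if (parse_row(SAMPLE[i], &lp, &st, &uid) && st == ST_LISTEN && lp == port)
            return 1;
    return 0;
}

/* Established sockets charged to uid `want`. With inbound_only set, count
 * only those whose local port has a listener, i.e. accepted connections. */
int established_for_uid(unsigned want, int inbound_only)
{
    unsigned lp, st, uid;
    int n = 0;
    for (size_t i = 0; i < NROWS; i++) {
        if (!parse_row(SAMPLE[i], &lp, &st, &uid) || st != ST_ESTABLISHED || uid != want)
            continue;
        if (!inbound_only || is_listening(lp))
            n++;
    }
    return n;
}
```

In the sample, the one session on local port 23 is owned by uid 0 even though a user is logged in over it, while the outbound connections carry the uid of the user who opened them.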