Julian Rendell
2003-Aug-13 01:07 UTC
[Shorewall-users] How to rate limit forwarded connections
Hi there- thanks for this extremely useful tool!

Quick (and hopefully) simple question. I want to forward web connections from my firewall's external interface to my webserver in my DMZ. However, I want to rate limit the number of connections allowed. So far the only way I can see to do this is to change the default net->dmz policy to accept, set a rate limit on this policy, and then set rules to deny everything but web traffic to the DMZ (or rely on the shorewall config on the webserver to block all but web traffic.)

This seems counter-intuitive and unlike every other application for shorewall I can think of. I'd also rather do this on a port-by-port basis rather than by zone-to-zone policy (i.e. I don't want ssh and web traffic to be counted together- otherwise ssh connections may easily be dos'ed by web connections.)

I'm sure I've missed something obvious- can anyone illuminate what it is?

(Note- I've assumed that rate limits for drop/reject policies are ignored and don't affect any overriding rules.)

Thanks in advance,
Julian
Tom Eastep
2003-Aug-13 06:47 UTC
[Shorewall-users] How to rate limit forwarded connections
On Wed, 2003-08-13 at 01:07, Julian Rendell wrote:
> Hi there- thanks for this extremely useful tool!
>
> Quick (and hopefully) simple question. I want to forward web
> connections from my firewall's external interface to my webserver in my
> DMZ. However, I want to rate limit the number of connections allowed.
> So far the only way I can see to do this is to change the default
> net->dmz policy to accept, set a rate limit on this policy, and then set
> rules to deny everything but web traffic to the DMZ (or rely on the
> shorewall config on the webserver to block all but web traffic.)
>
> This seems counter-intuitive and unlike every other application for
> shorewall I can think of. I'd also rather do this on a port-by-port
> basis rather than by zone-to-zone policy (i.e. I don't want ssh and web
> traffic to be counted together- otherwise ssh connections may easily be
> dos'ed by web connections.)
>
> I'm sure I've missed something obvious- can anyone illuminate what it
> is?
>
Shorewall provides no other way to rate limit -- Sorry.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Aug-13 10:12 UTC
[Shorewall-users] How to rate limit forwarded connections
On Wed, 2003-08-13 at 06:47, Tom Eastep wrote:
> Shorewall provides no other way to rate limit -- Sorry.
>
But it is something that I've had on my list of things to do for some time. There's a first hack in the CVS /Shorewall project. You will need the latest Snapshot (20030809) and you will need to:

a) Move the 'firewall' file from CVS to /usr/share/shorewall/firewall
b) Move the 'accounting' file from CVS to /etc/shorewall/accounting
c) Look at the comments in the 'rules' file from CVS to see how to do rate limiting. Sorry that I don't have time to document it further right now.

A couple of things to note:

a) Rate limits on DNAT and REDIRECT rules occur in the nat table; the associated rule in the filter table isn't rate limited.
b) Where logging is specified on a rate-limited rule, the logging rule will also be rate-limited.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Aug-13 10:42 UTC
[Shorewall-users] How to rate limit forwarded connections
On Wed, 2003-08-13 at 10:11, Tom Eastep wrote:
> c) Look at the comments in the 'rules' file from CVS to see how to do
> rate limiting. Sorry that I don't have time to document it further right
> now.

Duh -- I guess I could forward the comments to the list. See the attachment.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net

-------------- next part --------------
# ACTION      ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
#             or LOG.
#
#             ACCEPT   -- allow the connection request
#             DROP     -- ignore the request
#             REJECT   -- disallow the request and return an
#                         icmp-unreachable or an RST packet.
#             DNAT     -- Forward the request to another
#                         system (and optionally another
#                         port).
#             DNAT-    -- Advanced users only.
#                         Like DNAT but only generates the
#                         DNAT iptables rule and not
#                         the companion ACCEPT rule.
#             REDIRECT -- Redirect the request to a local
#                         port on the firewall.
#             REDIRECT-
#                      -- Advanced users only.
#                         Like REDIRECT but only generates the
#                         REDIRECT iptables rule and not
#                         the companion ACCEPT rule.
#             CONTINUE -- (For experts only). Do not process
#                         any of the following rules for this
#                         (source zone,destination zone). If
#                         the source and/or destination IP
#                         address falls into a zone defined
#                         later in /etc/shorewall/zones, this
#                         connection request will be passed
#                         to the rules defined for that
#                         (those) zone(s).
#             LOG      -- Simply log the packet and continue.
#
#             You may rate-limit the rule by optionally
#             following ACCEPT, DNAT[-] or REDIRECT[-] with
#
#                 < <rate>/<interval>:<burst> >
#
#             where <rate> is the number of connections per
#             <interval> ("sec" or "min") and <burst> is the
#             largest burst permitted. There may be
#             no whitespace embedded in the specification.
#
#                 Example: ACCEPT<10/sec:20>
#
#             The ACTION and rate limit may optionally be followed
#             by ":" and a syslog log level (e.g, REJECT:info). This
#             causes the packet to be logged at the specified level.
#
#             You may also specify ULOG (must be in upper case) as a
#             log level. This will log to the ULOG target for routing
#             to a separate log through use of ulogd
#             (http://www.gnumonks.org/projects/ulogd).
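A worked policy/rules fragment applying the syntax above to the setup Julian described (web server in the dmz zone, reached through a DNAT rule from the net zone, ssh limited on its own). This is an added example, not text from the thread or from the Shorewall distribution; the web server address 10.0.1.2 and the chosen limits are assumptions.

```text
# /etc/shorewall/policy  (net->dmz stays DROP, so connections that a
# rate-limited rule below does not match fall through to this policy)
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
net      dmz   DROP    info
dmz      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/rules  (one rate limit per service, so web connections
# cannot use up the ssh allowance: each rule's limit is counted separately)
#ACTION               SOURCE  DEST           PROTO  DEST PORT
# HTTP from the external interface to the DMZ web server, at most
# 10 new connections per second with a burst of 20
DNAT<10/sec:20>       net     dmz:10.0.1.2   tcp    80
# ssh to the DMZ, limited separately and logged at syslog level info
ACCEPT<2/min:5>:info  net     dmz            tcp    22
```

Two consequences follow from Tom's notes rather than from anything special in this fragment: with the DNAT rule the limit sits on the nat-table rule, so a connection over the limit is simply not DNATed and is handled as traffic to the firewall itself (net->fw), not to the DMZ; and since the net->dmz policy is DROP, an ssh connection over its limit is dropped (and logged by the policy) without touching the web server's allowance.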
Tom Eastep
2003-Aug-13 12:57 UTC
[Shorewall-users] How to rate limit forwarded connections
On Wed, 2003-08-13 at 10:42, Tom Eastep wrote:
> On Wed, 2003-08-13 at 10:11, Tom Eastep wrote:
>
> > c) Look at the comments in the 'rules' file from CVS to see how to do
> > rate limiting. Sorry that I don't have time to document it further right
> > now.
>
There is now documentation online: http://shorewall.net/Documentation.htm#Rules

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
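To make the ACTION syntax from the attached comments and Tom's two notes concrete, the following added example (not Shorewall code, and not from the thread) parses the `ACTION<rate/interval:burst>[:level]` column, enforces the restrictions the comments state (only ACCEPT, DNAT[-] and REDIRECT[-] may carry a limit; no embedded whitespace), and renders a rules line as the iptables commands one would expect. The mapping of the specification onto the iptables `limit` match (`-m limit --limit N/sec --limit-burst B`), the use of the built-in PREROUTING and FORWARD chains in place of whatever chains Shorewall really generates, and the sample rules lines with address 10.0.1.2 are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rules lines (not from the thread).  The web DNAT and the
# ssh ACCEPT carry separate limits, so they are counted separately.
SAMPLE_RULES = """\
# ACTION              SOURCE  DEST           PROTO  DEST PORT
DNAT<10/sec:20>       net     dmz:10.0.1.2   tcp    80
ACCEPT<2/min:5>:info  net     dmz            tcp    22
"""

# Per the posted comments, only these actions may carry a rate limit.
RATE_LIMITABLE = {"ACCEPT", "DNAT", "DNAT-", "REDIRECT", "REDIRECT-"}
ALL_ACTIONS = RATE_LIMITABLE | {"DROP", "REJECT", "CONTINUE", "LOG"}

# No whitespace may appear inside the specification: the ACTION column is one token.
ACTION_RE = re.compile(
    r"^(?P<action>[A-Z]+-?)"
    r"(?:<(?P<rate>\d+)/(?P<interval>sec|min):(?P<burst>\d+)>)?"
    r"(?::(?P<level>[A-Za-z0-9]+))?$"
)


@dataclass
class RuleAction:
    action: str
    rate: Optional[int] = None
    interval: Optional[str] = None
    burst: Optional[int] = None
    level: Optional[str] = None

    @property
    def limited(self) -> bool:
        return self.rate is not None


def parse_action(token: str) -> RuleAction:
    """Parse the ACTION column, e.g. 'DNAT<10/sec:20>' or 'ACCEPT<2/min:5>:info'."""
    m = ACTION_RE.match(token)
    if not m:
        raise ValueError(f"malformed ACTION column: {token!r}")
    ra = RuleAction(m["action"],
                    int(m["rate"]) if m["rate"] else None, m["interval"],
                    int(m["burst"]) if m["burst"] else None, m["level"])
    if ra.action not in ALL_ACTIONS:
        raise ValueError(f"unknown action {ra.action!r}")
    if ra.limited and ra.action not in RATE_LIMITABLE:
        raise ValueError(f"{ra.action} may not carry a rate limit")
    if ra.action == "LOG" and not ra.level:
        raise ValueError("LOG needs a log level in this example")
    return ra


def limit_args(ra: RuleAction) -> List[str]:
    """Assumed mapping of <rate/interval:burst> onto the iptables 'limit' match."""
    if not ra.limited:
        return []
    return ["-m", "limit", "--limit", f"{ra.rate}/{ra.interval}",
            "--limit-burst", str(ra.burst)]


def to_iptables(line: str) -> List[str]:
    """Render one rules line (ACTION SOURCE DEST PROTO DPORT) as iptables commands.

    Assumed simplifications: zones are not resolved to interfaces, and the
    built-in PREROUTING/FORWARD chains stand in for Shorewall's own chains.
    """
    action_tok, _source, dest, proto, dport = line.split()[:5]
    ra = parse_action(action_tok)
    match = ["-p", proto, "--dport", dport]
    limit = limit_args(ra)
    cmds: List[List[str]] = []
    if ra.action in ("DNAT", "DNAT-"):
        target = dest.split(":", 1)[1]          # DEST is zone:address[:port]
        # Thread note (a): the limit lands on the nat-table DNAT rule only ...
        cmds.append(["iptables", "-t", "nat", "-A", "PREROUTING", *match, *limit,
                     "-j", "DNAT", "--to-destination", target])
        # ... the companion filter-table ACCEPT (absent for DNAT-) carries no limit.
        if ra.action == "DNAT":
            cmds.append(["iptables", "-A", "FORWARD", "-d", target.split(":")[0],
                         *match, "-j", "ACCEPT"])
    elif ra.action in ("ACCEPT", "DROP", "REJECT", "LOG"):
        # Thread note (b): a log level on a rate-limited rule limits the LOG rule too.
        if ra.level:
            log = ["-j", "ULOG"] if ra.level == "ULOG" else ["-j", "LOG", "--log-level", ra.level]
            cmds.append(["iptables", "-A", "FORWARD", *match, *limit, *log])
        if ra.action != "LOG":
            # Each 'limit' match is its own token bucket, so one rule per port keeps
            # the ssh and web limits independent; connections over the limit do not
            # match and fall through to the net->dmz policy.
            cmds.append(["iptables", "-A", "FORWARD", *match, *limit, "-j", ra.action])
    else:
        raise ValueError(f"{ra.action} is not handled in this example")
    return [" ".join(c) for c in cmds]


def compile_rules(text: str) -> List[str]:
    """Render every non-comment, non-blank line of a rules file."""
    out: List[str] = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            out.extend(to_iptables(line))
    return out


if __name__ == "__main__":
    for cmd in compile_rules(SAMPLE_RULES):
        print(cmd)
```

Running the block prints four commands for the two sample lines: a limited nat-table DNAT plus an unlimited FORWARD ACCEPT for port 80, and a limited LOG plus a limited ACCEPT for port 22.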
Julian Rendell
2003-Aug-14 21:36 UTC
[Shorewall-users] How to rate limit forwarded connections
WOW! From 'No' to 'in cvs' to 'documented' inside a day- incredible!!!! :-)

Thanks very much for writing the documentation; I'll be adding that to my web-server's firewall when I finish building it (no offence intended, but I'm a little nervous of putting CVS code on my main firewall) and look forward to seeing the results.

Thanks again- best wishes
Julian Rendell