Shorewall users - Aug 2003 - How to rate limit forwarded connections

Hi there- thanks for this extremely useful tool!

Quick (and hopefully) simple question.  I want to forward web
connections from my firewall''s external interface to my webserver in my
DMZ.  However, I want to rate limit the number of connections allowed. 
So far the only way I can see to do this is to change the default
net->dmz policy to accept, set a rate limit on this policy, and then set
rules to deny everything but web traffic to the DMZ (or rely on the
shorewall config on the webserver to block all but web traffic.)

This seems counter-intuitive and unlike every other application for
shorewall I can think of.  I''d also rather do this on a port-by-port
basis rather than by zone-to-zone policy (i.e. I don''t want ssh and web
traffic to counted together- otherwise ssh connections may easily be
dos''ed by web connections.)

I''m sure I''ve missed something obvious- can anyone illuminate
what it
is?

(Note- I''ve assumed that rate limits for drop/reject policies are
ignored and don''t affect any overriding rules.)

Thanks in advance,

Julian

On Wed, 2003-08-13 at 01:07, Julian Rendell wrote:
> Hi there- thanks for this extremely useful tool!
> 
> Quick (and hopefully) simple question.  I want to forward web
> connections from my firewall''s external interface to my webserver
in my
> DMZ.  However, I want to rate limit the number of connections allowed. 
> So far the only way I can see to do this is to change the default
> net->dmz policy to accept, set a rate limit on this policy, and then set
> rules to deny everything but web traffic to the DMZ (or rely on the
> shorewall config on the webserver to block all but web traffic.)
> 
> This seems counter-intuitive and unlike every other application for
> shorewall I can think of.  I''d also rather do this on a
port-by-port
> basis rather than by zone-to-zone policy (i.e. I don''t want ssh
and web
> traffic to counted together- otherwise ssh connections may easily be
> dos''ed by web connections.)
> 
> I''m sure I''ve missed something obvious- can anyone
illuminate what it
> is?
> 
Shorewall provides no other way do rate limit -- Sorry.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Wed, 2003-08-13 at 06:47, Tom Eastep wrote:
> Shorewall provides no other way do rate limit -- Sorry.
> 
But it is something that I''ve had on my list of things to do for some
time. There''s a first hack in the CVS /Shorewall project. You will need
the latest Snapshot (20030809) and you will need to:

a) Move the ''firewall'' file from CVS to
/usr/share/shorewall/firewall
b) Move the ''accounting'' file from CVS to
/etc/shorewall/accounting
c) Look at the comments in the ''rules'' file from CVS to see
how to do
rate limiting. Sorry that I don''t have time to document it further
right
now.

A couple of things to note:

a) Rate limits on DNAT and REDIRECT rules occurs in the nat table; the
associated rule in the filter table isn''t rate limited.
b) Where logging is specified on a rate-limited rule, the logging rule
will also be rate-limited.

-Tom 
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Wed, 2003-08-13 at 10:11, Tom Eastep wrote:
> c) Look at the comments in the ''rules'' file from CVS to
see how to do
> rate limiting. Sorry that I don''t have time to document it further
right
> now.
Duh -- I guess I could forward the comments to the list.

See the attachment.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
-------------- next part --------------
#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
#			or LOG.
#
#				ACCEPT   -- allow the connection request
#				DROP     -- ignore the request
#				REJECT   -- disallow the request and return an
#					    icmp-unreachable or an RST packet.
#				DNAT     -- Forward the request to another
#					    system (and optionally another
#					    port).
#				DNAT-    -- Advanced users only.
#					    Like DNAT but only generates the
#					    DNAT iptables rule and not
#					    the companion ACCEPT rule.
#				REDIRECT -- Redirect the request to a local
#					    port on the firewall.
#				REDIRECT-
#					 -- Advanced users only.
#					    Like REDIRET but only generates the
#					    REDIRECT iptables rule and not
#					    the companion ACCEPT rule.
#				CONTINUE -- (For experts only). Do not process
#					    any of the following rules for this
#					    (source zone,destination zone). If
#					    The source and/or destination IP
#					    address falls into a zone defined
#					    later in /etc/shorewall/zones, this
#					    connection request will be passed
#					    to the rules defined for that
#					    (those) zone(s).
#				LOG      -- Simply log the packet and continue.
#
#			You may rate-limit the rule by optionally
#			following ACCEPT,DNAT[-] or REDIRECT[-] with
# 
#				< <rate>/<interval>:<burst> >
#
#			where <rate> is the number of connections per 
#			<interval> ("sec" or "min") and <burst> is
the
#			largest burst permitted. There may be
#			no whitespace embedded in the specification.
#
#				Example: ACCEPT<10/sec:20>
#
#			The ACTION and rate limit may optionally be followed
#			by ":" and a syslog log level (e.g, REJECT:info). This
#			causes the packet to be logged at the specified level.
#
#			You may also specify ULOG (must be in upper case) as a
#			log level.This will log to the ULOG target for routing
#			to a separate log through use of ulogd
#			(http://www.gnumonks.org/projects/ulogd).

On Wed, 2003-08-13 at 10:42, Tom Eastep wrote:
> On Wed, 2003-08-13 at 10:11, Tom Eastep wrote:
> 
> > c) Look at the comments in the ''rules'' file from CVS
to see how to do
> > rate limiting. Sorry that I don''t have time to document it
further right
> > now.
> 
There is now documentation online:

	http://shorewall.net/Documentation.htm#Rules

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

WOW! From ''No'' to ''in cvs'' to
''documented'' inside a day- incredible!!!!
:-)

Thanks very much for writing the documentation; I''ll be adding that to
my web-servers firewall when I finish building it (no offence intended,
but I''m a little nervous of putting CVS code on my main firewall) and
look forward to seeing the results.

Thanks again-

best wishes

Julian Rendell