Hi,
I'm using shorewall version 2.2.3 on Debian Sarge and I tried to set up
rate limiting on incoming SSH connections, which are DNATed to an
internal host (like the example "DNAT<4/min:8> net loc:192.168.1.3 tcp ssh"
from the documentation). However on the firewall there is also an sshd
running, which is only accessible on port 1022 via a REDIRECT action.
First, when I specify the rate limiting after the DNAT action, I get
the following error when running 'shorewall restart':
Error: Invalid Action in rule "DNAT<3/min> net ltr:${SSH_HOST} tcp ssh"
If I place the same rate limit specification in the RATE LIMIT column,
shorewall starts without problems.
Secondly, this configuration does not do exactly what I expected it to
do: it does rate limit the DNAT, but when that rate limit has been
exceeded, the connection is just accepted to the firewall: I would
have expected it to be rejected or dropped.
This I tried to solve by adding a rule to explicitly reject net to
firewall ssh connections. However I think that this in turn conflicts
with the REDIRECT of port 1022 to 22 on the firewall: incoming port
1022 connections also get rejected.
I have reverted the configuration because of these problems, but if
more info is needed, I'll try to set up this configuration again.
Below are the config files.
Jaap Eldering
======== params =========
NET_IF=eth0
LOC_IF=eth1
LOC_NET=10.14
LOC_MASK=22
LOC_BCAST=${LOC_NET}.0.255
LTR_NET=${LOC_NET}.0
VPN_NET=${LOC_NET}.3
SSH_HOST=10.14.0.8
X_HOST=10.14.0.8
======= zones ==========
net Net Internet
ltr Local trusted Local trusted (loc subnet)
loc Local Local networks
vpn VPN VPN clients zone
dmz DMZ Demilitarized zone
======= hosts ==========
ltr $LOC_IF:10.14.0.0/24 maclist,routeback
vpn tun+:10.14.3.0/24 routeback
loc $LOC_IF:10.14.0.0/$LOC_MASK routeback
======= masq ===========
$NET_IF $LOC_IF
$LOC_IF:${SSH_HOST} 10.14.0.0/22 10.14.0.1 tcp ssh
======= policy =========
ltr all CONTINUE
vpn $FW ACCEPT
loc net ACCEPT
loc $FW ACCEPT
$FW all ACCEPT
net all REJECT ULOG
all all REJECT ULOG
======= rules ==========
ACCEPT all all icmp 8
ACCEPT all $FW tcp domain,http,https
ACCEPT all $FW tcp smtp,pop3s,imaps,submission
ACCEPT all $FW tcp cvspserver
ACCEPT all $FW tcp 5222,5223,5269 # jabberd
ACCEPT all $FW udp domain,ntp,openvpn
DNAT net ltr:${X_HOST} udp xdmcp
DNAT net ltr:${SSH_HOST} tcp ssh - - 3/min
DNAT vpn ltr:${SSH_HOST} tcp ssh
DNAT loc ltr:${SSH_HOST} tcp ssh - $EXT_IP
REJECT:ULOG net $FW tcp ssh
REDIRECT net 22 tcp 1022
DNAT net ltr:${LTR_NET}.2:22 tcp 2022
DNAT net ltr:${LTR_NET}.3:22 tcp 3022
DNAT net ltr:${LTR_NET}.4:22 tcp 4022
DNAT net ltr:${LTR_NET}.5:22 tcp 5022
DNAT net ltr:${LTR_NET}.6:22 tcp 6022
DNAT net ltr:${LTR_NET}.7:22 tcp 7022
DNAT net ltr:${LTR_NET}.8:22 tcp 8022
DNAT net ltr:${LTR_NET}.9:22 tcp 9022
REJECT net $FW udp 20031 20031
REJECT net:131.211.45.229 $FW udp ipp
REJECT net $FW udp 513
REJECT net:131.211.34.112 $FW udp 500
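Added illustration (a constructed simulation, not Shorewall's code and not from the poster) of the two netfilter behaviours the symptoms in this report turn on: a rate-limited rule matches only while its token bucket has tokens, after which evaluation simply falls through to the next rule, and nat PREROUTING runs before the filter table, so a filter rule on port 22 also sees connections that arrived on port 1022 and were redirected. The model assumes iptables' default burst of 5 for a bare "3/min", assumes the companion ACCEPT rules that DNAT/REDIRECT generate match only the translated destination, and models a reject keyed on the original port after the manner of conntrack's --ctorigdstport match; whether Shorewall 2.2.3 exposes that match is not asserted here. Zone membership is reduced to a label on the packet.

```python
"""Constructed simulation (not Shorewall or netfilter code) of the packet path
the posted rules compile to: a nat PREROUTING pass (rate-limited DNAT, then
REDIRECT) and a filter pass that only ever sees the *translated* packet."""
from dataclasses import dataclass, field

FW = "firewall"
SSH_HOST = "10.14.0.8"  # value from the posted params file


@dataclass
class LimitMatch:
    """Token bucket approximating iptables '-m limit --limit R --limit-burst B'."""
    rate_per_sec: float
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # bucket empty: the rule does not match and evaluation falls through


@dataclass
class Packet:
    zone: str
    dst: str
    dport: int
    orig_dport: int = field(init=False)  # what conntrack records as the original destination

    def __post_init__(self) -> None:
        self.orig_dport = self.dport


def build_chains(limit: LimitMatch, reject_ssh_to_fw: bool, match_orig_port: bool):
    """Return (nat_rules, filter_rules); a rule is (predicate(pkt, now), verdict)."""
    nat = [
        # DNAT net ltr:${SSH_HOST} tcp ssh, rate limited 3/min. The limit check is the
        # last term on purpose: a token is only consumed once the other matches succeed.
        (lambda p, t: p.zone == "net" and p.dst == FW and p.dport == 22 and limit.matches(t),
         ("DNAT", SSH_HOST, 22)),
        # REDIRECT net 22 tcp 1022: port 1022 on the firewall is rewritten to port 22
        (lambda p, t: p.zone == "net" and p.dst == FW and p.dport == 1022,
         ("REDIRECT", FW, 22)),
    ]
    filt = []
    if reject_ssh_to_fw:
        # The explicit 'REJECT net $FW tcp ssh' from the post. With match_orig_port the
        # rule is keyed on the pre-NAT port instead (what '-m conntrack --ctorigdstport'
        # does in iptables), so traffic that arrived on 1022 is not caught.
        port_of = (lambda p: p.orig_dport) if match_orig_port else (lambda p: p.dport)
        filt.append((lambda p, t: p.zone == "net" and p.dst == FW and port_of(p) == 22, "REJECT"))
    # Assumed companion ACCEPT rules for the REDIRECT and the DNAT, modelled here as
    # matching only the translated destination (a simplification of this model).
    filt.append((lambda p, t: p.zone == "net" and p.dst == FW and p.dport == 22, "ACCEPT"))
    filt.append((lambda p, t: p.zone == "net" and p.dst == SSH_HOST and p.dport == 22, "ACCEPT"))
    return nat, filt


def process(pkt: Packet, now: float, nat, filt) -> str:
    for pred, (_, new_dst, new_port) in nat:
        if pred(pkt, now):
            pkt.dst, pkt.dport = new_dst, new_port  # first matching nat rule wins
            break
    for pred, verdict in filt:
        if pred(pkt, now):
            return verdict
    return "REJECT"  # the posted 'net all REJECT' policy


def run_scenario(reject_ssh_to_fw: bool, match_orig_port: bool):
    """Eight SSH attempts one second apart, then one attempt on port 1022.
    Returns a list of (original port, final destination, final port, verdict)."""
    limit = LimitMatch(rate_per_sec=3 / 60, burst=5)  # '3/min' with iptables' default burst
    nat, filt = build_chains(limit, reject_ssh_to_fw, match_orig_port)
    attempts = [Packet("net", FW, 22) for _ in range(8)] + [Packet("net", FW, 1022)]
    results = []
    for second, pkt in enumerate(attempts):
        verdict = process(pkt, float(second), nat, filt)
        results.append((pkt.orig_dport, pkt.dst, pkt.dport, verdict))
    return results


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print("reject_ssh_to_fw=%s match_orig_port=%s" % flags)
        for row in run_scenario(*flags):
            print("  arrived on %4d -> %s:%d  %s" % row)
```

Without the explicit reject, the first five attempts are DNATed and the remaining three fall through to the firewall's own port 22 and are accepted; with a reject keyed on the translated port, those three are rejected but so is the connection that arrived on 1022; keying the reject on the original port separates the two cases.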