Hello,

Currently, I am rate limiting SSH connections to one of my servers
(running shorewall 3.2.6) like this:

SSH/ACCEPT net $FW - - - - 1/min:2

Now, I'd like to allow some machines in the net zone to not be rate
limited. Is this possible? I was thinking something like this:

SSH/ACCEPT net:w.x.y.z/a $FW
SSH/ACCEPT net $FW - - - - 1/min:2

That way, machines in the w.x.y.z/a IP block match the first rule, which
has no rate limit, and all others match the rate limited rule. I could
not find much on this and I am hesitant to experiment with a production
server without some confirmation that I am headed in the right
direction.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Roberto C. Sanchez wrote:
> Hello,
>
> Currently, I am rate limiting SSH connections to one of my servers,
> (running shorewall 3.2.6) like this:
>
> SSH/ACCEPT net $FW - - - - 1/min:2
>
> Now, I'd like to allow some machines in the net zone to not be rate
> limited. Is this possible? I was thinking something like this:
>
> SSH/ACCEPT net:w.x.y.z/a $FW
> SSH/ACCEPT net $FW - - - - 1/min:2
>
> That way, machines in the w.x.y.z/a IP block match the first rule, which
> has no rate limit, and all others match the rate limited rule. I could
> not find much on this and I am hesitant to experiment with a production
> server without some confirmation that I am headed in the right
> direction.
>

You are headed in the right direction.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Wed, Jan 03, 2007 at 07:44:10AM -0800, Tom Eastep wrote:
> Roberto C. Sanchez wrote:
> >
> > SSH/ACCEPT net:w.x.y.z/a $FW
> > SSH/ACCEPT net $FW - - - - 1/min:2
> >
>
> You are headed in the right direction.
>

Works like a charm.

To confirm, though, the non-rate limited rule must come first as it is
more restrictive in the hosts to which it applies, correct? If the
order were reversed, I imagine everything would match the first, as it
is more general and then nothing would get past it.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sanchez wrote:
> On Wed, Jan 03, 2007 at 07:44:10AM -0800, Tom Eastep wrote:
>> Roberto C. Sanchez wrote:
>>> SSH/ACCEPT net:w.x.y.z/a $FW
>>> SSH/ACCEPT net $FW - - - - 1/min:2
>>>
>> You are headed in the right direction.
>>
>
> Works like a charm.
>
> To confirm, though, the non-rate limited rule must come first as it is
> more restrictive in the hosts to which it applies, correct? If the
> order were reversed, I imagine everything would match the first, as it
> is more general and then nothing would get past it.

That's correct.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
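Added example, not part of the thread and not Shorewall's own code: a small Python model of first-match rule evaluation that replays the two rule orderings discussed above so the effect of the ordering can be seen without touching a production box. It assumes the RATE LIMIT column behaves like the iptables `limit` match, which is what a plain `1/min:2` (no `s:`/`d:` prefix) produces: a single token bucket shared by all traffic the rule sees, started full at the burst size and refilled at the stated rate, and a rule whose bucket is empty simply does not match, so evaluation continues to the next rule. Unmatched net to $FW traffic is assumed to fall to a DROP policy. The exempt block 192.0.2.0/24, the other client 203.0.113.5 and the timing of the attempts are constructed for the example (RFC 5737 documentation addresses).

```python
"""Model of Shorewall rule ordering with one rate-limited ACCEPT rule.

Constructed example. Assumptions (not taken from the thread):
  * 'rate/{sec|min}[:burst]' is one token bucket shared by every packet the
    rule sees, as the iptables 'limit' match does; it starts full at `burst`.
  * A rule whose bucket is empty does not match; evaluation moves on.
  * Traffic matching no rule hits an assumed DROP policy.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass
class TokenBucket:
    """`burst` tokens, refilled at `rate` tokens per `period` seconds."""
    rate: float
    period: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # bucket starts full, like --limit-burst

    def take(self, now: float) -> bool:
        refill = (now - self.last) * self.rate / self.period
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_rate_limit(spec: str) -> TokenBucket:
    """Parse Shorewall's 'rate/{sec|min}[:burst]' syntax, e.g. '1/min:2'.

    A missing burst defaults to 5, the iptables limit-match default.
    """
    rate_part, _, burst_part = spec.partition(":")
    rate, unit = rate_part.split("/")
    period = {"sec": 1.0, "min": 60.0}[unit]
    return TokenBucket(float(rate), period, int(burst_part) if burst_part else 5)


@dataclass
class Rule:
    """One rules-file line: optional SOURCE host/net (None = whole zone) and optional RATE LIMIT."""
    source: Optional[IPv4Network]
    limit: Optional[TokenBucket]

    def matches(self, src: IPv4Address, now: float) -> bool:
        if self.source is not None and src not in self.source:
            return False
        # An exhausted bucket means "no match", not "drop": the packet continues.
        return self.limit is None or self.limit.take(now)


def evaluate(rules: Sequence[Rule], src: str, now: float) -> str:
    """First-match walk over the rules; unmatched traffic hits the assumed DROP policy."""
    addr = ip_address(src)
    for rule in rules:
        if rule.matches(addr, now):
            return "ACCEPT"
    return "DROP"


# Constructed burst of SSH connection attempts: (seconds, source address).
# Three from the exempt block, then three from an unrelated client.
SAMPLE_ATTEMPTS: List[Tuple[float, str]] = [
    (0.0, "192.0.2.10"), (0.5, "192.0.2.10"), (1.0, "192.0.2.10"),
    (1.5, "203.0.113.5"), (2.0, "203.0.113.5"), (2.5, "203.0.113.5"),
]


def simulate(order: str, attempts: Sequence[Tuple[float, str]]) -> List[str]:
    """Replay `attempts` through freshly built rules.

    'exempt_first' is the ordering from the thread (unlimited rule for the
    exempt block, then the 1/min:2 rule for everyone); 'limited_first' reverses it.
    """
    exempt = Rule(ip_network("192.0.2.0/24"), None)       # SSH/ACCEPT net:w.x.y.z/a $FW
    limited = Rule(None, parse_rate_limit("1/min:2"))    # SSH/ACCEPT net $FW - - - - 1/min:2
    rules = [exempt, limited] if order == "exempt_first" else [limited, exempt]
    return [evaluate(rules, src, t) for t, src in attempts]


if __name__ == "__main__":
    for order in ("exempt_first", "limited_first"):
        verdicts = simulate(order, SAMPLE_ATTEMPTS)
        print(order)
        for (t, src), verdict in zip(SAMPLE_ATTEMPTS, verdicts):
            print(f"  t={t:3.1f}s  {src:<12}  {verdict}")
```

With the exempt rule first, the exempt host's three attempts never touch the bucket and 203.0.113.5 gets its burst of two before the third attempt is dropped. With the order reversed, the exempt host's attempts are counted against the shared bucket and drain it, so 203.0.113.5 is dropped from its very first attempt; the exempt host itself still gets in because an exhausted bucket falls through to the next rule rather than dropping. Either way the lesson matches Tom's answer: put the exemption ahead of the rate-limited rule so the exempt hosts neither consume nor depend on the limit.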