ericdes wrote:
> I have this rule in place:
> --------------------------------------
> DNAT net dmz:10.0.0.7 tcp 80,443 - 94.23.242.44
> --------------------------------------
>
> When I change this policy:
> --------------------------------------
> net dmz DROP
> --------------------------------------
>
> to:
> --------------------------------------
> net dmz DROP info 8/sec:30
> --------------------------------------
>
> I see some drops in the logs, which results in some timeouts. Although
> most of the traffic from 94.23.242.44 is well redirected to 10.0.0.7.
> --------------------------------------
> Jan 20 19:24:29 ks309069 kernel: Shorewall:net2dmz:DROP:IN=eth0
> OUT=vmbr0 SRC=74.127.214.2 DST=10.0.0.7 LEN=52 TOS=0x00 PREC=0x00
> TTL=244 ID=7235 DF PROTO=TCP SPT=49967 DPT=80 WINDOW=32768 RES=0x00 SYN
> URGP=0
> Jan 20 19:24:40 ks309069 kernel: Shorewall:net2dmz:DROP:IN=eth0
> OUT=vmbr0 SRC=90.26.201.69 DST=10.0.0.7 LEN=48 TOS=0x00 PREC=0x00
> TTL=115 ID=18626 DF PROTO=TCP SPT=61468 DPT=80 WINDOW=8192 RES=0x00 SYN
> URGP=0
> --------------------------------------
>
> Isn't the rule sufficient to forward all http/https requests to
> 94.23.242.44 to be redirected to the virtual server at 10.0.0.7?
The policy RATE/LIMIT applies to ALL traffic from net->dmz, including
the redirected traffic; when you limit that traffic, some of it may get
dropped.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
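
Added example, not part of the original thread and not Shorewall's own code: a simplified token-bucket model of the `8/sec:30` limit, showing why steady traffic passes while a short burst of connections to the DNAT'd server is partly dropped. The one-token-per-new-connection model and the arrival times are assumptions constructed for illustration.

```python
# Simplified token-bucket model of a "8/sec:30" limit (8 per second, burst 30).
# Assumption: every new net->dmz connection (a SYN, as in the logged drops)
# costs one token, whether or not it also matches the DNAT rule. A connection
# that arrives when less than one token is available is dropped.

def apply_limit(arrivals, rate=8.0, burst=30):
    """Return (accepted, dropped) lists of arrival times in seconds."""
    tokens = float(burst)      # the bucket starts full
    last = None
    accepted, dropped = [], []
    for t in sorted(arrivals):
        if last is not None:
            # Refill at `rate` tokens per second, never above `burst`.
            tokens = min(float(burst), tokens + (t - last) * rate)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            accepted.append(t)
        else:
            dropped.append(t)
    return accepted, dropped


def constructed_traffic():
    """Constructed sample: 10 s of steady load, then a one-second spike."""
    steady = [i / 5 for i in range(50)]        # 5 new connections per second
    spike = [10 + i / 60 for i in range(60)]   # 60 new connections in 1 second
    return steady, spike


if __name__ == "__main__":
    steady, spike = constructed_traffic()
    ok, lost = apply_limit(steady)
    print("steady: accepted=%d dropped=%d" % (len(ok), len(lost)))
    ok, lost = apply_limit(steady + spike)
    print("steady+spike: accepted=%d dropped=%d" % (len(ok), len(lost)))
```

Clients whose SYN falls in the dropped set see the timeouts described in the question, even though the DNAT rule itself is correct.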