Hi, I am using Squid as a transparent proxy. I have added these 3 lines to my rules file:

    ACCEPT    $FW   net    tcp   www
    ACCEPT    loc   $FW    tcp   8080
    REDIRECT  loc   8080   tcp   www    -   !192.168.100.2

I want to limit the number of connections that are made from every PC on the network to the proxy server. If I change the 2nd rule to

    ACCEPT    loc   $FW    tcp   8080   -   -   s:PROXY:10/sec:15

this will limit the connections for the complete network. How do I do this so that I don't have to add a separate rule for each PC?

Thanks!
------------------------------------------------------------
Swapnil Jain
------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace, Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW http://p.sf.net/sfu/solaris-dev2dev
Swapnil Jain wrote:
> Hi,
>
> I am using Squid as a transparent proxy. I have added these 3 lines to my rules file:
>
>     ACCEPT    $FW   net    tcp   www
>     ACCEPT    loc   $FW    tcp   8080
>     REDIRECT  loc   8080   tcp   www    -   !192.168.100.2
>
> I want to limit the number of connections that are made from every PC on the network to the proxy server. If I change the 2nd rule to
>
>     ACCEPT    loc   $FW    tcp   8080   -   -   s:PROXY:10/sec:15
>
> this will limit the connections for the complete network.

No -- that limits per PC. And you may as well change the REDIRECT rule to a REDIRECT- rule, since you are already accepting connections to port 8080 from the loc zone.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks Tom,

so

    REDIRECT  loc   8080   tcp   www    -   !192.168.100.2   s:PROXY:10/sec:15

would work as well. And what should be an ideal number of connections allowed per PC? Is 10/sec OK or too little?

Thanks!
------------------------------------------------------------
Swapnil Jain

On 12-Feb-2010, at 8:37 PM, Tom Eastep wrote:
> No -- that limits per PC. And you may as well change the REDIRECT rule
> to a REDIRECT- rule, since you are already accepting connections to port
> 8080 from the loc zone.
>
> -Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Swapnil Jain wrote:
> Thanks Tom,
>
> so
>
>     REDIRECT  loc   8080   tcp   www    -   !192.168.100.2   s:PROXY:10/sec:15
>
> would work as well.

It occurs to me that the Shorewall compiler's handling of the above rule is wrong in all Shorewall-perl versions that support it. The generated '-m hashlimit' match is being applied twice to each rule: once in the NAT table and once in the filter table. I'll release a fix for that shortly. But in the meantime, I would recommend using two rules: REDIRECT- (with no RATE LIMIT) and an ACCEPT rule that includes the RATE LIMIT.

> And what should be an ideal number of connections allowed per PC? Is 10/sec OK or too little?

I have no idea. I've never tried to limit HTTP connections per-IP, but 10/sec seems high, given that you have a generous burst value (15).

-Tom
I think applying the rate limit to the ACCEPT rule didn't work; applying it to the REDIRECT rule works. I am using 4.4.4.1.

I am still confused about the burst value?

Thanks!
------------------------------------------------------------
Swapnil Jain ( http://swapnil-indore.blogspot.com/ )
Networking & Security Consultant ( http://www.pisces.net.in )
Indore, India
------------------------------------------------------------
E-mail: swapnil@pisces.net.in
GTalk : swapnil@pisces.net.in
MSN: jswapnil@hotmail.com
Skype : sj1410
YIM : sj1410
------------------------------------------------------------

On 13-Feb-2010, at 8:40 PM, Tom Eastep wrote:
> I'll release a fix for that shortly. But in the meantime, I would
> recommend using two rules: REDIRECT- (with no RATE LIMIT) and an ACCEPT
> rule that includes the RATE LIMIT.
>
> I have no idea. I've never tried to limit HTTP connections per-IP, but
> 10/sec seems high, given that you have a generous burst value (15).
>
> -Tom
On Sun, 2010-02-14 at 12:39 +0530, Swapnil Jain wrote:
> I think applying the rate limit to the ACCEPT rule didn't work; applying it to the REDIRECT rule works.
> I am using 4.4.4.1.
>
> I am still confused about the burst value?

Look at the description of LOGRATE in the output of 'man shorewall.conf'. It describes how burst and rate work.

-Tom
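The two points Tom makes in this thread, that `s:PROXY:10/sec:15` limits each PC separately rather than the whole network, and that `10/sec` with a burst of 15 is generous, are easiest to see with a token-bucket model of the match Shorewall emits. The block below is an added example written for this page; it is not Shorewall or Netfilter code. It assumes the RATE LIMIT column format `[s|d:][name:]rate/{sec|min|hour|day}[:burst]` (inferred from the thread's own entry), that `s:` keys one bucket per source address, `d:` per destination, and a bare `rate/unit` one shared bucket, and that each bucket starts full at `burst` tokens, refills at `rate`, and costs one token per new connection (the usual token-bucket reading of the `limit`/`hashlimit` matches; the default burst of 5 is iptables' default). The host addresses and connection timings are constructed for the demonstration.

```python
"""Token-bucket model of a Shorewall RATE LIMIT entry such as s:PROXY:10/sec:15.

Added example for this thread, not Shorewall or Netfilter code.  Assumptions:
a bucket is full (burst tokens) when its key is first seen, refills at `rate`
tokens per second, never exceeds `burst`, and each new connection costs one token.
"""
import re
from fractions import Fraction

# Assumed format, inferred from the thread's "s:PROXY:10/sec:15":
#   [s|d:][name:]rate/{sec|min|hour|day}[:burst]
# "s" keys a bucket per source address, "d" per destination, no prefix means
# one shared bucket for everything the rule matches.
_SPEC = re.compile(
    r"^(?:(?P<key>[sd]):)?(?:(?P<name>\w+):)?(?P<rate>\d+)/(?P<unit>sec|min|hour|day)"
    r"(?::(?P<burst>\d+))?$"
)
_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}
DEFAULT_BURST = 5  # iptables' default for --limit-burst / --hashlimit-burst


class RateLimit:
    def __init__(self, spec):
        m = _SPEC.match(spec)
        if m is None:
            raise ValueError("bad RATE LIMIT spec: %r" % spec)
        self.key = m["key"]                 # None, "s" or "d"
        self.name = m["name"] or "limit"
        self.rate = Fraction(int(m["rate"]), _UNIT_SECONDS[m["unit"]])  # tokens/second
        self.burst = int(m["burst"]) if m["burst"] else DEFAULT_BURST
        self._buckets = {}                  # bucket id -> (tokens, last_seen_ms)

    def _bucket_id(self, src, dst):
        if self.key == "s":
            return src
        if self.key == "d":
            return dst
        return "*"                          # aggregate: everyone shares one bucket

    def allow(self, now_ms, src, dst="proxy"):
        """True if a new connection from src at now_ms passes the match."""
        bid = self._bucket_id(src, dst)
        tokens, last = self._buckets.get(bid, (Fraction(self.burst), now_ms))
        # Refill for the elapsed time, capped at burst.  Exact arithmetic keeps
        # the one-token boundary from being blurred by floating point.
        tokens = min(Fraction(self.burst),
                     tokens + Fraction(now_ms - last, 1000) * self.rate)
        ok = tokens >= 1
        if ok:
            tokens -= 1
        self._buckets[bid] = (tokens, now_ms)
        return ok


def simulate(spec, events):
    """events: (time_ms, source_ip) new connections in time order.
    Returns {source_ip: accepted_count}."""
    rl = RateLimit(spec)
    accepted = {}
    for t, src in events:
        accepted.setdefault(src, 0)
        if rl.allow(t, src):
            accepted[src] += 1
    return accepted


def one_host_flood(spec="s:PROXY:10/sec:15", count=40, interval_ms=50):
    """One PC opening `count` connections every `interval_ms` ms (20/sec here).
    The burst drains first, then only the sustained rate gets through."""
    return simulate(spec, [(k * interval_ms, "192.168.100.10") for k in range(count)])


def two_hosts_burst(spec="s:PROXY:10/sec:15", per_host=20):
    """Two PCs each opening `per_host` connections at the same instant.
    With s: each PC has its own bucket; with a bare rate they share one."""
    events = [(0, "192.168.100.10")] * per_host + [(0, "192.168.100.11")] * per_host
    return simulate(spec, events)


if __name__ == "__main__":
    print(one_host_flood())                 # {'192.168.100.10': 34}: 15 burst + ~10/sec for 2 s
    print(two_hosts_burst())                # each PC gets 15: the limit is per PC
    print(two_hosts_burst("10/sec:15"))     # shared bucket: 15 in total, the second PC gets 0
```

Running the three scenarios shows why Tom's answer is "that limits per PC": with `s:` every source gets its own 15-token bucket, so two PCs get 30 connections through instantly, while a bare `10/sec:15` would hand the same 15 tokens to the whole zone. It also shows what the burst does: a single PC hammering the proxy at 20 connections per second gets 34 of 40 through in the first two seconds, the 15-token burst plus the 10/sec refill, which is the "generous" behaviour Tom refers to.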