S. J. van Harmelen
2010-Apr-12 20:07 UTC
Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
Hi there. I'm reading and reading through the docs and previous posts, but cannot seem to find what I'm looking for. I want to create a rule that prevents DoS and maybe even DDoS attacks against a specific port. The current rule looks like this (the ports and IPs are dummies of course):

    #ACTION      SOURCE   DEST
    HTTP(DNAT)   net      loc:192.168.1.160

Now how can I convert this rule so I can use the Limit action? I assume the following rule isn't going to work correctly because it misses the DNAT action:

    Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80

So how should I do this? Any help or pointers to some useful docs about this topic are more than welcome!

Regards,
Sander
Tom Eastep
2010-Apr-12 20:16 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
S. J. van Harmelen wrote:
> The current rule looks like this (the ports and IPs are dummies of course):
>
>     #ACTION      SOURCE   DEST
>     HTTP(DNAT)   net      loc:192.168.1.160
>
> Now how can I convert this rule so I can use the Limit action? I assume
> the following rule isn't going to work correctly because it misses the
> DNAT action:
>
>     Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80

    DNAT-                        net   loc:192.168.1.160   tcp   80
    Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
shorewall.net        \________________________________________________
S. J. van Harmelen
2010-Apr-12 20:39 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
Thanks for your quick response Tom! But just so I understand correctly:

Can I just use both rules at the same time?
Does the 'DNAT-' mean something else than 'DNAT'?

I'm very glad you told me the solution, but of course I would be even happier if I understood the solution so next time I can figure it out myself...

Sander
Tom Eastep
2010-Apr-12 20:53 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
S. J. van Harmelen wrote:
> Thanks for your quick response Tom! But just so I understand correctly:
>
> Can I just use both rules at the same time?
> Does the 'DNAT-' mean something else than 'DNAT'?

man shorewall-rules.

-Tom
S. J. van Harmelen
2010-Apr-12 20:56 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
Cool, thanks! All clear now... And yes, I should have looked it up in there myself before mailing back...

Cheers!
Jorge Armando Medina
2010-Apr-13 01:45 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
Tom Eastep wrote:
> S. J. van Harmelen wrote:
>> Now how can I convert this rule so I can use the Limit action?
>
>     DNAT-                        net   loc:192.168.1.160   tcp   80
>     Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80

Good rule! I'm going to add it to my notes :).

Best regards.
S. J. van Harmelen
2010-Apr-13 07:31 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
When reading 'man shorewall-rules' again I wonder if I can accomplish the same behavior with this single rule:

    #ACTION      SOURCE   DEST                PROTO   DEST      SOURCE    ORIGINAL   RATE                   USER/   MARK
    #                                                 PORT(S)   PORT(S)   DEST       LIMIT                  GROUP
    HTTP(DNAT)   net      loc:192.168.1.160   -       -         -         -          s:HTTPACCESS:3/min:3

It looks to me as if this has the same effect as the two rules given below (if I understand the rules correctly). So could someone then tell me what the difference is (if any) between the two ways to achieve this effect?

And one last question... Both limiting rules work by counting the currently connected TCP sessions, right? So when you open a webpage on a webserver it sets up one TCP session on port 80 for you and then your requests (for webpages and pictures etc.) to the webserver are all handled within that one connected TCP session, right? So when using the rate limit to limit 3 connections per minute I can open 3 instances of Firefox and they can all connect to the webserver and browse there, but when opening the 4th instance of Firefox, its connection request will be dropped. But then after a minute (with the other 3 connections still connected) I can connect the 4th instance also because it's a new minute and so 3 new connections can be made. Is this how these rules work? And is this the same for the rule I added above this text as for the two rules I got from Tom? Or do they behave differently?

Sorry if it sounds dumb, but I just want to really understand correctly how these rules should be applied.

Sander

Tom Eastep wrote:
>     DNAT-                        net   loc:192.168.1.160   tcp   80
>     Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80
Tom Eastep
2010-Apr-13 13:49 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
S. J. van Harmelen wrote:
> When reading 'man shorewall-rules' again I wonder if I can accomplish
> the same behavior with this single rule:
>
>     #ACTION      SOURCE   DEST                PROTO   DEST      SOURCE    ORIGINAL   RATE                   USER/   MARK
>     #                                                 PORT(S)   PORT(S)   DEST       LIMIT                  GROUP
>     HTTP(DNAT)   net      loc:192.168.1.160   -       -         -         -          s:HTTPACCESS:3/min:3
>
> It looks to me as if this has the same effect as the two rules given
> below (if I understand the rules correctly). So could someone then
> tell me what the difference is (if any) between the two ways to
> achieve this effect?

The above rule is broken in Shorewall releases prior to 4.4.8. So I don't recommend using it unless

> And one last question... Both limiting rules work by counting the
> currently connected TCP sessions, right?

No. The Limit action works by keeping track of how many connections were made in the last period; if that is greater than the limit, then the connection is optionally logged then dropped; otherwise, the connection is accepted.

Using per-IP limiting in the RATE/LIMIT column as shown above involves a token bucket (en.wikipedia.org/wiki/Token_bucket). If the source IP has a token, then the connection is allowed and the IP has one fewer tokens; otherwise, the connection is passed to the next applicable rule. See shorewall.net/configuration_file_basics.htm#RateLimit.

-Tom
S. J. van Harmelen
2010-Apr-13 15:08 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
Again thanks for your reply Tom! I use version 4.4.8 so then I can choose which rule to use I suppose. I think I understand the differences between the options now, but I'm still not sure what's the best choice when using the rules as DoS/DDoS prevention (like in my earlier example).

I think I'll go with the Limit action since this rule drops traffic directly when the limit is reached, as opposed to using the RATE/LIMIT column which allows the traffic to be checked against all other rules before it gets dropped when it hits the policy for the specific zones (which is configured to log and drop).

Sander
S. J. van Harmelen
2010-Apr-14 09:03 UTC
ERROR: Invalid zone name (mgt_ilom) : /etc/shorewall/zones (line 19)
I understand this error is due to the size limit of a zone name which by default is set to 5, correct? But I don't understand from the docs how to change the limit to a higher number. My largest zone name is 12 characters...

In 'man shorewall-zones' I read:

    ZONE - zone[:parent-zone[,parent-zone]...]
        Name of the zone. The names "all", "none", "SOURCE" and "DEST" are
        reserved and may not be used as zone names. The maximum length of a
        zone name is determined by the setting of the LOGFORMAT option in
        shorewall.conf(5). With the default LOGFORMAT, zone names can be at
        most 5 characters long.

And in 'man shorewall.conf' I read:

    LOGFORMAT=["formattemplate"]
        The value of this variable generates the --log-prefix setting for
        Shorewall logging rules. It contains a "printf" formatting template
        which accepts three arguments (the chain name, logging rule number
        (optional) and the disposition). To use LOGFORMAT with fireparse,
        set it as:

            LOGFORMAT="fp=%s:%d a=%s "

        If the LOGFORMAT value contains the substring "%d" then the logging
        rule number is calculated and formatted in that position; if that
        substring is not included then the rule number is not included. If
        not supplied or supplied as empty (LOGFORMAT="") then
        "Shorewall:%s:%s:" is assumed.

But after reading this I still have no clue on how to change the current setting (LOGFORMAT="Shorewall:%s:%s:") to allow a 12 character zone name...

Sander
Tom Eastep
2010-Apr-14 14:04 UTC
Re: ERROR: Invalid zone name (mgt_ilom) : /etc/shorewall/zones (line 19)
S. J. van Harmelen wrote:
> But after reading this I still have no clue on how to change the current
> setting (LOGFORMAT="Shorewall:%s:%s:") to allow a 12 character zone name...

The shortest usable LOGFORMAT is LOGFORMAT="%s:%s:".

-Tom

PS -- Some people think that LOGFORMAT="%s %s " is easier to read.
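The zone-name limit follows from the length of the iptables log prefix, and it can be worked out for any LOGFORMAT rather than looked up per case. The script below is an added example, not code from this thread or from Shorewall; it derives the limit under assumptions I state in its docstring (a 29-character --log-prefix, a "<zone>2<zone>" chain name, a 6-character worst-case disposition, a 3-digit rule number) and is calibrated so that the default LOGFORMAT gives the 5 characters the man page quotes. Shorewall's own arithmetic may round differently, so treat the numbers as a derivation, not as the project's figure.

```python
"""Added example, not from the thread or from Shorewall's own code: compute the
longest zone name a given LOGFORMAT leaves room for.

Assumptions (my derivation, calibrated so that the default LOGFORMAT yields
the 5 characters the man page states; Shorewall's own arithmetic may differ):
  * an iptables --log-prefix holds at most 29 characters;
  * LOGFORMAT is filled with the chain name and the disposition (plus the
    rule number where "%d" is present), in that order, as the man page says;
  * the longest chain name is "<zone>2<zone>" for two zones of maximal length;
  * the longest logged disposition is 6 characters ("ACCEPT"/"REJECT");
  * a "%d" rule number is at most 3 digits.
"""
LOG_PREFIX_MAX = 29           # assumed iptables --log-prefix limit
WORST_DISPOSITION = "ACCEPT"  # assumed longest disposition in a prefix
WORST_RULE_NUMBER = 999       # assumed widest rule number for a "%d" format


def log_prefix(logformat, chain, disposition, rule_number=WORST_RULE_NUMBER):
    """Render LOGFORMAT as described in shorewall.conf(5): chain, [rule number], disposition."""
    if "%d" in logformat:
        return logformat % (chain, rule_number, disposition)
    return logformat % (chain, disposition)


def max_zone_name_length(logformat):
    """Largest n such that the worst-case prefix for an n-char-to-n-char chain still fits."""
    n = 0
    while True:
        zone = "z" * (n + 1)
        prefix = log_prefix(logformat, zone + "2" + zone, WORST_DISPOSITION)
        if len(prefix) > LOG_PREFIX_MAX:
            return n
        n += 1


def zone_name_fits(logformat, zone):
    """True if `zone` is short enough for `logformat` under the assumptions above."""
    return len(zone) <= max_zone_name_length(logformat)


if __name__ == "__main__":
    for fmt in ("Shorewall:%s:%s:", "%s:%s:", "%s %s ", "fp=%s:%d a=%s "):
        print(repr(fmt), "->", max_zone_name_length(fmt))
    print("mgt_ilom with the default LOGFORMAT:", zone_name_fits("Shorewall:%s:%s:", "mgt_ilom"))
    print("mgt_ilom with LOGFORMAT=%s:%s:     :", zone_name_fits("%s:%s:", "mgt_ilom"))
```

Under these assumptions the default format allows 5 characters, "%s:%s:" and "%s %s " allow 10, and the fireparse format allows 5 again; the 8-character "mgt_ilom" from the error message fits once LOGFORMAT is shortened, but a 12-character zone name would not fit any LOGFORMAT that still carries both the chain name and the disposition.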
S. J. van Harmelen
2010-Apr-14 18:16 UTC
Re: ERROR: Invalid zone name (mgt_ilom) : /etc/shorewall/zones (line 19)
Reading your comment and reading 'man shorewall-zones' again, I now understand how it works... Thanks!

Oh, and did I say already that Shorewall is really an outstanding piece of work!!

Cheers...
S. J. van Harmelen
2010-Apr-14 18:44 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
When I try your rules:

    DNAT-                        net   loc:192.168.1.160   tcp   80
    Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80

I receive this warning when doing 'shorewall check':

    WARNING: The destination zone (loc) is ignored in DNAT rules : /etc/shorewall/rules (line 34)

I understand that it is just a warning, but should I change anything to get rid of the warning? Or is this the only way and should I just ignore the warning?

Sander
Tom Eastep
2010-Apr-14 19:31 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
S. J. van Harmelen wrote:
> When I try your rules:
>
>     DNAT-                        net   loc:192.168.1.160   tcp   80
>     Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80
>
> I receive this warning when doing 'shorewall check':
>
>     WARNING: The destination zone (loc) is ignored in DNAT rules :
>     /etc/shorewall/rules (line 34)
>
> I understand that it is just a warning, but should I change anything
> to get rid of the warning? Or is this the only way and should I just
> ignore the warning?

I gave you those rules before you had mentioned what version of Shorewall you were running. Replace 'net' with '-' in the first rule.

-Tom
S. J. van Harmelen
2010-Apr-14 20:17 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
You're absolutely right about me not telling you what version I used...

So I tried to substitute 'net' with '-' but then I received this error:

    ERROR: Missing source zone : /etc/shorewall/rules (line 34)

When I substitute 'loc:192.168.1.160' with '-' I get the error:

    ERROR: Unknown Host (0.0.0.0/0) : /etc/shorewall/rules (line 34)

But when I only substitute 'loc' with '-' it works without any warnings :) So now I use:

    DNAT-                        net   -:192.168.1.160     tcp   80
    Limit:info:HTTPACCESS,3,60   net   loc:192.168.1.160   tcp   80

Sander
S. J. van Harmelen
2010-Apr-15 14:43 UTC
Re: Using the Limit action on a DNAT rule to prevent DoS attacks on a specific port
Hi again...

Today I tried to put my Shorewall config in production, but had to undo it really fast because I had connection problems. When trying to connect to our website I noticed that it connected, but then wasn't able to load the whole page in one time. Now I understand how a webpage is loaded (each picture is a separate call to the webserver) so I know it has something to do with the limit action that I set...

You already explained how the limit action works:

"The Limit action works by keeping track of how many connections were made in the last period"

But I still have trouble understanding what you are saying here (sorry). In the example of loading a webpage with a few pictures in it... Is every request to the server counted as a new connection? In that case I guess it's not really useful to set a limit action on a http rule, right? As then it's quite hard to set the correct limit number to enable normal browsing but prevent DoS'ing...

I also read about the connlimit option. Should that be a better option in this case? I take it that this option does indeed just count the total number of concurrent TCP sessions from a specific IP address, the only drawback is that the connections aren't counted per rule but in total over all rules, correct? Any pros and cons I miss? And the docs don't say what happens when a new session is started when the limit is reached? Will the new session be logged and dropped?

Sander

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday 13 April 2010 15:49
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to prevent DoS attacks on a specific port

S. J. van Harmelen wrote:
> When reading the 'man shorewall-rules' again I wonder if I can
> accomplish the same behavior with this single rule:
>
> #ACTION     SOURCE  DEST               PROTO  DEST     SOURCE   ORIGINAL  RATE                  USER/  MARK
> #                                             PORT(S)  PORT(S)  DEST      LIMIT                 GROUP
> HTTP(DNAT)  net     loc:192.168.1.160  -      -        -        -         s:HTTPACCESS:3/min:3
>
> It looks to me if this has the same effect as the two rules given
> below (if I understand the rules correctly). So could someone then
> tell me what the difference is (if any) between the two ways to
> achieve this effect?

The above rule is broken in Shorewall releases prior to 4.4.8. So I don't recommend using it unless

> And one last question... Both limiting rules work by counting the
> current connected TCP sessions right?

No. The Limit action works by keeping track of how many connections were made in the last period; if that is greater than the limit, then the connection is optionally logged then dropped; otherwise, the connection is accepted.

Using per-IP limiting in the RATE/LIMIT column as shown above involves a token bucket (en.wikipedia.org/wiki/Token_bucket). If the source IP has a token, then the connection is allowed and the IP has one fewer tokens; otherwise, the connection is passed to the next applicable rule. See shorewall.net/configuration_file_basics.htm#RateLimit.

-Tom
Tom Eastep
2010-Apr-15 16:03 UTC
Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port
S. J. van Harmelen wrote:
> Today I tried to put my Shorewall config in production, but had to undo it
> really fast because I had connection problems. When trying to connect to our
> website I noticed that it connected, but then wasn't able to load the whole
> page in one time. Now I understand how a webpage is loaded (each picture is
> a separate call to the webserver) so I know it has something to do with the
> limit action that I set...
>
> You already explained how the limit action works:
>
> "The Limit action works by keeping track of how many connections were
> made in the last period"
>
> But I still have trouble understanding what you are saying here (sorry). In
> the example of loading a webpage with a few pictures in it... Is every
> request to the server counted as a new connection?

I neither know nor do I care when Web browsers decide to open new connections to a server. I know that if I look at about:config in my Firefox (Iceweasel) browser, there is a max-connections-per-server setting that has the value 15. So I further assume that any limiting of connections to less than 15 in a short period of time would cause issues for my browser.

> In that case I guess it's
> not really useful to set a limit action on a http rule, right? As then it's
> quite hard to set the correct limit number to enable normal browsing but
> prevent DoS'ing...

I think, as in all such things, you should start out with a conservative setting and go from there.

> I also read about the connlimit option. Should that be a better option in
> this case? I take it that this option does indeed just count the total
> number of concurrent TCP sessions from a specific IP address, the only
> drawback is that the connections aren't counted per rule but in total over
> all rules, correct?

That's correct.

> Any pros and cons I miss? And the docs don't say what happens when a new
> session is started when the limit is reached? Will the new session be logged
> and dropped?

Like any netfilter rule, if the rule doesn't match then the connection is passed on to the next rule.

-Tom
S. J. van Harmelen
2010-Apr-15 18:50 UTC
Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port
Ok... Thanks for the good info. Very much appreciated!

After reading your comments I decided to use the RATE/LIMIT option (only available in version 4.4.8) instead, since it has the burst option which sounds really good in my case :)

I do have one question about that... The docs say:

"After each interval (15 seconds) that passes without a connection arriving, the burst count is incremented by 1 but is not allowed to exceed its initial setting".

It says "without a connection arriving", but I assume that even if a connection arrives during the interval (which gets passed along to the other rules and is not matched to the rule in question because the burst count is 0), then after the interval period the burst count is incremented? Or does the burst count only get incremented when no new connection arrives at the rule for at least the duration of the interval period?

Sander
Tom Eastep
2010-Apr-15 21:23 UTC
Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port
S. J. van Harmelen wrote:
> It says "without a connection arriving", but I assume that even if a
> connection arrives during the interval (which gets passed along to the
> other rules and is not matched to the rule in question because the
> burst count is 0), then after the interval period the burst count is
> incremented? Or does the burst count only get incremented when no
> new connection arrives at the rule for at least the duration of the
> interval period?

Yes.

-Tom
S. J. van Harmelen
2010-Apr-16 07:43 UTC
Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port
Uuh... I understand that you're a man of few words ;) But since you're saying yes to two opposite explanations I still don't know which explanation is the correct one?

1. It says "without a connection arriving", but I assume that even if a connection arrives during the interval (which then gets passed along to the other rules and is not matched to the rule in question because the burst count is 0), then after the interval period the burst count is incremented?

2. Or does the burst count only get incremented when no new connections are even attempted for at least the duration of the interval period? So that means the interval will reset and start ticking again every time a connection arrives (even if that connection is not allowed to pass through the rule) until it ticks away to the complete interval time?

So is explanation 1 true and/or is explanation 2 true? I assume only one of them can be true at the same time...

Sander
Tom Eastep
2010-Apr-16 13:17 UTC
Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port
S. J. van Harmelen wrote:
> Uuh... I understand that you're a man of few words ;) But since you're
> saying yes to two opposite explanations I still don't know which explanation
> is the correct one?
>
> 1. It says "without a connection arriving", but I assume that even if a
> connection arrives during the interval (which then gets passed along to the
> other rules and is not matched to the rule in question because the burst
> count is 0), then after the interval period the burst count is incremented?
>
> 2. Or does the burst count only get incremented when no new connections are
> even attempted for at least the duration of the interval period? So that
> means the interval will reset and start ticking again every time a
> connection arrives (even if that connection is not allowed to pass through
> the rule) until it ticks away to the complete interval time?

If a packet arrives, the count immediately goes back to zero and the packet is accepted. The point is that the only way for the burst count to increment over time is that the arrival rate must be less than the specified rate; there must be periods during which no packet arrives in order for the burst count to be restored to its maximum value.

-Tom
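To make the two mechanisms discussed in this thread concrete, here is an added simulation (my own code, not Shorewall's and not from anyone in the thread) of the Limit action as Tom describes it, which drops connections over the limit, next to the RATE/LIMIT token bucket, which merely stops matching so the connection falls through to the next rule. It assumes Limit(HTTPACCESS,3,60) allows at most 3 accepted connections per source in any 60 s window, a standard token bucket earning one token per 20 s for 3/min with a burst of 3, and a constructed browser that opens 15 connections per page load from a constructed client address.

```python
"""Simulate the two Shorewall rate limiters discussed in this thread.
Constructed example: semantics follow Tom's description, not Shorewall's code.
  Limit:info:HTTPACCESS,3,60         -> LimitAction(limit=3, period=60)
  s:HTTPACCESS:3/min:3 (RATE/LIMIT)  -> TokenBucket(rate_per_min=3, burst=3)
"""
from collections import defaultdict, deque


class LimitAction:
    """Limit action: count accepted connections per source in the last `period`
    seconds; at `limit` the next one is logged and dropped (assumption: dropped
    attempts are not added to the window)."""

    def __init__(self, limit, period):
        self.limit, self.period = limit, period
        self.history = defaultdict(deque)  # src -> timestamps of accepts

    def check(self, src, now):
        hist = self.history[src]
        while hist and now - hist[0] > self.period:  # expire old entries
            hist.popleft()
        if len(hist) >= self.limit:
            return "DROP"                 # over the limit: logged, then dropped
        hist.append(now)
        return "ACCEPT"


class TokenBucket:
    """RATE/LIMIT column: per-source token bucket. One token is earned every
    60/rate seconds (20 s for 3/min), never exceeding `burst`; a connection
    spends a token, and with none left the rule simply does not match."""

    def __init__(self, rate_per_min, burst):
        self.interval = 60.0 / rate_per_min
        self.burst = burst
        self.state = {}  # src -> (tokens, time of last check)

    def check(self, src, now):
        tokens, last = self.state.get(src, (self.burst, now))
        # Refill depends only on elapsed time; arrivals faster than the rate
        # never let the count climb back to a whole token.
        tokens = min(self.burst, tokens + (now - last) / self.interval)
        if tokens >= 1:
            self.state[src] = (tokens - 1, now)
            return "MATCH"                # rule matches: DNAT to the web server
        self.state[src] = (tokens, now)
        return "NEXT_RULE"                # no token: fall through to the next rule


def page_load(src, start, n=15):
    """Constructed traffic: a browser opening n connections within one second."""
    return [(start + i / n, src) for i in range(n)]


def passed(policy, arrivals):
    """Number of arrivals the policy lets through (ACCEPT or MATCH)."""
    return sum(policy.check(src, t) in ("ACCEPT", "MATCH") for t, src in arrivals)


def run_scenario(policy):
    """Three page loads from one client: at t=0, 30 s later, and after a long
    idle gap. Returns how many of the 15 connections got through each time."""
    client = "203.0.113.7"  # constructed client address
    return [passed(policy, page_load(client, t0)) for t0 in (0.0, 30.0, 200.0)]


if __name__ == "__main__":
    print("Limit action:", run_scenario(LimitAction(3, 60)))  # [3, 0, 3]
    print("RATE/LIMIT  :", run_scenario(TokenBucket(3, 3)))   # [3, 1, 3]
```

The second page load shows Tom's point: after 30 s of almost-idle time the bucket has earned only one and a half tokens, so one connection matches and the rest fall through, while the Limit action still drops everything because its 60 s window has not emptied.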
S. J. van Harmelen
2010-Apr-16 13:38 UTC
Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port
Thanks Tom, all clear now!

I just tweaked the numbers a bit and put the firewall in production and it seems to run great with the new settings! Thanks for all your time and patience...

Sander