Shorewall users - Apr 2010 - Using the limit action on a DNAT rule to prevent DoS attackson a specific port

Hi there.

 

I''m reading and reading through the doc''s and previous posts,
but cannot
seem to find what I''m looking for. I want to create a rule that
prevents DoS
and maybe even DDoS attacks against a specific port. The current rule looks
like this (the PORT''s and IP''s are dummies of course):

 

 

#ACTION           SOURCE          DEST               

HTTP(DNAT)     net                    loc:192.168.1.160 

 

Now how can I convert this rule so I can use the limit action? I assume the
following rule isn''t going to work correct because it misses the DNAT
action:

 

Limit:info:HTTPACCESS,3,60   net               loc:192.168.1.160
tcp         80

 

So how should I do this? Any help or pointers the some usefull doc''s
about
this topic are more then welcome!

 

Regards,

 

Sander



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

S. J. van Harmelen wrote:
> I’m reading and reading through the doc’s and previous posts, but cannot
> seem to find what I’m looking for. I want to create a rule that prevents
> DoS and maybe even DDoS attacks against a specific port. The current
> rule looks like this (the PORT’s and IP’s are dummies of course):
> 
> #ACTION           SOURCE          DEST              
> HTTP(DNAT)        net             loc:192.168.1.160
> 
> Now how can I convert this rule so I can use the limit action? I assume
> the following rule isn’t going to work correct because it misses the
> DNAT action:
>
> Limit:info:HTTPACCESS,3,60     net  loc:192.168.1.160    tcp         80
> 
> So how should I do this? Any help or pointers the some usefull doc’s
> about this topic are more then welcome!
DNAT-     			net   loc:192.168.1.160	tcp	80
Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Thanks for your quick response Tom! But just so do I understand correctly:

Can I just use both rules at the same time?
Does the 'DNAT-' mean something else than 'DNAT'?

I'm very glad you told me the solution, but of course I would even be more
happy if I understood the solution so next time I can figure it out myself...

Sander


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: maandag 12 april 2010 22:16
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to prevent
DoS attackson a specific port

S. J. van Harmelen wrote:
> I’m reading and reading through the doc’s and previous posts, but cannot
> seem to find what I’m looking for. I want to create a rule that prevents
> DoS and maybe even DDoS attacks against a specific port. The current
> rule looks like this (the PORT’s and IP’s are dummies of course):
> 
> #ACTION           SOURCE          DEST              
> HTTP(DNAT)        net             loc:192.168.1.160
> 
> Now how can I convert this rule so I can use the limit action? I assume
> the following rule isn’t going to work correct because it misses the
> DNAT action:
>
> Limit:info:HTTPACCESS,3,60     net  loc:192.168.1.160    tcp         80
> 
> So how should I do this? Any help or pointers the some usefull doc’s
> about this topic are more then welcome!
DNAT-     			net   loc:192.168.1.160	tcp	80
Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

S. J. van Harmelen wrote:
> Thanks for your quick response Tom! But just so do I understand correctly:
> 
> Can I just use both rules at the same time?
> Does the ''DNAT-'' mean something else than
''DNAT''?
man shorewall-rules.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Cool, thanks! All clear now...

And yes, I should have looked it up in there myself before mailing back...

Cheers!


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: maandag 12 april 2010 22:54
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attackson a specific port

S. J. van Harmelen wrote:
> Thanks for your quick response Tom! But just so do I understand correctly:
> 
> Can I just use both rules at the same time?
> Does the ''DNAT-'' mean something else than
''DNAT''?
man shorewall-rules.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Tom Eastep wrote:
> S. J. van Harmelen wrote:
>   
>> I’m reading and reading through the doc’s and previous posts, but
cannot
>> seem to find what I’m looking for. I want to create a rule that
prevents
>> DoS and maybe even DDoS attacks against a specific port. The current
>> rule looks like this (the PORT’s and IP’s are dummies of course):
>>
>> #ACTION           SOURCE          DEST              
>> HTTP(DNAT)        net             loc:192.168.1.160
>>
>> Now how can I convert this rule so I can use the limit action? I assume
>> the following rule isn’t going to work correct because it misses the
>> DNAT action:
>>
>> Limit:info:HTTPACCESS,3,60     net  loc:192.168.1.160    tcp         80
>>
>> So how should I do this? Any help or pointers the some usefull doc’s
>> about this topic are more then welcome!
>>     
>
> DNAT-     			net   loc:192.168.1.160	tcp	80
> Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80
>   
Good rule!

Im going to add it to my notes :).

Best regards.
> -Tom
>   



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

When reading the 'man shorewall-rules' again I wonder if I can
accomplice the same behavior with this single rule:


#ACTION	SOURCE	DEST              	PROTO	DEST	SOURCE	ORIGINAL	RATE				USER/		MARK
#                                                   	PORT	PORT(S)	DEST		LIMIT			
GROUP
HTTP(DNAT)	net		loc:192.168.1.160		-	-	-       	-		s:HTTPACCESS:3/min:3


It looks to me if this has the same effect as the two rules given below (if I
understand the rules correctly). So could someone then tell me what the
difference is (if any) between the two ways to achieve this effect?

And one last question... Both limiting rules work by counting the current
connected TCP sessions right? So when you open a webpage on a webserver it sets
up one TCP session on port 80 for you and then your requests (for webpages and
pictures e.d.) to the webserver are all handled within that one connected TCP
session right? So when using the rate limit to limit 3 connections per minute I
can open 3 instances of firefox and they can all connect to the webserver and
browse there, but when opening the 4th instance of firefox, it connection
request will be dropped. But then after a minute (with the other 3 connections
still connected) I can connect the 4th instance also because the it's a new
minute and so 3 new connections can be made.

Is this how these rules work? And is this the same for the rule I added above
this text as the two rule I got from Tom? Or do they behave differently? Sorry
if it sounds dump, by I just want to really understand correctly how these rules
should be applied.

Sander


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: maandag 12 april 2010 22:16
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to prevent
DoS attackson a specific port

S. J. van Harmelen wrote:
> I’m reading and reading through the doc’s and previous posts, but cannot
> seem to find what I’m looking for. I want to create a rule that prevents
> DoS and maybe even DDoS attacks against a specific port. The current
> rule looks like this (the PORT’s and IP’s are dummies of course):
> 
> #ACTION           SOURCE          DEST              
> HTTP(DNAT)        net             loc:192.168.1.160
> 
> Now how can I convert this rule so I can use the limit action? I assume
> the following rule isn’t going to work correct because it misses the
> DNAT action:
>
> Limit:info:HTTPACCESS,3,60     net  loc:192.168.1.160    tcp         80
> 
> So how should I do this? Any help or pointers the some usefull doc’s
> about this topic are more then welcome!
DNAT-     			net   loc:192.168.1.160	tcp	80
Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

S. J. van Harmelen wrote:
> When reading the ''man shorewall-rules'' again I wonder if
I can
> accomplice the same behavior with this single rule:
> 
> 
> #ACTION	SOURCE	DEST              	PROTO	DEST	SOURCE	ORIGINAL	RATE     
USER/		MARK
> 							PORT(S)	PORT(S)	DEST		LIMIT	  GROUP
>HTTP(DNAT)	net	loc:192.168.1.160	-	-	-	-		s:HTTPACCESS:3/min:3
> 
> 
> It looks to me if this has the same effect as the two rules given
> below (if I understand the rules correctly). So could someone then
> tell me what the difference is (if any) between the two ways to
> achieve this effect?
The above rule is broken in Shorewall releases prior to 4.4.8. So I
don''t recommend using it unless
> 
> And one last question... Both limiting rules work by counting the
> current connected TCP sessions right?
No.

The Limit action works by keeping track of how many connections were
made in the last period; if that is greater than the limit, then the
connection is optionally logged then dropped; otherwise, the connection
is accepted.

Using per-IP limiting in the RATE/LIMIT column as shown above involves a
token bucket (http://en.wikipedia.org/wiki/Token_bucket). If the source
IP has a token, then the connection is allowed and the IP has one fewer
tokens; otherwise, the connection is passed to the next applicable rule.
See http://www.shorewall.net/configuration_file_basics.htm#RateLimit.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Again thanks for your reply Tom! I use version 4.4.8 so then I can choose
which rule to use I suppose.

I think I understand the differences between the options now, but I''m
still
not sure what''s the best choice when using the rules as DoS/DDoS
prevention
(like in my earlier example). I think I''ll go with the Limit action
since
this rule drops traffic directly when the limit is reached opposed to using
the RATE/LIMIT column which allows the traffic be checked against all other
rules before it gets dropped when it hits the policy for the specific zones
(which is configured to log and drop).

Sander


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: dinsdag 13 april 2010 15:49
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attackson a specific port

S. J. van Harmelen wrote:
> When reading the ''man shorewall-rules'' again I wonder if
I can
> accomplice the same behavior with this single rule:
> 
> 
> #ACTION	SOURCE	DEST              	PROTO	DEST	SOURCE
ORIGINAL	RATE      USER/		MARK
> 							PORT(S)	PORT(S)	DEST
LIMIT	  GROUP
>HTTP(DNAT)	net	loc:192.168.1.160	-	-	-	-
s:HTTPACCESS:3/min:3
> 
> 
> It looks to me if this has the same effect as the two rules given
> below (if I understand the rules correctly). So could someone then
> tell me what the difference is (if any) between the two ways to
> achieve this effect?
The above rule is broken in Shorewall releases prior to 4.4.8. So I
don''t recommend using it unless
> 
> And one last question... Both limiting rules work by counting the
> current connected TCP sessions right?
No.

The Limit action works by keeping track of how many connections were
made in the last period; if that is greater than the limit, then the
connection is optionally logged then dropped; otherwise, the connection
is accepted.

Using per-IP limiting in the RATE/LIMIT column as shown above involves a
token bucket (http://en.wikipedia.org/wiki/Token_bucket). If the source
IP has a token, then the connection is allowed and the IP has one fewer
tokens; otherwise, the connection is passed to the next applicable rule.
See http://www.shorewall.net/configuration_file_basics.htm#RateLimit.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

I understand this error is due to size limit of a zone name which by default
is set to 5, correct?  But I don''t understand from the doc''s
how to change
the limit to a higher number. My largest zone name is 12 characters...


In ''man shorewall-zones'' I read:

ZONE - zone[:parent-zone[,parent-zone]...]
Name of the zone. The names "all", "none",
"SOURCE" and "DEST" are reserved
and may not be used as zone names. The maximum length of a zone name is
determined by the setting of the LOGFORMAT option in shorewall.conf(5). With
the default LOGFORMAT, zone names can be at most 5 characters long.


And in ''man shorewall.conf'' I read:

LOGFORMAT=["formattemplate"]
The value of this variable generate the --log-prefix setting for Shorewall
logging rules. It contains a "printf" formatting template which
accepts
three arguments (the chain name, logging rule number (optional) and the
disposition). To use LOGFORMAT with fireparse, set it as:

    LOGFORMAT="fp=%s:%d a=%s "If the LOGFORMAT value contains the
substring
"%d" then the logging rule number is calculated and formatted in that
position; if that substring is not included then the rule number is not
included. If not supplied or supplied as empty (LOGFORMAT="") then
"Shorewall:%s:%s:" is assumed.


But after reading this I still have no clue on how o change the current
setting (LOGFORMAT="Shorewall:%s:%s:") to allow a 12 character zone
name...

Sander


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

S. J. van Harmelen wrote:
> 
> But after reading this I still have no clue on how o change the current
> setting (LOGFORMAT="Shorewall:%s:%s:") to allow a 12 character
zone name...
The shortest usable LOGFORMAT is LOGFORMAT="%s:%s:".

-Tom

PS -- Some people think that LOGFORMAT is LOGFORMAT="%s %s " is easier
to read.
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Reading your comment and reading ''man shorewall-zones'' again,
I now
understand how it works...

Thanks!

Oh, and did I say already that Shorewall is really an outstanding piece of
work!!

Cheers...


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: woensdag 14 april 2010 16:05
To: Shorewall Users
Subject: Re: [Shorewall-users] ERROR: Invalid zone name (mgt_ilom) :
/etc/shorewall/zones (line 19)

S. J. van Harmelen wrote:
> 
> But after reading this I still have no clue on how o change the current
> setting (LOGFORMAT="Shorewall:%s:%s:") to allow a 12 character
zone
name...

The shortest usable LOGFORMAT is LOGFORMAT="%s:%s:".

-Tom

PS -- Some people think that LOGFORMAT is LOGFORMAT="%s %s " is easier
to read.
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

When I try you rules:

DNAT-     			net   loc:192.168.1.160	tcp	80
Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80

I receive this warning when doing 'shorewall check':

WARNING: The destination zone (loc) is ignored in DNAT rules :
/etc/shorewall/rules (line 34)

I understand that it is just a warning, but should I change anything to get rid
of the warning? Or is this the only way and should I just ignore the warning?

Sander


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: maandag 12 april 2010 22:16
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to prevent
DoS attackson a specific port

S. J. van Harmelen wrote:
> I’m reading and reading through the doc’s and previous posts, but cannot
> seem to find what I’m looking for. I want to create a rule that prevents
> DoS and maybe even DDoS attacks against a specific port. The current
> rule looks like this (the PORT’s and IP’s are dummies of course):
> 
> #ACTION           SOURCE          DEST              
> HTTP(DNAT)        net             loc:192.168.1.160
> 
> Now how can I convert this rule so I can use the limit action? I assume
> the following rule isn’t going to work correct because it misses the
> DNAT action:
>
> Limit:info:HTTPACCESS,3,60     net  loc:192.168.1.160    tcp         80
> 
> So how should I do this? Any help or pointers the some usefull doc’s
> about this topic are more then welcome!
DNAT-     			net   loc:192.168.1.160	tcp	80
Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

S. J. van Harmelen wrote:
> When I try you rules:
> 
> DNAT-     			net   loc:192.168.1.160	tcp	80 
> Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80
> 
> I receive this warning when doing ''shorewall check'':
> 
> WARNING: The destination zone (loc) is ignored in DNAT rules :
> /etc/shorewall/rules (line 34)
> 
> I understand that it is just a warning, but should I change anything
> to get rid of the warning? Or is this the only way and should I just
> ignore the warning?
I gave you those rules before you had mentioned what version of
Shorewall you were running. Replace ''net'' with
''-'' in the first rule.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

You''re absolutely right about me not telling you what version I used...
 
So I tried to substitute ''net'' with ''-'' but
then I received this error:

=> ERROR: Missing source zone : /etc/shorewall/rules (line 34)

When I substitute ''loc:192.168.1.160'' with
''-'' I get the error:

=> ERROR: Unknown Host (0.0.0.0/0) : /etc/shorewall/rules (line 34)

But when I only substitute ''loc'' with ''-'' it
works without any warnings :)
So now I use:

=> DNAT-     					net   -:192.168.1.160
tcp	80 
=> Limit:info:HTTPACCESS,3,60			net   loc:102.168.1.160
tcp	80

Sander


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: woensdag 14 april 2010 21:31
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attackson a specific port

S. J. van Harmelen wrote:
> When I try you rules:
> 
> DNAT-     			net   loc:192.168.1.160	tcp	80 
> Limit:info:HTTPACCESS,3,60      net   loc:102.168.1.160 tcp     80
> 
> I receive this warning when doing ''shorewall check'':
> 
> WARNING: The destination zone (loc) is ignored in DNAT rules :
> /etc/shorewall/rules (line 34)
> 
> I understand that it is just a warning, but should I change anything
> to get rid of the warning? Or is this the only way and should I just
> ignore the warning?
I gave you those rules before you had mentioned what version of
Shorewall you were running. Replace ''net'' with
''-'' in the first rule.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Hi again...

Today I tried to put my Shorewall config in production, but had to undo it
really fast because I had connection problems. When trying to connect to our
website I noticed that it connected, but then wasn''t able to load the
whole
page in one time. Now I understand how a webpage is loaded (each picture is
a separate call to the webserver) so I know it has something to do with the
limit action that I set...

You already explained how the limit action works:

"The Limit action works by keeping track of how many connections were
made in the last period"

But I still have trouble understanding what you are saying here (sorry). In
the example of loading a webpage with a few pictures in it... Is every
request to the server counted as a new connection? In that case I guess
it''s
not really useful to set a limit action on a http rule, right? As then
it''s
quite hard to set the correct limit number to enable normal browsing but
prevent DoS''ing...

I also read about the connlimit option. Should that be a better option in
this case? I take it that this option does indeed just count the total
numbers of concurrent TCP sessions from a specific IP address, the only
drawback is that the connection aren''t counted per rule but in total
over
all rules, correct?

Any pros and cons I miss? And the doc''s don''t say what happens
when a new
session is started when then limit is reached? Will the w session be logged
and dropped?

Sander
 


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: dinsdag 13 april 2010 15:49
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attackson a specific port

S. J. van Harmelen wrote:
> When reading the ''man shorewall-rules'' again I wonder if
I can
> accomplice the same behavior with this single rule:
> 
> 
> #ACTION	SOURCE	DEST              	PROTO	DEST	SOURCE
ORIGINAL	RATE      USER/		MARK
> 							PORT(S)	PORT(S)	DEST
LIMIT	  GROUP
>HTTP(DNAT)	net	loc:192.168.1.160	-	-	-	-
s:HTTPACCESS:3/min:3
> 
> 
> It looks to me if this has the same effect as the two rules given
> below (if I understand the rules correctly). So could someone then
> tell me what the difference is (if any) between the two ways to
> achieve this effect?
The above rule is broken in Shorewall releases prior to 4.4.8. So I
don''t recommend using it unless
> 
> And one last question... Both limiting rules work by counting the
> current connected TCP sessions right?
No.

The Limit action works by keeping track of how many connections were
made in the last period; if that is greater than the limit, then the
connection is optionally logged then dropped; otherwise, the connection
is accepted.

Using per-IP limiting in the RATE/LIMIT column as shown above involves a
token bucket (http://en.wikipedia.org/wiki/Token_bucket). If the source
IP has a token, then the connection is allowed and the IP has one fewer
tokens; otherwise, the connection is passed to the next applicable rule.
See http://www.shorewall.net/configuration_file_basics.htm#RateLimit.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

S. J. van Harmelen wrote:
> Today I tried to put my Shorewall config in production, but had to undo it
> really fast because I had connection problems. When trying to connect to
our
> website I noticed that it connected, but then wasn''t able to load
the whole
> page in one time. Now I understand how a webpage is loaded (each picture is
> a separate call to the webserver) so I know it has something to do with the
> limit action that I set...
> 
> You already explained how the limit action works:
> 
> "The Limit action works by keeping track of how many connections were
> made in the last period"
> 
> But I still have trouble understanding what you are saying here (sorry). In
> the example of loading a webpage with a few pictures in it... Is every
> request to the server counted as a new connection?
I neither know nor do I care when Web browsers decide to open new
connections to a server. I know that if I look at about:config in my
Firefox (Iceweasel) browser, there is a max-connections-per-server
setting that has the value 15. So I further assume that any limiting of
connections to less than 15 in a short period of time would cause issues
for my browser.
> In that case I guess it''s
> not really useful to set a limit action on a http rule, right? As then
it''s
> quite hard to set the correct limit number to enable normal browsing but
> prevent DoS''ing...
I think, as in all such things, you should start out with a conservative
setting and go from there.
> 
> I also read about the connlimit option. Should that be a better option in
> this case? I take it that this option does indeed just count the total
> numbers of concurrent TCP sessions from a specific IP address, the only
> drawback is that the connection aren''t counted per rule but in
total over
> all rules, correct?
That''s correct.
> 
> Any pros and cons I miss? And the doc''s don''t say what
happens when a new
> session is started when then limit is reached? Will the w session be logged
> and dropped?
Like any netfilter rule, if the rule doesn''t match then the connection
is passed on to the next rule.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Ok... Thanks for the good info. Very much appreciated! 

After reading your comments I decided to use the RATE/LIMIT option (only
available in version 4.4.8) instead, since it has the burst option which
sounds really good in my case :)

I do have one question about that... The doc''s say: "After each
interval (15
seconds) that passes without a connection arriving, the burst count is
incremented by 1 but is not allowed to exceed its initial setting".

It says "without a connection arriving", but I assume that even if a
connection arrives during the interval (which gets past along to the other
rules and is not matched to the rule in question because the burst count is
0), then after the interval period the burst count in incremented? Or does
the burst count only gets incremented when no new connection arrives at the
rule for at least the duration of the interval period?

Sander
 

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: donderdag 15 april 2010 18:03
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attackson a specific port

S. J. van Harmelen wrote:
> Today I tried to put my Shorewall config in production, but had to undo it
> really fast because I had connection problems. When trying to connect to
our
> website I noticed that it connected, but then wasn''t able to load
the
whole
> page in one time. Now I understand how a webpage is loaded (each picture
is
> a separate call to the webserver) so I know it has something to do with
the
> limit action that I set...
> 
> You already explained how the limit action works:
> 
> "The Limit action works by keeping track of how many connections were
> made in the last period"
> 
> But I still have trouble understanding what you are saying here (sorry).
In
> the example of loading a webpage with a few pictures in it... Is every
> request to the server counted as a new connection?
I neither know nor do I care when Web browsers decide to open new
connections to a server. I know that if I look at about:config in my
Firefox (Iceweasel) browser, there is a max-connections-per-server
setting that has the value 15. So I further assume that any limiting of
connections to less than 15 in a short period of time would cause issues
for my browser.
> In that case I guess it''s
> not really useful to set a limit action on a http rule, right? As then
it''s
> quite hard to set the correct limit number to enable normal browsing but
> prevent DoS''ing...
I think, as in all such things, you should start out with a conservative
setting and go from there.
> 
> I also read about the connlimit option. Should that be a better option in
> this case? I take it that this option does indeed just count the total
> numbers of concurrent TCP sessions from a specific IP address, the only
> drawback is that the connection aren''t counted per rule but in
total over
> all rules, correct?
That''s correct.
> 
> Any pros and cons I miss? And the doc''s don''t say what
happens when a new
> session is started when then limit is reached? Will the w session be
logged
> and dropped?
Like any netfilter rule, if the rule doesn''t match then the connection
is passed on to the next rule.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

S. J. van Harmelen wrote:
> It says "without a connection arriving", but I assume that even
if a
> connection arrives during the interval (which gets past along to the
> other rules and is not matched to the rule in question because the
> burst count is 0), then after the interval period the burst count in
> incremented? Or does the burst count only gets incremented when no
> new connection arrives at the rule for at least the duration of the
> interval period?
Yes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Uuh... I understand that you''re a man of little words ;) But since your
saying yes to two opposite explanations I still don''t know what
explanation
is the correct one?

1. It says "without a connection arriving", but I assume that even if
a
connection arrives during the interval (which then gets passed along to the
other rules and is not matched to the rule in question because the burst
count is 0), then after the interval period the burst count is incremented?

2. Or does the burst count only gets incremented when no new connections are
even attempted for at least the duration of the interval period? So that
means the interval will reset and starts ticking again every time a
connection arrives (even if that connection is not allowed to pass through
the rule) until it ticks away to complete interval time?

So is explanation 1 true and/or is explanation 2 true? I assume only one of
them can be true at the same time...

Sander


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: donderdag 15 april 2010 23:24
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attackson a specific port

S. J. van Harmelen wrote:
> It says "without a connection arriving", but I assume that even
if a
> connection arrives during the interval (which gets past along to the
> other rules and is not matched to the rule in question because the
> burst count is 0), then after the interval period the burst count in
> incremented? Or does the burst count only gets incremented when no
> new connection arrives at the rule for at least the duration of the
> interval period?
Yes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

S. J. van Harmelen wrote:
> Uuh... I understand that you''re a man of little words ;) But since
your
> saying yes to two opposite explanations I still don''t know what
explanation
> is the correct one?
> 
> 1. It says "without a connection arriving", but I assume that
even if a
> connection arrives during the interval (which then gets passed along to the
> other rules and is not matched to the rule in question because the burst
> count is 0), then after the interval period the burst count is incremented?
> 
> 2. Or does the burst count only gets incremented when no new connections
are
> even attempted for at least the duration of the interval period? So that
> means the interval will reset and starts ticking again every time a
> connection arrives (even if that connection is not allowed to pass through
> the rule) until it ticks away to complete interval time?
> 
If a packet arrives, the count immediately goes back to zero and the
packet is accepted. The point is that the only way for the burst count
to increment over time is that the arrival rate must be less than the
specified rate; there must be periods during which no packet arrives in
order for the burst count to be restored to its maximum value.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Thanks Tom, all clear now!

I just tweaked the numbers a bit and put the firewall in production and it
seems to run great with the new settings!

Thanks for all your time and patience...

Sander


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: vrijdag 16 april 2010 15:17
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attackson a specific port

S. J. van Harmelen wrote:
> Uuh... I understand that you''re a man of little words ;) But since
your
> saying yes to two opposite explanations I still don''t know what
explanation
> is the correct one?
> 
> 1. It says "without a connection arriving", but I assume that
even if a
> connection arrives during the interval (which then gets passed along to
the
> other rules and is not matched to the rule in question because the burst
> count is 0), then after the interval period the burst count is
incremented?
> 
> 2. Or does the burst count only gets incremented when no new connections
are
> even attempted for at least the duration of the interval period? So that
> means the interval will reset and starts ticking again every time a
> connection arrives (even if that connection is not allowed to pass through
> the rule) until it ticks away to complete interval time?
> 
If a packet arrives, the count immediately goes back to zero and the
packet is accepted. The point is that the only way for the burst count
to increment over time is that the arrival rate must be less than the
specified rate; there must be periods during which no packet arrives in
order for the burst count to be restored to its maximum value.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

----------------------------------------------------------------------------
--
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev