Hello,

I have a question about rate-limit. When I put this rule, I expect to be able to ping 5 times from outside (internet) to my firewall within 20 min. After those 5 pings, I would be waiting 20 min before I can ping five times again.

ACCEPT net $FW icmp 0 - - d:ping:5/min:20
ACCEPT net $FW icmp 8 - - d:ping:5/min:20
ACCEPT $FW net icmp

When testing this rule from the internet, I get no rate limit. I can ping a hundred times with no stopping. I must say that I'm connected on the server's ssh port when doing the test. Does Shorewall see this as connection related? I'm confused; do I misunderstand the working of rate/limit? Is this the same as this example with iptables?

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
    --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
    --update --seconds 600 --hitcount 2 -j DROP

I'm using Shorewall 4.10.2 on Debian

Sincerely,
Selvam Matthys

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
On 7/12/10 8:55 PM, Selvam Matthys wrote:
> Hello,
>
> I have a question about rate-limit.
> When I put this rule, I expect to be able to ping 5 times from
> outside (internet) to my firewall within 20 min. After those 5 pings, I
> would be waiting 20 min before I can ping five times again.

No -- if you ping continuously, you will get 20 responses and then you won't get another response for 12 seconds (60/5) and every 12 seconds after that.

> ACCEPT net $FW icmp 0 - - d:ping:5/min:20
> ACCEPT net $FW icmp 8 - - d:ping:5/min:20

The first rule is silly -- it will never be hit.

> ACCEPT $FW net icmp
>
> When testing this rule from the internet, I get no rate limit. I can
> ping a hundred times with no stopping.
> I must say that I'm connected on the server's ssh port when doing the
> test. Does Shorewall see this as connection related?
> I'm confused; do I misunderstand the working of rate/limit? Is this the
> same as this example with iptables?
>
> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
>     --set
>
> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
>     --update --seconds 600 --hitcount 2 -j DROP

It does not do that. You can 'shorewall trace check | grep hashlimit' to see what gets generated.

> I'm using Shorewall 4.10.2 on Debian

I assume that you meant 4.4.10.2.

It works for me.
I changed this rule:

Ping(ACCEPT) loc fw

to

Ping(ACCEPT) loc fw - - - - d:5/min:20

I then ping from a local host:

maclan:~ teastep$ ping gateway
PING gateway.shorewall.net (70.90.191.121): 56 data bytes
64 bytes from 70.90.191.121: icmp_seq=0 ttl=64 time=0.192 ms
64 bytes from 70.90.191.121: icmp_seq=1 ttl=64 time=0.328 ms
64 bytes from 70.90.191.121: icmp_seq=2 ttl=64 time=0.344 ms
64 bytes from 70.90.191.121: icmp_seq=3 ttl=64 time=0.334 ms
64 bytes from 70.90.191.121: icmp_seq=4 ttl=64 time=0.340 ms
64 bytes from 70.90.191.121: icmp_seq=5 ttl=64 time=0.330 ms
64 bytes from 70.90.191.121: icmp_seq=6 ttl=64 time=0.338 ms
64 bytes from 70.90.191.121: icmp_seq=7 ttl=64 time=0.315 ms
64 bytes from 70.90.191.121: icmp_seq=8 ttl=64 time=0.328 ms
64 bytes from 70.90.191.121: icmp_seq=9 ttl=64 time=0.324 ms
64 bytes from 70.90.191.121: icmp_seq=10 ttl=64 time=0.325 ms
64 bytes from 70.90.191.121: icmp_seq=11 ttl=64 time=0.267 ms
64 bytes from 70.90.191.121: icmp_seq=12 ttl=64 time=0.359 ms
64 bytes from 70.90.191.121: icmp_seq=13 ttl=64 time=0.328 ms
64 bytes from 70.90.191.121: icmp_seq=14 ttl=64 time=0.319 ms
64 bytes from 70.90.191.121: icmp_seq=15 ttl=64 time=0.327 ms
64 bytes from 70.90.191.121: icmp_seq=16 ttl=64 time=0.325 ms
64 bytes from 70.90.191.121: icmp_seq=17 ttl=64 time=0.329 ms
64 bytes from 70.90.191.121: icmp_seq=18 ttl=64 time=0.336 ms
64 bytes from 70.90.191.121: icmp_seq=19 ttl=64 time=0.326 ms
64 bytes from 70.90.191.121: icmp_seq=20 ttl=64 time=0.326 ms
92 bytes from gateway.shorewall.net (70.90.191.121): Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 3afe   0 0000  40  01 8c31 172.20.1.146  70.90.191.121

Request timeout for icmp_seq 21
92 bytes from gateway.shorewall.net (70.90.191.121): Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 e8ef   0 0000  40  01 de3f 172.20.1.146  70.90.191.121

What other net->fw rules do you have? What is the net->fw policy?
-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
I did read some of the documentation on the Shorewall ConnectionRate site this afternoon and saw indeed what 5/min:20 means.
My rules are almost like the original shorewall-two-interfaces sample. I replaced my icmp rules with the same as yours, but still no success.
I looked on shorewall.net/Actions.html#Limit and was wondering what the difference is between the action/limit and the rate/limit.

Sincerely,
Selvam

Here are my rules:

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(ACCEPT) net fw:188.165.193.63 - - - - d:5/min:20
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT $FW net icmp - - - d:5/min:20
ACCEPT net fw:188.165.193.63 tcp 272 - - s:ssh:3/min:5
ACCEPT lan fw:10.10.10.254 tcp 272
################################################################################
#####DNAT RULES!!###############################################################
################################################################################
DNAT net lan:10.10.10.103:3389 tcp 103 - 188.165.193.63 6/min:5
#DNAT net lan:10.10.10.102:22 tcp 102 - 188.165.193.63 6/min:5

My policy:

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
$FW lan ACCEPT
lan net ACCEPT
lan lan ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info

2010/7/13 Tom Eastep <teastep@shorewall.net>:
On 7/13/10 8:20 AM, Selvam Matthys wrote:
> I did read some of the documentation on the Shorewall ConnectionRate
> site this afternoon and saw indeed what 5/min:20 means.
> My rules are almost like the original shorewall-two-interfaces sample.
> I replaced my icmp rules with the same as yours, but still no success.
> I looked on shorewall.net/Actions.html#Limit
> <http://shorewall.net/Actions.html#Limit> and was wondering what the
> difference is between the action/limit and the rate/limit.

They are totally different. See http://ipv6.shorewall.net/configuration_file_basics.htm#RateLimit. In particular, rate/limit does not reject or drop connections in excess of the limit; rather, the connection is passed to the next rule.

> Here are my rules,

Since it works for me and doesn't work for you, I don't want to see your configuration; I want to see what is actually configured on your system. The way that you can show me that is to send me the output of 'shorewall dump' as an attachment.

Thanks,
-Tom
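The two mechanisms compared in this thread behave quite differently, and the difference is easier to see in a model than in prose. Shorewall's RATE LIMIT column (`d:ping:5/min:20`) is compiled to an `xt_hashlimit` match: a token bucket, keyed on the destination address for `d:` and on the source address for `s:`, that starts with `burst` tokens and refills at `rate`; a packet the bucket cannot pay for is not dropped by that rule but simply falls through to the next rule or the zone policy, which is why Tom's ping run above gets replies for icmp_seq 0 to 20, loses 21, and then gets one every 12 seconds. The `iptables -m recent --set` / `--update --seconds 600 --hitcount 2` recipe from the first message is a per-source lockout instead: once the source has reached the hit count inside the window, every further new connection is dropped and each dropped attempt refreshes the lockout. The following Python model is an added illustration and is not Shorewall, Netfilter or list code; the addresses, timestamps and traffic pattern in it are constructed, and the bucket and timestamp-list logic are simplified to the behaviour a rule author needs to predict (the kernel works in integer credits and caps the number of stored timestamps, which does not change these results).

```python
"""Model of xt_hashlimit (Shorewall RATE LIMIT, e.g. d:ping:5/min:20) versus
the xt_recent --set / --update lockout recipe. Added example, not Shorewall or
Netfilter code; all addresses, times and traffic below are constructed."""
from fractions import Fraction
from typing import Dict, List


class HashLimit:
    """Token bucket with xt_hashlimit semantics: each key starts with `burst`
    tokens, gains `rate` tokens per `period` seconds (capped at `burst`), and a
    packet matches only if a whole token is available, which it then spends.
    Fraction keeps the 1/12-token-per-second refill exact."""

    def __init__(self, rate: int, period: int, burst: int) -> None:
        self.rate = Fraction(rate, period)      # tokens per second
        self.burst = Fraction(burst)
        self.credit: Dict[str, Fraction] = {}   # one bucket per hash key
        self.last: Dict[str, Fraction] = {}     # last time each bucket was seen

    def match(self, key: str, now: Fraction) -> bool:
        elapsed = now - self.last.get(key, now)             # zero for a new key
        credit = min(self.burst,
                     self.credit.get(key, self.burst) + elapsed * self.rate)
        self.last[key] = now
        matched = credit >= 1
        self.credit[key] = credit - 1 if matched else credit
        return matched


class Recent:
    """xt_recent: a per-address list of timestamps. `--set` records a hit
    unconditionally; `--update --seconds S --hitcount N` matches when the
    address already has at least N hits in the last S seconds and, only then,
    records another hit, so blocked attempts keep extending the block."""

    def __init__(self) -> None:
        self.stamps: Dict[str, List[Fraction]] = {}

    def set(self, addr: str, now: Fraction) -> None:
        self.stamps.setdefault(addr, []).append(now)

    def update(self, addr: str, now: Fraction, seconds: int, hitcount: int) -> bool:
        stamps = self.stamps.get(addr, [])
        hits = sum(1 for t in stamps if now - t <= seconds)
        if addr in self.stamps and hits >= hitcount:
            stamps.append(now)
            return True
        return False


def ping_flood(limiter: HashLimit, dest: str, count: int) -> List[int]:
    """One echo request per second against `ACCEPT net $FW icmp 8 - - d:ping:5/min:20`.
    Returns the icmp_seq values that rule accepts; the rest fall through to the
    net->fw policy (DROP in the configuration posted in this thread)."""
    return [seq for seq in range(count) if limiter.match(dest, Fraction(seq))]


def ssh_attempts(times: List[int], seconds: int = 600, hitcount: int = 2) -> List[str]:
    """Evaluate the quoted `recent` recipe for new SSH connections from one
    source at the given times (seconds). Both rules were added with -I, so the
    `--update ... -j DROP` rule inserted second is evaluated first in INPUT."""
    table = Recent()
    src = "203.0.113.7"                        # constructed source address
    verdicts = []
    for t in times:
        now = Fraction(t)
        if table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")            # rule 1: threshold reached
            continue
        table.set(src, now)                    # rule 2: record the hit, no target
        verdicts.append("ACCEPT")              # assumed: a later rule accepts ssh
    return verdicts


if __name__ == "__main__":
    bucket = HashLimit(rate=5, period=60, burst=20)
    print("hashlimit accepted icmp_seq:", ping_flood(bucket, "70.90.191.121", 50))
    print("recent verdicts:", ssh_attempts([0, 5, 10, 300, 1500, 1505, 1510]))
```

Run stand-alone, the first line reproduces the ping output quoted earlier in the thread (replies for icmp_seq 0 to 20, none for 21 to 23, then 24, 36, 48), and the second shows the lockout: the third and fourth connection attempts are dropped, a source that stays quiet for the full 600 seconds gets two fresh attempts, and the third is dropped again. On the firewall itself, Tom's `shorewall trace check | grep hashlimit` shows the generated match, and the packet counters in `iptables -nvL` on the net->fw chain tell you whether the hashlimit rule is ever being hit or whether pings are being accepted by some rule before it.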
My message was blocked because the attachment was too big, so here it is in compressed form.

Sincerely,
Selvam Matthys

2010/7/14 Selvam Matthys <selvam.matthys@gmail.com>:
> As requested, my shorewall dump.
>
> Sincerely,
> Selvam
>
> 2010/7/13 Tom Eastep <teastep@shorewall.net>:
Hi,

Here is my third attempt to send you my Shorewall dump.

Sincerely,
Selvam Matthys
On 7/14/10 8:24 PM, Selvam Matthys wrote:
> Hi,
>
> Here is my third attempt to send you my Shorewall dump.

From the dump:

> Linux version 2.6.32-5-openvz-amd64 (Debian 2.6.32-17)
> (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-1) ) #1 SMP
> Sun Jul 11 02:26:20 UTC 2010

I have found this kernel to be so broken in the Netfilter area that it has convinced me to abandon OpenVZ on Debian. I've switched to Linux-vserver. My testing was conducted using the Lenny Vserver Kernel.

-Tom
Thanks for your time.

Do you think it's a security risk to run my server with this kernel with iptables? Or is it just some features that don't work, like the rate/limit? For me a security risk is when I have a DROP or a REJECT rule and it still accepts the connection.
So if I accept ping or ssh, then I can live with the fact that rate/limit won't work with it. The only concern is when my rule is DROP or REJECT; then I really want it to drop and/or reject the traffic!

Sincerely,
Selvam

2010/7/14 Tom Eastep <teastep@shorewall.net>:
On 7/14/10 9:13 PM, Selvam Matthys wrote:
> Thanks for your time.
>
> Do you think it's a security risk to run my server with this kernel with
> iptables? Or is it just some features that don't work, like the
> rate/limit? For me a security risk is when I have a DROP or a REJECT
> rule and it still accepts the connection.
> So if I accept ping or ssh, then I can live with the fact that rate/limit
> won't work with it. The only concern is when my rule is DROP or REJECT;
> then I really want it to drop and/or reject the traffic!

I haven't found any security issues with this kernel; just things that don't work. For example, you can't even load the main ipv6 netfilter module. That having been said, I haven't really looked for security issues.

-Tom