Hi list,

I recently configured Shorewall 4.5.0.3 on a Debian 6 (Linux 2.6.32-5-686).

I successfully configured everything for a two-interface firewall, but all DNAT rules I have are ignoring the rate-limit option.

For example, I have this rule:

    DNAT    net    loc:192.168.2.2:8090    tcp    80    -    -    s:adw:1/min:2

I put it this way for testing and it's doing DNAT OK, but it accepts every connection attempt at any rate. I just want to rate-limit by source IP. I read the manual, FAQs, troubleshooting, Google, etc., but no clue on what's happening. I'm unable to rate-limit DNAT rules. Maybe I made a silly mistake but I have no clue...

My policy file ends with REJECT all all and there is no ACCEPT net loc, so that theoretically if the rate-limited rule does not match, the packet should be dropped...

Please, any idea on what I'm doing wrong?

Thanks in advance.

Regards.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 4/29/12 3:05 PM, Pau Beltrán wrote:
> I successfully configured everything for a two-interface firewall but all
> DNAT rules I have are ignoring the rate-limit option.
>
> For example, I have this rule:
> DNAT    net    loc:192.168.2.2:8090    tcp    80    -    -    s:adw:1/min:2
>
> Please, any idea on what I'm doing wrong?

No -- we need to see the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thank you Tom for the reply.

Here you have my shorewall dump.

If it helps:
- First I tried this configuration with Shorewall 4.4.11.6 and then I upgraded to 4.5.0.3 looking to solve this problem.
- I'm testing from another subnet outside the firewall, acting as "net" zone (192.168.1.0/24). I guess that will not be a problem.
- I'm sure it's bypassing the rate limit I set because "shorewall hits" reports no hit with high-rate connection tries.

Thanks!

Regards.

On 4/29/12 3:05 PM, Pau Beltrán wrote:
> Please, any idea on what I'm doing wrong?

No -- we need to see the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines

-Tom
On 04/30/2012 08:10 AM, Pau Beltrán wrote:
> - I'm sure it's bypassing the rate limit I set because "shorewall hits"
> reports no hit with high-rate connection tries.

And this high connection rate is from a single IP address, correct?

-Tom
Yes, it is from the same IP (192.168.2.4).

2012/4/30 Tom Eastep <teastep@shorewall.net>:
> And this high connection rate is from a single IP address, correct?
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Sorry, from the IP 192.168.1.4

2012/4/30 Pau Beltrán <spekdrum@gmail.com>:
> Yes, it is from the same IP (192.168.2.4).
>
> 2012/4/30 Tom Eastep <teastep@shorewall.net>:
>> And this high connection rate is from a single IP address, correct?
On 04/30/2012 10:33 AM, Pau Beltrán wrote:
> Sorry, from the IP 192.168.1.4

Something is wrong with your testing then, because *none* of your DNAT rules have been hit at all:

    Chain net_dnat (1 references)
     pkts bytes target  prot opt in  out  source     destination
        0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:7171 to:192.168.2.2
        0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 to:192.168.2.2:8090
        0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:8090 to:192.168.2.2:8090

-Tom
Sorry Tom, I sent you the dump without testing before. Now I attach a dump with previous testing connecting from 192.168.1.4 to port 80, with a new discovery...

I realized, playing with "shorewall show nat", that the number of packets in the counter matches what the limit is supposed to do; it looks like the limit is working. The strange thing is that the requested HTTP page that I'm connecting to is updated every time. I press F5 at a higher rate, getting a different timestamp on every request. A different timestamp shows me that the cache is not acting and the request reaches its destination (192.168.2.2). In other words, I press F5, I get a fresh page in response, but the "shorewall show nat" counters remain at the same value. I wait a few seconds, hit F5 again, get a fresh page and the counter is increased.

It seems that the rate limit works, cutting the DNAT rule (as the counter shows), but the request reaches its destination anyway. I can't understand why... I put the "public" IP of the firewall in the browser (192.168.1.135). Only a DNAT rule can take me to 192.168.2.2.

Regards.

2012/4/30 Tom Eastep <teastep@shorewall.net>:
> Something is wrong with your testing then, because *none* of your DNAT
> rules have been hit at all:
>
> Chain net_dnat (1 references)
>  pkts bytes target  prot opt in  out  source     destination
>     0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:7171 to:192.168.2.2
>     0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:80 to:192.168.2.2:8090
>     0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp dpt:8090 to:192.168.2.2:8090
>
> -Tom
On 4/30/12 12:09 PM, Pau Beltrán wrote:
> It seems that the rate limit works, cutting the DNAT rule (as the
> counter shows), but the request reaches its destination anyway. I
> can't understand why... I put the "public" IP of the firewall in the
> browser (192.168.1.135). Only a DNAT rule can take me to 192.168.2.2.

Your browser doesn't close the connection immediately. So hitting F5 doesn't necessarily create a new connection. Remember that rate-limiting only affects *new connections*.

-Tom
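Tom's point, as an added example (not from the thread and not Shorewall's own code): a small Python model of a per-source hashlimit like the poster's `s:adw:1/min:2` (1 new connection per minute, burst 2) in front of a DNAT rule, where the nat table only evaluates the first packet of each connection and later packets follow the conntrack entry. The source address, port numbers and timings are constructed; the model shows why several F5 presses over one persistent browser connection are charged once, while a burst of fresh connections from the same source is cut down to the burst size.

```python
"""Model of a per-source rate limit (iptables hashlimit) in front of a
DNAT rule.  Added example with constructed traffic; not Shorewall code."""


class HashLimit:
    """Token bucket per source IP, like Shorewall's `s:adw:1/min:2`."""

    def __init__(self, rate_per_min, burst):
        self.interval = 60.0 / rate_per_min   # seconds to earn one token
        self.burst = burst
        self.buckets = {}                     # src -> (tokens, last_seen)

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) / self.interval)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


class Firewall:
    """A rate-limited DNAT rule plus connection tracking.  The nat table
    sees only the first packet of a flow; later packets are 'established'
    and are never re-checked against the limit."""

    def __init__(self, limit):
        self.limit = limit
        self.conntrack = set()   # (src, sport) flows already DNATed
        self.dnat_hits = 0       # the pkts counter in `shorewall show nat`
        self.forwarded = 0
        self.rejected = 0        # fell through to the REJECT all all policy

    def packet(self, src, sport, now):
        flow = (src, sport)
        if flow in self.conntrack:           # existing connection
            self.forwarded += 1
            return "established"
        if self.limit.allow(src, now):       # new connection, within limit
            self.conntrack.add(flow)
            self.dnat_hits += 1
            self.forwarded += 1
            return "dnat"
        self.rejected += 1                   # new connection, over the limit
        return "rejected"


def keepalive_browser(fw):
    """Five F5 presses in ten seconds over ONE persistent TCP connection
    (constructed: source 192.168.1.4, client port 40001)."""
    return [fw.packet("192.168.1.4", 40001, t) for t in range(0, 10, 2)]


def flood(fw):
    """Twenty fresh connections in ten seconds from the same source, each
    on a new client port (constructed), as a flooding tool would send."""
    return [fw.packet("192.168.1.4", 50000 + i, i * 0.5) for i in range(20)]


if __name__ == "__main__":
    fw = Firewall(HashLimit(rate_per_min=1, burst=2))
    print(keepalive_browser(fw), "dnat hits:", fw.dnat_hits)
    fw = Firewall(HashLimit(rate_per_min=1, burst=2))
    print(flood(fw), "dnat hits:", fw.dnat_hits, "rejected:", fw.rejected)
```

The DNAT counter only advances once per new connection, which is exactly what the poster saw: repeated requests on a kept-alive connection leave the counter unchanged while the page still refreshes.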
Tom, it works perfectly. I'm sorry, I was wrong in my tests, as you said. I've just tested LOIC against my Shorewall and it dropped and logged perfectly.

Thanks for your time and thanks for Shorewall, I'm really enjoying it.

Best regards!

2012/4/30 Tom Eastep <teastep@shorewall.net>:
> Your browser doesn't close the connection immediately. So hitting F5
> doesn't necessarily create a new connection. Remember that rate-limiting
> only affects *new connections*.
>
> -Tom