How do I suppress logging on packets that are over the CONNLIMIT?

Users downloading from our server will use multiple wgets to maximize the amount that they can download. It's not the best technique, but it's human nature to go for the simplest workaround.

To avoid a DOS from one person trying to download dozens of files at once, we're using a CONNLIMIT rule. This fixes the accidental DOS problem, but produces a lot of syslog messages.

Is there a way to suppress logging on CONNLIMIT rules?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 06/13/2012 11:32 AM, J Jude wrote:
> How do I suppress logging on packets that are over the CONNLIMIT?
>
> Users downloading from our server will use multiple wgets to maximize the amount
> that they can download. It's not the best technique, but it's human nature to
> go for the simplest workaround.
>
> To avoid a DOS from one person trying to download dozens of files at once, we're
> using a CONNLIMIT rule. This fixes the accidental DOS problem, but produces a
> lot of syslog messages.
>
> Is there a way to suppress logging on CONNLIMIT rules?

I assume that you are referring to the CONNLIMIT column in the policy file as opposed to the CONNLIMIT column in the rules file.

All policy-related logging is controlled by the LOG LEVEL column in the policy file. It is not possible to disable CONNLIMIT logging without eliminating all logging under the policy.

I suggest adding CONNLIMIT rules to your rules file and removing the CONNLIMIT entries from the policy file if you don't want logging.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep <teastep <at> shorewall.net> writes:
> On 06/13/2012 11:32 AM, J Jude wrote:
> > How do I suppress logging on packets that are over the CONNLIMIT?
> I assume that you are referring to the CONNLIMIT column in the policy
> file as opposed to the CONNLIMIT column in the rules file.

No, it really is CONNLIMIT in rules, not policy, because it's port specific. Accepted packets on the rule do not log anything. Packets rejected for CONNLIMIT are logged.

Here is the current rule:

    ACCEPT net:0.0.0.0/0 $FW tcp http,https - - - - - 10
On 06/14/2012 09:36 AM, J Jude wrote:
> Tom Eastep <teastep <at> shorewall.net> writes:
>> On 06/13/2012 11:32 AM, J Jude wrote:
>>> How do I suppress logging on packets that are over the CONNLIMIT?
>> I assume that you are referring to the CONNLIMIT column in the policy
>> file as opposed to the CONNLIMIT column in the rules file.
>
> No, it really is CONNLIMIT in rules, not policy, because it's port specific.
> Accepted packets on the rule do not log anything. Packets rejected for
> CONNLIMIT are logged.
>
> Here is the current rule:
>
> ACCEPT net:0.0.0.0/0 $FW tcp http,https - - - - - 10

It's not that rule that is logging -- it's the policy. So, you want to follow that rule with

    DROP net $FW http,https

-Tom
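To make the mechanism Tom describes concrete, here is an added rules-file fragment (editor's illustration, not posted by either participant). It assumes the classic shorewall-rules(5) column order (ACTION, SOURCE, DEST, PROTO, DPORT, SPORT, ORIGDEST, RATE, USER, MARK, CONNLIMIT) and the documented "!limit" negation in the CONNLIMIT column. The PROTO column is filled in as tcp in the DROP line so that http,https lands in DPORT, matching the ACCEPT rule above it; that is my addition, not a correction of anything in the thread.

```text
# /etc/shorewall/rules  (illustrative fragment)
#ACTION  SOURCE          DEST   PROTO  DPORT       SPORT  ORIGDEST  RATE  USER  MARK  CONNLIMIT

# 1. The original rule. CONNLIMIT is a *match condition* on the ACCEPT, not
#    an action: a NEW connection from a source that already holds 10 matching
#    connections simply fails to match here, falls through to the net->$FW
#    policy, and is logged at whatever LOG LEVEL that policy carries.
ACCEPT   net:0.0.0.0/0   $FW    tcp    http,https  -      -         -     -     -     10

# 2. The fix from the thread: catch the fall-through before the policy sees it.
#    A DROP with no ":loglevel" suffix writes nothing to syslog.
ACCEPT   net:0.0.0.0/0   $FW    tcp    http,https  -      -         -     -     -     10
DROP     net             $FW    tcp    http,https

# 3. Equivalent alternative using the negated form, which matches only when the
#    source is already OVER the limit. Handy while tuning, because the
#    over-limit rule can be given its own log level (e.g. DROP:info) without
#    touching the policy or the normal ACCEPT path.
DROP     net             $FW    tcp    http,https  -      -         -     -     -     !10
ACCEPT   net             $FW    tcp    http,https
```

Two caveats worth keeping in mind with either form. The connlimit match counts per source address by default (mask 32), so a whole office behind one NAT address shares the 10-connection budget; widen the grouping with "10:24" to count per /24 if that is really what you mean. And because Shorewall rules apply to NEW connections, established downloads are never cut off; only the 11th attempt is refused. After "shorewall restart", "shorewall dump" will show the compiled chains, and the over-limit DROP should appear before the chain's policy-level LOG target.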