I've tried to create a per-IP rate limit in /etc/shorewall/rules:

    Limit(HTTPRate,25,1):none   all   dmz:A.B.C.D   tcp   http

shorewall compile succeeds (0 exit code)

shorewall restart fails:

    iptables-restore: line 905 failed
    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

Removing that one rule makes it work again.

I looked at the contents of the restore file and the generated iptables "recent" rules look correct.

I'm using the Debian package v4.5.16.1-1

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows: Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
On 07/02/2013 11:07 AM, Daniel Pocock wrote:
> I've tried to create a per-IP rate limit in /etc/shorewall/rules:
>
> Limit(HTTPRate,25,1):none all dmz:A.B.C.D tcp http

Limit has been deprecated for some time. You should be using the 'RATE LIMIT' column.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 02/07/13 21:20, Tom Eastep wrote:
> On 07/02/2013 11:07 AM, Daniel Pocock wrote:
>> I've tried to create a per-IP rate limit in /etc/shorewall/rules:
>>
>> Limit(HTTPRate,25,1):none all dmz:A.B.C.D tcp http
>
> Limit has been deprecated for some time. You should be using the 'RATE
> LIMIT' column.

I understand it was deprecated, and the rate limit column does work.

However, I was keen to have the per-IP rate limit to protect from crude DoS attacks, and the rate limit column doesn't appear to support that.
On 07/02/2013 12:38 PM, Daniel Pocock wrote:
> On 02/07/13 21:20, Tom Eastep wrote:
>> On 07/02/2013 11:07 AM, Daniel Pocock wrote:
>>> I've tried to create a per-IP rate limit in /etc/shorewall/rules:
>>>
>>> Limit(HTTPRate,25,1):none all dmz:A.B.C.D tcp http
>>
>> Limit has been deprecated for some time. You should be using the 'RATE
>> LIMIT' column.
>
> I understand it was deprecated and the rate limit column does work
>
> However, I was keen to have the per-IP rate limit to protect from crude
> DoS attacks, and the rate limit column doesn't appear to support that.

The RATE LIMIT column supports per-IP rate limiting.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 02/07/13 21:42, Tom Eastep wrote:
> On 07/02/2013 12:38 PM, Daniel Pocock wrote:
>> On 02/07/13 21:20, Tom Eastep wrote:
>>> On 07/02/2013 11:07 AM, Daniel Pocock wrote:
>>>> I've tried to create a per-IP rate limit in /etc/shorewall/rules:
>>>>
>>>> Limit(HTTPRate,25,1):none all dmz:A.B.C.D tcp http
>>>
>>> Limit has been deprecated for some time. You should be using the 'RATE
>>> LIMIT' column.
>>
>> I understand it was deprecated and the rate limit column does work
>>
>> However, I was keen to have the per-IP rate limit to protect from crude
>> DoS attacks, and the rate limit column doesn't appear to support that.
>
> The RATE LIMIT column supports per-IP rate limiting.

I had come across this post, which suggests that "Limit" is used for per-IP and that the RATE LIMIT column is aggregate:

http://copilotco.com/mail-archives/shorewall.2009/msg00362.html

I've just found this page as well:

http://www.shorewall.net/ConnectionRate.html

and reading it carefully, it gives me the impression that the "s:" or "d:" prefixes can create the same effect - is that correct?
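Added illustration, not part of the thread: a /etc/shorewall/rules fragment that puts the deprecated Limit line from the original post next to the aggregate and per-source forms of the RATE LIMIT column as the ConnectionRate page describes them. A.B.C.D, the rates, the burst values and the table name HTTPRate are placeholders, and the "s:name:rate/sec:burst" syntax is taken from the Shorewall documentation rather than confirmed anywhere in this thread.

```conf
# Added example, not from the thread. Column layout follows the Shorewall 4.5
# rules file; A.B.C.D, HTTPRate and the numbers are placeholder values.
#
#ACTION   SOURCE  DEST         PROTO  DPORT  SPORT  ORIGDEST  RATE_LIMIT
#
# Deprecated form from the original post: a "recent"-based Limit action that
# compiles but fails at iptables-restore time on the reported 4.5.16.1-1 build.
#Limit(HTTPRate,25,1):none  all  dmz:A.B.C.D  tcp  http
#
# Aggregate limit (what the 2009 post describes): at most 25 new HTTP
# connections per second to the server in total, burst 50, regardless of
# who is connecting. One busy client can still exhaust the whole budget.
ACCEPT    all     dmz:A.B.C.D  tcp    http   -      -         25/sec:50
#
# Per-source limit (the "s:" prefix from ConnectionRate.html): the hashlimit
# table HTTPRate is keyed on the client's source address, so every client
# gets its own 25/sec budget with a burst of 50. Use "d:" to key on the
# destination address instead.
ACCEPT    all     dmz:A.B.C.D  tcp    http   -      -         s:HTTPRate:25/sec:50
```

After "shorewall restart" the live per-source table can be inspected in /proc/net/ipt_hashlimit/HTTPRate to confirm that entries are being created per client address.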