Hi,

I have created a very basic shorewall configuration with only one rule for rate limiting outgoing ICMP port unreachable packets.

However when I look at the rules created I can see an extra rate limiting rule like this:

Chain @net2fw (1 references)
 pkts bytes target prot opt in  out source    destination
28114 1646K RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  limit: avg 10/sec burst 50
 3168  190K DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0

I trust that Shorewall does the right thing, and although I didn't ask for this particular rate limiting I am guessing that this shouldn't be causing any problems.

But my colleagues are requiring an explanation and claim that this is affecting normal traffic.

My suspicion is that this comes from the 'tcpflags' setting in interfaces and that it's rate limiting incoming invalid packets?

interfaces:
net eth0 detect tcpflags,nosmurfs,arp_filter,arp_ignore=1,routefilter

zones:
fw firewall
net ipv4 - - -

policy:
$FW $FW ACCEPT - -
$FW net ACCEPT - -
net $FW ACCEPT - 10/sec:50

rules:
ACCEPT fw all icmp port-unreachable - - 100/sec:5
On 08/13/2013 06:59 AM, Steve Wray wrote:
> Hi,
>
> I have created a very basic shorewall configuration with only one rule
> for rate limiting outgoing ICMP port unreachable packets.
>
> However when I look at the rules created I can see an extra rate
> limiting rule like this:
>
> Chain @net2fw (1 references)
>  pkts bytes target prot opt in  out source    destination
> 28114 1646K RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  limit: avg 10/sec burst 50
>  3168  190K DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0
>
> I trust that Shorewall does the right thing, and although I didn't ask
> for this particular rate limiting I am guessing that this shouldn't be
> causing any problems.
>
> But my colleagues are requiring an explanation and claim that this is
> affecting normal traffic.
>
> My suspicion is that this comes from the 'tcpflags' setting in
> interfaces and that it's rate limiting incoming invalid packets?
>
> interfaces:
> net eth0 detect tcpflags,nosmurfs,arp_filter,arp_ignore=1,routefilter
>
> zones:
> fw firewall
> net ipv4 - - -
>
> policy:
> $FW $FW ACCEPT - -
> $FW net ACCEPT - -
> net $FW ACCEPT - 10/sec:50 <=======================================

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
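The line Tom is pointing at is the LIMIT:BURST column of the net -> $FW policy, and the listing in the first post shows what Shorewall turns it into: a `limit` match that RETURNs the packets inside the rate, followed by an unconditional DROP, with protocol `all`, so it covers every packet from net to the firewall and not only the ICMP the rules file was meant to limit. The following is an added example, not code from this thread or from Shorewall itself: a small Python script that reads a policy file, finds entries with a LIMIT:BURST set, prints the raw iptables rules that correspond to the two lines in the listing, and works out from the chain counters what share of packets the limit discarded. The policy text and chain listing are copied from the posts above as constructed sample input; the chain-naming helper assumes every zone pair follows the `@net2fw` pattern seen in that listing, and the burst default of 5 is the default of the iptables `limit` match.

```python
"""Where a Shorewall policy rate limit ends up in iptables, and what it costs."""
import re

# Constructed sample input, copied from the thread: the policy file
# (SOURCE DEST POLICY LOGLEVEL LIMIT:BURST) and the listing of the @net2fw chain.
POLICY_FILE = """\
#SOURCE  DEST  POLICY  LOGLEVEL  LIMIT:BURST
$FW      $FW   ACCEPT  -         -
$FW      net   ACCEPT  -         -
net      $FW   ACCEPT  -         10/sec:50
"""

CHAIN_LISTING = """\
Chain @net2fw (1 references)
 pkts bytes target prot opt in  out source    destination
28114 1646K RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  limit: avg 10/sec burst 50
 3168  190K DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0
"""

# rate[/unit] with an optional :burst, e.g. 10/sec:50
LIMIT_RE = re.compile(r"^(\d+)/(second|sec|minute|min|hour|day)(?::(\d+))?$")


def rate_limited_policies(policy_text):
    """Return (source, dest, policy, rate, burst) for every policy entry whose
    LIMIT:BURST column is set. Burst defaults to 5, the iptables 'limit' match
    default, when only a rate is given."""
    found = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[4] == "-":
            continue
        m = LIMIT_RE.match(fields[4])
        if not m:
            raise ValueError("unparseable LIMIT:BURST column: %r" % fields[4])
        rate = "%s/%s" % (m.group(1), m.group(2))
        burst = int(m.group(3)) if m.group(3) else 5
        found.append((fields[0], fields[1], fields[2], rate, burst))
    return found


def policy_chain(source, dest):
    """Name of the chain the policy limit lands in. '$FW' is the firewall zone
    'fw'; the '@src2dst' form is the one seen in the thread's listing
    (assumption: every zone pair is named the same way)."""
    zone = lambda name: "fw" if name == "$FW" else name
    return "@%s2%s" % (zone(source), zone(dest))


def equivalent_iptables(chain, rate, burst):
    """The two raw rules the listing shows: packets within the limit RETURN to
    the caller, everything beyond it is dropped. There is no '-p' match, so the
    limit applies to every protocol, not just ICMP."""
    return [
        "iptables -A %s -m limit --limit %s --limit-burst %d -j RETURN"
        % (chain, rate, burst),
        "iptables -A %s -j DROP" % chain,
    ]


def drop_fraction(listing):
    """From 'iptables -nvL' style counters, the share of packets that reached
    the chain's DROP instead of the limit's RETURN."""
    counts = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit() and fields[2] in ("RETURN", "DROP"):
            counts[fields[2]] = counts.get(fields[2], 0) + int(fields[0])
    total = sum(counts.values())
    return counts.get("DROP", 0) / total if total else 0.0


if __name__ == "__main__":
    for src, dst, pol, rate, burst in rate_limited_policies(POLICY_FILE):
        chain = policy_chain(src, dst)
        print("policy %s -> %s %s is limited to %s burst %d, built as:"
              % (src, dst, pol, rate, burst))
        for cmd in equivalent_iptables(chain, rate, burst):
            print("   ", cmd)
    print("share of net -> fw packets dropped by the limit: %.1f%%"
          % (100 * drop_fraction(CHAIN_LISTING)))
```

Run against the counters from the first post, the script reports roughly 10% of all packets from net to the firewall (3168 of 31282) dropped by the policy limit, which is the number to hand to the colleagues who say normal traffic is affected; removing `10/sec:50` from the net $FW policy line leaves only the per-rule ICMP limit from the rules file.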
Uh, thanks for pointing out the obvious, Tom! Now I have to figure out how THAT got there...

On 13 August 2013 22:05, Tom Eastep <teastep@shorewall.net> wrote:
> On 08/13/2013 06:59 AM, Steve Wray wrote:
> > Hi,
> >
> > I have created a very basic shorewall configuration with only one rule
> > for rate limiting outgoing ICMP port unreachable packets.
> >
> > However when I look at the rules created I can see an extra rate
> > limiting rule like this:
> >
> > Chain @net2fw (1 references)
> >  pkts bytes target prot opt in  out source    destination
> > 28114 1646K RETURN all  --  *   *   0.0.0.0/0 0.0.0.0/0  limit: avg 10/sec burst 50
> >  3168  190K DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0
> >
> > I trust that Shorewall does the right thing, and although I didn't ask
> > for this particular rate limiting I am guessing that this shouldn't be
> > causing any problems.
> >
> > But my colleagues are requiring an explanation and claim that this is
> > affecting normal traffic.
> >
> > My suspicion is that this comes from the 'tcpflags' setting in
> > interfaces and that it's rate limiting incoming invalid packets?
> >
> > interfaces:
> > net eth0 detect tcpflags,nosmurfs,arp_filter,arp_ignore=1,routefilter
> >
> > zones:
> > fw firewall
> > net ipv4 - - -
> >
> > policy:
> > $FW $FW ACCEPT - -
> > $FW net ACCEPT - -
> > net $FW ACCEPT - 10/sec:50 <=======================================
>
> -Tom
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users