Displaying 20 results from an estimated 40000 matches similar to: "Limiting Connections Per IP"
2004 Feb 13
6
Error: Rate Limiting only available with ACCEPT, DNAT[-], REDIRECT[-] and LOG
I think it would be nice to be able to rate limit an action, too..
suppose I have an action named Accept_good_source :
ACCEPT - - tcp - 1024:65535
ACCEPT - - udp - 1024:65535
and that i want to use it in an action called AllowCVS,
I can't limit the cvs usage, but only the general use of 
Accept_good_source...
same goes for userset...
as each rule will give one iptables command,
I
2005 Feb 24
2
Rate limiting
I am trying to rate limit a particular user/ip's news traffic and have
added the line 
 
ACCEPT          loc:10.5.75.253           net     tcp     119     -       -       1/sec:2
 While this has slowed down the traffic, it has not throttled it to the
point I would like. 
Yet with a sniffer I can see around 15 packets a second going thru. My
T1 is close to saturation, and I would like to
2004 Sep 03
18
Public IP
I have problem with IP public, my Network configuration
[wireless] <------> [Router] <------ > [ Linux proxy ] < ------ > [Client ]
IP configuration
[202.123.123.1] <------->[202.123.123.2 and 192.168.0.1] < ------ > [192.168.0.2 and 202.123.123.3] < ------ > [202.123.123.4]
this configuration will use IP 202.123.123.2 on internet
how to config my network
2005 May 21
5
Multiple Internet connections with Dynamic IP addresses
Cristian and Alex,
Both of you have asked about this. A routing table can only have one default
route so when the second link comes up, adding the second default route will
fail. So in general, Shorewall can only reliably detect the gateway for
P-T-P connections which is what the CVS current code does.
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \
2004 Dec 23
2
Reflecting internal connections to public IP back into network?
I've got a Shorewall firewall setup that's similar to the standard 3
interface configuration (net,loc,dmz). Several ports are forwarded from the
internet to computers in the dmz. I'd like to have any connections to that
same public IP address from either loc or dmz to be treated exactly as if
they were coming in from the internet itself.
There's some
2004 Aug 24
7
Question about ip_forward in clear_firewall
Firewall users,
   My apologies as I'm not on this list, so please respond directly as 
well as to the list. I did try to search the archives and didn't find 
any hits, although the search did not like searching for terms with 
underscores in them (both clear_firewall and ip_forward).
I was trying to understand why, when running shorewall stop, even though 
it echoes
   IP
2005 Feb 23
9
shorewall friendly way of limiting ssh brute force attacks?
I was wondering if anyone had implemented rules like this in shorewall:
http://blog.andrew.net.au/tech
I see tons of brute force attempts on the machines I administer, and I like
the idea of limiting them without the need for extra daemons scanning for
attacks.
Thanks,
	Dale
-- 
Dale E. Martin - dale@the-martins.org
http://the-martins.org/~dmartin
2004 Dec 29
9
Shorewall rpm failed dependency: iproute (ip is working)
Hello Shorewall gurus, as outlined on the shorewall site I have done the
following after failure to install shorewall via the rpm:
I have read all of the FAQ.
I have read the quickstart guide with particular attention directed at
the Mandrake solution.
I have searched the mailing list archives (all old replies).
I have studied the documentation index.
I have previous experience using shorewall
2005 Feb 13
15
Fedora Core 3 / 2.6.9-1.667
I just installed Fedora Core 3
uname -r 
2.6.9-1.667
I got the latest shorewall's rpm:
http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.0/shorewall-2.2.0-1.noarch.rpm
Made my changes
Attempted to run shorewall and got:
[root@demo shorewall]# shorewall start
   ERROR: Can't find iptables executable
I haven't seen this before.
I tried to go through all the
2007 Aug 20
6
have to restart shorewall after a dynamic IP change
Hi,
I've to restart shorewall when my dynamic IP was changed from my ISP.
Of course I can with a shell script do it automatically, but the
question is still there.. why ?
mess-mate                               
-- 
"I understand this is your first dead client," Sabian was saying.  The
absurdity of the statement made me want to laugh but they don't call me
Deadpan
2005 Mar 24
4
MAC address verification limitation
hi there. There are approx. 400-500 users in our
network and we plan to insert all their MAC addresses
into maclist and bind them together with IP address.
My question is whether shorewall is able to process
that much of MAC addresses without slowing the
network speed performance? thanks for your time.
		
2004 Sep 07
11
Public IP issues
I have had Shorewall 2.0.8 up and running for a month or so. Now I need
to change some things around. Currently I am running on a private IP
scheme and Shorewall is setup based on the 3 interface guide. Now I want
to change to a public scheme on my "loc" zone. I have a /24 block of
public IP's. I need my private scheme and public to co-exist so I
currently have is eth1 (local)
2004 Sep 11
5
Bridge Interface without an IP Address?
We are using Shorewall 2.0.8 with SuSE 9.1 and have built a bridging 
firewall primarily to defend against syn flood and smurf DoS attacks.
We are a small ISP using Cisco routers for a total of 5-6 subnets.
Since bridges are based on use of MAC addresses, if we could use one 
bridging firewall system instead of 5-6 ... is this possible? practical?
(Other than introducing a single point of failure
2006 Feb 10
4
Transparent http proxy
Hi all,
  I'm trying to set up a transparent proxy with dansguardian, and running
into some strange issues with the squid setup without dansguardian.  I have
used shorewall for quite some time, and I'm stumped as to why I can't get
this to work.  Here is a brief synopsis of my network.
loc --> gateway/firewall--> net
I have the following policies:
#firewall to
2005 May 01
2
IP range Match: Not available
Hi,
 
When I do shorewall check.. it said "IP range Match: Not available" I'm using Red Hat 9..  My question.. how can I make IP Range available in my system? I need the IP Range feature for my MASQUERADING.. Thanks.
 
 
Owel :)
2005 Sep 12
2
ip rule to block ssh attack
I've found the below rule, is it possible to use it with shorewall?
I see how to setup the timing/rates but how to perform logging of such action (a separate rule?).
As an additional question, is it possible to dynamically add hosts to blacklist and persist this between restarts?
"
SSH -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck --hitcount 3 --seconds 600 -j
2005 Apr 10
3
Re: whitelisting one IP in blacklisted netblock
Robin Lynn Frank wrote:
> I have an entire /8 blacklisted.  The problem is there is a single IP in
> it I want to exempt from this.  Searching the web site, I note there
> used to be (circa version 1.3) a whitelist feature, but I couldn't find
> a simple solution to what I want to do.
> 
> What would be the best/easiest way to accomplish this?
I can't think of a
2004 Dec 05
28
state INVALID
Having moved from a "cascading LANs" configuration to two independent LANs 
on eth0 and eth1, I still get some "state INVALID" for which I am not sure 
what the cause is. Can somebody help me understand its probable origin?
Thanks,
	Costantino 
[see attachment]
2006 May 14
6
How do I limit download speed by ip address on the LAN?
Hello there,
 
I can modify /etc/shorewall/tcdevices to control overall IN-BANDWIDTH. It is quite effective. Just change 2mbit to 128kbit.
 
However, how do I limit download speed for a certain host IP on the LAN? I want to limit host 192.168.1.140 download speed to 128Kbit. Other hosts on the 192.168.1.0 LAN can still surf at 2mbit.
 
Any input welcome.
 
Kind Regards,
 
Michael
2005 Jan 05
2
proxyarp IP problem after squid installed.
Hello All,
 
I am using shorewall 2.0.7. First I give you my config here and will tell you my problem.
 
ProxyARP:
203.77.204.85   eth1            eth0            no
 
Interface: 
 net    eth0            203.77.204.87
 loc    eth1            192.168.0.255   routeback
 
Masq :
eth0                   192.168.0.0/24  203.77.204.86
 
Rules:
# Squid access
REDIRECT loc           8080            tcp