diff --git a/docs/Actions.xml b/docs/Actions.xml
index 8a45f626a..ccbd63eb2 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -188,6 +188,152 @@ Reject:REJECT #Default Action for REJECT policy
+
+ Limiting Per-IP Connection Rate
+
+
+ Debian users. This feature is broken in the Debian version 3.0.7
+ of Shorewall (and possibly in other versions). The file
+ /usr/share/shorewall/Limit was inadvertently dropped
+ from the .deb. That file may be obtained from Shorewall
+ SVN and installed manually.
+
+
+ Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' action. Limit is invoked with a comma-separated
+ list in place of a logging tag. The list has three elements:
+
+
+
+ The name of a 'recent' set; you select the set name which must
+ conform to the rules for a valid chain name. Different rules that
+ specify the same set name will use the same set of counters.
+
+
+
+ The number of connections permitted in a specified time
+ period.
+
+
+
+ The time period, expressed in seconds.
+
+
+
+ Connections that exceed the specified rate are dropped.
+
+ For example,to use a recent set name of SSHA, and to limiting SSH to 3 per minute, use this
+ entry in /etc/shorewall/rules:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+Limit:none:SSHA,3,60 net $FW tcp 22
+
+ If you want dropped connections to be logged at the info level, use
+ this rule instead:
+
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
+Limit:info:SSHA,3,60 net $FW tcp 22
+
+ To summarize, you pass four pieces of information to the Limit
+ action:
+
+
+
+ The log level. If you don't want to log, specify "none".
+
+
+
+ The name of the recent set that you want to use ("SSHA" in this
+ example).
+
+
+
+ The maximum number of connections to accept (3 in this
+ example).
+
+
+
+ The number of seconds over which you are willing to accept that
+ many connections (60 in this example).
+
+
+
+
+ How Limit is Implemented
+
+ For those who are curious, the Limit action is implemented in
+ Shorewall 3.0 and Shorewall 3.2 as follows:
+
+
+
+ The file
+ /usr/share/shorewall/action.Limit is
+ empty.
+
+
+
+ The file /usr/share/shorewall/Limit is as
+ follows:
+
+ set -- $(separate_list $TAG)
+
+[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
+
+run_iptables -A $CHAIN -m recent --name $1 --set
+
+if [ -n "$LEVEL" ]; then
+ run_iptables -N $CHAIN%
+ log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
+ run_iptables -A $CHAIN% -j DROP
+ run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
+else
+ run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
+fi
+
+run_iptables -A $CHAIN -j ACCEPT
+
+
+
+ In Shorewall 3.3, Limit is made into a built-in action; basically
+ that means that the above code now lives inside of Shorewall rather than
+ in a separate file.
+
+ For completeness, here's the above
+ /usr/share/shorewall/Limit for use with
+ Shorewall-perl:
+
+ my @tag = split /,/, $tag;
+
+fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
+ unless @tag == 3;
+
+my $set = $tag[0];
+
+for ( @tag[1,2] ) {
+ fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+}
+
+my $count = $tag[1] + 1;
+
+add_rule $chainref, "-m recent --name $set --set";
+
+if ( $level ) {
+ my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+ log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
+ add_rule $xchainref, '-j DROP';
+ add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+} else {
+ add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
+}
+
+add_rule $chainref, '-j ACCEPT';
+
+1;
+
+
+
Defining your own Actions
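Review bot: the shell implementation of Limit checks only the element count (`[ $# -eq 3 ] || fatal_error ...`) and then feeds `$2` and `$3` straight into `$(( $2 + 1 ))` and `--seconds $3`; a non-numeric value in the tag produces an arithmetic error rather than the clear diagnostic the Perl version gives with its `unless /^\d+$/` loop. Add the same numeric check before the `run_iptables` lines so both implementations fail the same way. Two small typos in the added documentation text: "For example,to use" is missing a space, and "to limiting SSH to 3 per minute" should read "to limit SSH to 3 per minute".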
diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml
index 3a9413a22..80a83afa6 100644
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -176,7 +176,8 @@ SSHKnock net loc:192.168.1.5 tcp 22 -
of Shorewall (and possibly in other versions). The file
/usr/share/shorewall/Limit was inadvertently
dropped from the .deb. That file may be obtained from Shorewall SVN and installed manually.
+ url="http://shorewall.svn.sourceforge.net/viewvc/*checkout*/shorewall/tags/3.0.7/Shorewall/Limit?revision=3888">Shorewall
+ SVN and installed manually.
Beginning with Shorewall 3.0.4, Shorewall has a 'Limit'
-
\ No newline at end of file
+
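Review bot: the unchanged context line above already ends with "obtained from Shorewall SVN and installed manually.", and this hunk only adds `url="...">Shorewall` and `SVN and installed manually.` after it without removing anything, so the rendered note will repeat "Shorewall SVN and installed manually." twice. The old wording should be a `-` line so the ulink replaces it, as the Actions.xml version of the same note does. Pinning the link to tags/3.0.7 with an explicit revision is appropriate since the note is specifically about the 3.0.7 package; the trailing-newline fix at the end of the file is fine.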