holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add Limit as a standard action

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3171 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-12-15 22:42:39 +00:00
parent 9ff2efcedd
commit 5b3fef21a8
7 changed files with 73 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
Shorewall/Limit Normal file
View File

@ -0,0 +1,22 @@
#
# Shorewall version 3.0 -- Extension Script to create Limit action.
#
# /usr/share/shorewall/Limit
##############################################################################
set -- $(separate_list $TAG)
[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
run_iptables -A $CHAIN -m recent --name $1 --set
if [ -n "$LEVEL" ]; then
run_iptables -N $CHAIN%
log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
run_iptables -A $CHAIN% -j DROP
run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
else
run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
fi
run_iptables -A $CHAIN -j ACCEPT

29
Shorewall/action.Limit Normal file
View File

@ -0,0 +1,29 @@
#
# Shorewall version 3.0 - Limit Action
#
# /usr/share/shorewall/action.Limit
#
# Invoke this action as follows:
#
# Limit:<log level>:<set name>,<count>,<seconds>
#
# Where:
#
# <log level> = none, if you don't want rejected packets dropped
# = A log level otherwise.
# <set name> = The name you want to assign to the
# 'recent set' that tracks this rate
# <count>/<seconds> = The rate at which you are willing to accept
# connections
# Example:
# Limit:info:SSHA,3,60 Logs at the info level, uses a recent set
# named "SSHA" and accepts connections at a
# maximum rate of 3/minute.
#
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# This action has no rules. It is created entirely by the Limit extension
# script /usr/share/shorewall/Limit
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5
Shorewall/actions.std
View File

@ -23,6 +23,7 @@
# #
############################################################################### ###############################################################################
#ACTION #ACTION
Drop:DROP # Common Action for DROP policy Drop:DROP # Common Action for DROP policy
Reject:REJECT # Common Action for REJECT policy Reject:REJECT # Common Action for REJECT policy
Limit # Limit the rate of connections from each individual IP
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

2
Shorewall/changelog.txt
View File

@ -2,6 +2,8 @@ Changes in 3.0.4
1) Console-friendly version of shorewall.conf. 1) Console-friendly version of shorewall.conf.
2) Add 'Limit' as a standard action.
Changes in 3.0.3 Changes in 3.0.3
1) Implement "shorewall show macros" 1) Implement "shorewall show macros"

3
Shorewall/install.sh
View File

@ -577,6 +577,9 @@ for f in action.* ; do
echo echo
echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f" echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall/$f"
done done
install_file Limit ${PREFIX}/usr/share/shorewall/Limit 0600
echo "Limit action extension script installed as ${PREFIX}/usr/share/shorewall/Limit"
# #
# Install the Macro files # Install the Macro files
# #

18
Shorewall/shorewall
View File

@ -911,15 +911,15 @@ case "$1" in
report_capabilities report_capabilities
;; ;;
actions) actions)
echo "allowBcast #Silently Allow Broadcast/multicast" echo "allowBcast # Silently Allow Broadcast/multicast"
echo "dropBcast #Silently Drop Broadcast/multicast" echo "dropBcast # Silently Drop Broadcast/multicast"
echo "dropNotSyn #Silently Drop Non-syn TCP packets" echo "dropNotSyn # Silently Drop Non-syn TCP packets"
echo "rejNotSyn #Silently Reject Non-syn TCP packets" echo "rejNotSyn # Silently Reject Non-syn TCP packets"
echo "dropInvalid #Silently Drop packets that are in the INVALID conntrack state" echo "dropInvalid # Silently Drop packets that are in the INVALID conntrack state"
echo "allowInvalid #Accept packets that are in the INVALID conntrack state." echo "allowInvalid # Accept packets that are in the INVALID conntrack state."
echo "allowoutUPnP #Allow traffic from local command 'upnpd'" echo "allowoutUPnP # Allow traffic from local command 'upnpd'"
echo "allowinUPnP #Allow UPnP inbound (to firewall) traffic" echo "allowinUPnP # Allow UPnP inbound (to firewall) traffic"
echo "forwardUPnP #Allow traffic that upnpd has redirected from" echo "forwardUPnP # Allow traffic that upnpd has redirected from"
cat /usr/share/shorewall/actions.std /etc/shorewall/actions | grep -Ev '^\#|^$' cat /usr/share/shorewall/actions.std /etc/shorewall/actions | grep -Ev '^\#|^$'
;; ;;
macros) macros)

6
Shorewall/shorewall.spec
View File

@ -106,11 +106,13 @@ fi
%attr(0600,root,root) /usr/share/shorewall/version %attr(0600,root,root) /usr/share/shorewall/version
%attr(0600,root,root) /usr/share/shorewall/actions.std %attr(0600,root,root) /usr/share/shorewall/actions.std
%attr(0600,root,root) /usr/share/shorewall/action.Drop %attr(0600,root,root) /usr/share/shorewall/action.Drop
%attr(0600,root,root) /usr/share/shorewall/action.Limit
%attr(0600,root,root) /usr/share/shorewall/action.Reject %attr(0600,root,root) /usr/share/shorewall/action.Reject
%attr(0600,root,root) /usr/share/shorewall/action.template %attr(0600,root,root) /usr/share/shorewall/action.template
%attr(0444,root,root) /usr/share/shorewall/functions %attr(0444,root,root) /usr/share/shorewall/functions
%attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/firewall
%attr(0544,root,root) /usr/share/shorewall/help %attr(0544,root,root) /usr/share/shorewall/help
%attr(0600,root,root) /usr/share/shorewall/Limit
%attr(0600,root,root) /usr/share/shorewall/macro.AllowICMPs %attr(0600,root,root) /usr/share/shorewall/macro.AllowICMPs
%attr(0600,root,root) /usr/share/shorewall/macro.Amanda %attr(0600,root,root) /usr/share/shorewall/macro.Amanda
%attr(0600,root,root) /usr/share/shorewall/macro.Auth %attr(0600,root,root) /usr/share/shorewall/macro.Auth
@ -146,7 +148,7 @@ fi
%attr(0600,root,root) /usr/share/shorewall/macro.SVN %attr(0600,root,root) /usr/share/shorewall/macro.SVN
%attr(0600,root,root) /usr/share/shorewall/macro.Syslog %attr(0600,root,root) /usr/share/shorewall/macro.Syslog
%attr(0600,root,root) /usr/share/shorewall/macro.Telnet %attr(0600,root,root) /usr/share/shorewall/macro.Telnet
%attr(0600,root,root) /usr/share/shorewall/macro.template %attr(0600,root,root) /usr/share/shorewall/macro.template%
%attr(0600,root,root) /usr/share/shorewall/macro.Trcrt %attr(0600,root,root) /usr/share/shorewall/macro.Trcrt
%attr(0600,root,root) /usr/share/shorewall/macro.VNC %attr(0600,root,root) /usr/share/shorewall/macro.VNC
%attr(0600,root,root) /usr/share/shorewall/macro.VNCL %attr(0600,root,root) /usr/share/shorewall/macro.VNCL
@ -158,6 +160,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog %changelog
* Thu Dec 15 2005 Tom Eastep tom@shorewall.net
- Add Limit action
* Mon Dec 12 2005 Tom Eastep tom@shorewall.net * Mon Dec 12 2005 Tom Eastep tom@shorewall.net
- Updated to 3.0.3-1 - Updated to 3.0.3-1
* Tue Nov 22 2005 Tom Eastep tom@shorewall.net * Tue Nov 22 2005 Tom Eastep tom@shorewall.net