forked from extern/shorewall_code
Log syn-flood protection drops
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1799 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
35f5ccba79
commit
e73d3149d9
@ -99,3 +99,7 @@ Changes in 2.0.12
|
||||
Changes in 2.0.13
|
||||
|
||||
1) Correct typo in "shorewall add" code.
|
||||
|
||||
Changes in 2.0.14
|
||||
|
||||
1) Log drops due to policy rate limiting.
|
||||
|
@ -1844,8 +1844,9 @@ setup_mac_lists() {
|
||||
setup_syn_flood_chain ()
|
||||
# $1 = policy chain
|
||||
# $2 = synparams
|
||||
# $3 = loglevel
|
||||
{
|
||||
local chain=$1
|
||||
local chain=@$1
|
||||
local limit=$2
|
||||
local limit_burst=
|
||||
|
||||
@ -1856,9 +1857,11 @@ setup_syn_flood_chain ()
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables -N @$chain
|
||||
run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
|
||||
run_iptables -A @$chain -j DROP
|
||||
run_iptables -N $chain
|
||||
run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
|
||||
[ -n "$3" ] && \
|
||||
log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
|
||||
run_iptables -A $chain -j DROP
|
||||
}
|
||||
|
||||
#
|
||||
@ -5248,7 +5251,7 @@ apply_policy_rules() {
|
||||
eval loglevel=\$${chain}_loglevel
|
||||
eval synparams=\$${chain}_synparams
|
||||
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||
|
||||
if havechain $chain; then
|
||||
[ -n "$synparams" ] && \
|
||||
|
@ -247,3 +247,11 @@ Problems corrected in 2.0.13
|
||||
|
||||
/usr/share/shorewall/firewall: line 1: match_destination_hosts: command
|
||||
not found
|
||||
-----------------------------------------------------------------------
|
||||
New Features in 2.0.14
|
||||
|
||||
1) Previously, when rate-limiting was specified in
|
||||
/etc/shorewall/policy (LIMIT:BURST column), any traffic which
|
||||
exceeded the specified rate was silently dropped. Now, if a log
|
||||
level is given in the entry (LEVEL column) then drops are logged at
|
||||
that level at a rate of 5/min with a burst of 5.
|
||||
|
@ -167,4 +167,7 @@ Changes since 2.0.3
|
||||
|
||||
81) Correct OUTPUT handling of dynamic zones.
|
||||
|
||||
82) Add adapter statistics to the output of "shorewall status".
|
||||
83) Add adapter statistics to the output of "shorewall status".
|
||||
|
||||
84) Log drops due to policy rate limiting.
|
||||
|
||||
|
@ -2082,8 +2082,9 @@ setup_mac_lists() {
|
||||
setup_syn_flood_chain ()
|
||||
# $1 = policy chain
|
||||
# $2 = synparams
|
||||
# $3 = loglevel
|
||||
{
|
||||
local chain=$1
|
||||
local chain=@$1
|
||||
local limit=$2
|
||||
local limit_burst=
|
||||
|
||||
@ -2094,9 +2095,11 @@ setup_syn_flood_chain ()
|
||||
;;
|
||||
esac
|
||||
|
||||
run_iptables -N @$chain
|
||||
run_iptables -A @$chain -m limit --limit $limit $limit_burst -j RETURN
|
||||
run_iptables -A @$chain -j DROP
|
||||
run_iptables -N $chain
|
||||
run_iptables -A $chain -m limit --limit $limit $limit_burst -j RETURN
|
||||
[ -n "$3" ] && \
|
||||
log_rule_limit $3 $chain $chain DROP "-m limit --limit 5/min --limit-burst 5" "" ""
|
||||
run_iptables -A $chain -j DROP
|
||||
}
|
||||
|
||||
#
|
||||
@ -6142,7 +6145,7 @@ apply_policy_rules() {
|
||||
eval loglevel=\$${chain}_loglevel
|
||||
eval synparams=\$${chain}_synparams
|
||||
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
|
||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams $loglevel
|
||||
|
||||
if havechain $chain; then
|
||||
[ -n "$synparams" ] && \
|
||||
|
@ -770,3 +770,9 @@ New Features:
|
||||
33) The output of "shorewall status" now includes the results of "ip
|
||||
-stat link ls". This helps diagnose performance problems caused by
|
||||
link errors.
|
||||
|
||||
34) Previously, when rate-limiting was specified in
|
||||
/etc/shorewall/policy (LIMIT:BURST column), any traffic which
|
||||
exceeded the specified rate was silently dropped. Now, if a log
|
||||
level is given in the entry (LEVEL column) then drops are logged at
|
||||
that level at a rate of 5/min with a burst of 5.
|
||||
|
Loading…
Reference in New Issue
Block a user