diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index 2b5690f7d..a88e69a37 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -18,7 +18,7 @@
- 2001-2008
+ 2001-2009
Thomas M. Eastep
@@ -57,7 +57,7 @@
6to4 Tunnels
- Limiting per-IPaddress
+ Limiting per-IPaddress
Connection Rate
Shorewall
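Review bot: the removed and added lines at the top of this hunk read identically here ("Limiting per-IPaddress"), so the actual change (presumably a link target or whitespace inside the markup) is invisible in the rendered diff; state what changed in the commit message. While touching this index entry, "per-IPaddress" should read "per-IP address", matching the "Limiting Per-IP Connection Rate" heading in PortKnocking.xml.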
diff --git a/docs/Macros.xml b/docs/Macros.xml
index 79e87c3b6..bd3bde270 100644
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -133,11 +133,11 @@ ACCEPT loc fw udp 1024: 137
ACCEPT loc fw tcp 135,139,445
- Shorewall versions 4.2.0 and later:
- When invoking a parameterized macro, you follow the name of the macro with
- the action that you want to substitute for PARAM enclosed in parentheses.
- The older syntax described above is still supported but is
- deprecated.
+ Shorewall-perl versions 4.2.0 and
+ later: When invoking a parameterized macro, you follow the name
+ of the macro with the action that you want to substitute for PARAM
+ enclosed in parentheses. The older syntax described above is still
+ supported but is deprecated.
Example:
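Review bot: the substantive change in this otherwise reflowed paragraph is narrowing it from "Shorewall versions 4.2.0 and later" to "Shorewall-perl versions 4.2.0 and later"; if the parenthesized PARAM syntax is indeed unavailable under Shorewall-shell, say so explicitly, since the deprecated "older syntax" sentence that follows is then the only form that applies there.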
@@ -308,7 +308,8 @@ ACCEPT fw loc tcp 135,139,445
'Drop' macros that are equivalent to the 'Reject' and 'Drop'
actions.
- Default Macros are not supported by Shorewall-perl.
+ Default Macros are not supported by
+ Shorewall-perl.
diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml
index 077022cae..809cc0d4b 100644
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -22,6 +22,8 @@
2006
+ 2009
+
Thomas M. Eastep
@@ -173,146 +175,7 @@ SSHKnock net loc:192.168.1.5 tcp 22 -
Limiting Per-IP Connection Rate
-
- Debian users. This feature is broken in the Debian version 3.0.7
- of Shorewall (and possibly in other versions). The file
- /usr/share/shorewall/Limit was inadvertently
- dropped from the .deb. That file may be obtained from Shorewall
- SVN and installed manually.
-
-
- Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' action. Limit is invoked with a comma-separated
- list in place of a logging tag. The list has three elements:
-
-
-
- The name of a 'recent' set; you select the set name which must
- conform to the rules for a valid chain name. Different rules that
- specify the same set name will use the same set of counters.
-
-
-
- The number of connections permitted in a specified time
- period.
-
-
-
- The time period, expressed in seconds.
-
-
-
- Connections that exceed the specified rate are dropped.
-
- For example,to use a recent set name of SSHA, and to limiting SSH to 3 per minute, use this
- entry in /etc/shorewall/rules:
-
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-Limit:none:SSHA,3,60 net $FW tcp 22
-
- If you want dropped connections to be logged at the info level, use
- this rule instead:
-
- #ACTION SOURCE DEST PROTO DEST PORT(S)
-Limit:info:SSHA,3,60 net $FW tcp 22
-
- To summarize, you pass four pieces of information to the Limit
- action:
-
-
-
- The log level. If you don't want to log, specify "none".
-
-
-
- The name of the recent set that you want to use ("SSHA" in this
- example).
-
-
-
- The maximum number of connections to accept (3 in this
- example).
-
-
-
- The number of seconds over which you are willing to accept that
- many connections (60 in this example).
-
-
-
-
- How Limit is Implemented
-
- For those who are curious, the Limit action is implemented in
- Shorewall 3.0 and Shorewall 3.2 as follows:
-
-
-
- The file
- /usr/share/shorewall/action.Limit is
- empty.
-
-
-
- The file /usr/share/shorewall/Limit is as
- follows:
-
- set -- $(separate_list $TAG)
-
-[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
-
-run_iptables -A $CHAIN -m recent --name $1 --set
-
-if [ -n "$LEVEL" ]; then
- run_iptables -N $CHAIN%
- log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
- run_iptables -A $CHAIN% -j DROP
- run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
-else
- run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
-fi
-
-run_iptables -A $CHAIN -j ACCEPT
-
-
-
- In Shorewall 3.3, Limit is made into a built-in action; basically
- that means that the above code now lives inside of Shorewall rather than
- in a separate file.
-
- For completeness, here's the above
- /usr/share/shorewall/Limit for use with
- Shorewall-perl:
-
- my @tag = split /,/, $tag;
-
-fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
- unless @tag == 3;
-
-my $set = $tag[0];
-
-for ( @tag[1,2] ) {
- fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
-}
-
-my $count = $tag[1] + 1;
-
-add_rule $chainref, "-m recent --name $set --set";
-
-if ( $level ) {
- my $xchainref = new_chain 'filter' , "$chainref->{name}%";
- log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
- add_rule $xchainref, '-j DROP';
- add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
-} else {
- add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
-}
-
-add_rule $chainref, '-j ACCEPT';
-
-1;
-
+ This information has been moved to the Actions article.
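Review bot: the replacement sentence at the end of this hunk says the information has moved to the Actions article but, as rendered here, carries no cross-reference to it; add a link so readers arriving via the "Limiting Per-IP Connection Rate" heading kept as context at the top of the hunk can find the Limit action, and since the Documentation_Index.xml hunk above still lists "Limiting per-IPaddress Connection Rate", check that the index entry now points at the Actions article rather than at this emptied section. Also confirm the Actions article carries everything removed here before merging: the four-field breakdown (log level, recent set name, maximum connections, interval), both implementations of /usr/share/shorewall/Limit (the shell version and the Shorewall-perl version, including the hitcount of max+1 and the numeric validation of the count and interval fields), and the note about the Debian 3.0.7 package inadvertently dropping /usr/share/shorewall/Limit, so nothing is lost in the move.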