From f6234d7aea2adfde213b1ea0d27a856fecd127e3 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 19 Feb 2009 15:36:19 +0000 Subject: [PATCH] Finish move of 'Limit' documentation to the Actions Article; Correct Macro doc git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9454 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/Documentation_Index.xml | 4 +- docs/Macros.xml | 13 ++-- docs/PortKnocking.xml | 145 +---------------------------------- 3 files changed, 13 insertions(+), 149 deletions(-) diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index 2b5690f7d..a88e69a37 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -18,7 +18,7 @@ - 2001-2008 + 2001-2009 Thomas M. Eastep @@ -57,7 +57,7 @@ 6to4 Tunnels - Limiting per-IPaddress + Limiting per-IPaddress Connection Rate Shorewall diff --git a/docs/Macros.xml b/docs/Macros.xml index 79e87c3b6..bd3bde270 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -133,11 +133,11 @@ ACCEPT loc fw udp 1024: 137 ACCEPT loc fw tcp 135,139,445 - Shorewall versions 4.2.0 and later: - When invoking a parameterized macro, you follow the name of the macro with - the action that you want to substitute for PARAM enclosed in parentheses. - The older syntax described above is still supported but is - deprecated. + Shorewall-perl versions 4.2.0 and + later: When invoking a parameterized macro, you follow the name + of the macro with the action that you want to substitute for PARAM + enclosed in parentheses. The older syntax described above is still + supported but is deprecated. Example: @@ -308,7 +308,8 @@ ACCEPT fw loc tcp 135,139,445 'Drop' macros that are equivalent to the 'Reject' and 'Drop' actions. - Default Macros are not supported by Shorewall-perl. + Default Macros are not supported by + Shorewall-perl.
diff --git a/docs/PortKnocking.xml b/docs/PortKnocking.xml index 077022cae..809cc0d4b 100644 --- a/docs/PortKnocking.xml +++ b/docs/PortKnocking.xml @@ -22,6 +22,8 @@ 2006 + 2009 + Thomas M. Eastep @@ -173,146 +175,7 @@ SSHKnock net loc:192.168.1.5 tcp 22 -
Limiting Per-IP Connection Rate - - Debian users. This feature is broken in the Debian version 3.0.7 - of Shorewall (and possibly in other versions). The file - /usr/share/shorewall/Limit was inadvertently - dropped from the .deb. That file may be obtained from Shorewall - SVN and installed manually. - - - Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' action. Limit is invoked with a comma-separated - list in place of a logging tag. The list has three elements: - - - - The name of a 'recent' set; you select the set name which must - conform to the rules for a valid chain name. Different rules that - specify the same set name will use the same set of counters. - - - - The number of connections permitted in a specified time - period. - - - - The time period, expressed in seconds. - - - - Connections that exceed the specified rate are dropped. - - For example,to use a recent set name of SSHA, and to limiting SSH to 3 per minute, use this - entry in /etc/shorewall/rules: - - #ACTION SOURCE DEST PROTO DEST PORT(S) -Limit:none:SSHA,3,60 net $FW tcp 22 - - If you want dropped connections to be logged at the info level, use - this rule instead: - - #ACTION SOURCE DEST PROTO DEST PORT(S) -Limit:info:SSHA,3,60 net $FW tcp 22 - - To summarize, you pass four pieces of information to the Limit - action: - - - - The log level. If you don't want to log, specify "none". - - - - The name of the recent set that you want to use ("SSHA" in this - example). - - - - The maximum number of connections to accept (3 in this - example). - - - - The number of seconds over which you are willing to accept that - many connections (60 in this example). - - - -
- How Limit is Implemented - - For those who are curious, the Limit action is implemented in - Shorewall 3.0 and Shorewall 3.2 as follows: - - - - The file - /usr/share/shorewall/action.Limit is - empty. - - - - The file /usr/share/shorewall/Limit is as - follows: - - set -- $(separate_list $TAG) - -[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag" - -run_iptables -A $CHAIN -m recent --name $1 --set - -if [ -n "$LEVEL" ]; then - run_iptables -N $CHAIN% - log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A - run_iptables -A $CHAIN% -j DROP - run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN% -else - run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP -fi - -run_iptables -A $CHAIN -j ACCEPT - - - - In Shorewall 3.3, Limit is made into a built-in action; basically - that means that the above code now lives inside of Shorewall rather than - in a separate file. - - For completeness, here's the above - /usr/share/shorewall/Limit for use with - Shorewall-perl: - - my @tag = split /,/, $tag; - -fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' - unless @tag == 3; - -my $set = $tag[0]; - -for ( @tag[1,2] ) { - fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . 
')' unless /^\d+$/ -} - -my $count = $tag[1] + 1; - -add_rule $chainref, "-m recent --name $set --set"; - -if ( $level ) { - my $xchainref = new_chain 'filter' , "$chainref->{name}%"; - log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', ''; - add_rule $xchainref, '-j DROP'; - add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}"; -} else { - add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP"; -} - -add_rule $chainref, '-j ACCEPT'; - -1; -
+ This information has been moved to the Actions article.
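Review bot: the replacement stub in the docs/PortKnocking.xml hunk ("This information has been moved to the Actions article.") drops two things a reader of the port-knocking page relied on, and the hunk gives no indication that they were carried across: the Debian 3.0.7 caveat that /usr/share/shorewall/Limit was missing from the .deb and had to be installed by hand from SVN, and the implementation detail that the recent-match rule uses `--hitcount $(( $2 + 1 ))` (Perl: `my $count = $tag[1] + 1;`), i.e. the drop fires on the (max+1)th connection inside the interval and the `--set` runs before the `--update` check. Please confirm the Actions article contains both the caveat and the semantics of the limit before this lands, otherwise the behavioural description is lost rather than moved. The stub also reads better with the section title kept, since the hunk removes "Limiting Per-IP Connection Rate" along with the body.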
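Review bot: in the docs/Documentation_Index.xml hunk the retitled index entry keeps the pre-existing typo "Limiting per-IPaddress" (no space between "IP" and "address"); since the line is being rewritten anyway, change it to "Limiting per-IP Address Connection Rate". The link target of that entry is not visible in this hunk, so please double-check it now points at the Actions article that the PortKnocking.xml stub refers to. Minor consistency point: this file bumps the copyright to the range "2001-2009" while PortKnocking.xml adds "2009" as a separate year entry; pick one convention.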
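Review bot: the second docs/Macros.xml hunk (@@ -308) only re-wraps "Default Macros are not supported by Shorewall-perl." with no change in wording, which adds diff noise and makes the substantive change in the first hunk (@@ -133, "Shorewall versions 4.2.0 and later" becoming "Shorewall-perl versions 4.2.0 and later", so the parenthesised PARAM syntax is scoped to Shorewall-perl) harder to spot; either drop the reflow-only hunk or mention the reflow in the commit message so reviewers do not hunt for a content change that is not there.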