forked from extern/shorewall_code
Finish move of 'Limit' documentation to the Actions Article; Correct Macro doc
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9454 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 5bac721af2
commit f6234d7aea
@ -18,7 +18,7 @@
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2008</year>
|
||||
<year>2001-2009</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
@ -57,7 +57,7 @@
|
||||
<row>
|
||||
<entry><ulink url="6to4.htm">6to4 Tunnels</ulink></entry>
|
||||
|
||||
<entry><ulink url="PortKnocking.html#Limit">Limiting per-IPaddress
|
||||
<entry><ulink url="Actions.html#Limit">Limiting per-IPaddress
|
||||
Connection Rate</ulink></entry>
|
||||
|
||||
<entry><ulink url="CompiledPrograms.html#Lite">Shorewall
|
||||
|
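Review bot: the link text "Limiting per-IPaddress Connection Rate" is missing a space ("per-IP address"); since the entry line is being rewritten to point at Actions.html#Limit anyway, fix the wording in the same change, i.e. '<entry><ulink url="Actions.html#Limit">Limiting per-IP address'. This hunk only retargets the link and does not add an id="Limit" section to Actions.xml, so confirm that anchor already exists there before merging, otherwise the index entry will land at the top of the Actions article instead of the Limit section.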
@ -133,11 +133,11 @@ ACCEPT loc fw udp 1024: 137
|
||||
ACCEPT loc fw tcp 135,139,445</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para><emphasis role="bold">Shorewall versions 4.2.0 and later:</emphasis>
|
||||
When invoking a parameterized macro, you follow the name of the macro with
|
||||
the action that you want to substitute for PARAM enclosed in parentheses.
|
||||
The older syntax described above is still supported but is
|
||||
deprecated.</para>
|
||||
<para><emphasis role="bold">Shorewall-perl versions 4.2.0 and
|
||||
later:</emphasis> When invoking a parameterized macro, you follow the name
|
||||
of the macro with the action that you want to substitute for PARAM
|
||||
enclosed in parentheses. The older syntax described above is still
|
||||
supported but is deprecated.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
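Review bot: narrowing the paragraph from "Shorewall versions 4.2.0 and later" to "Shorewall-perl versions 4.2.0 and later" leaves Shorewall-shell users with no statement of which invocation syntax they should use for parameterized macros; add one sentence saying explicitly whether the parenthesized PARAM form applies to Shorewall-shell as well or whether only the older syntax does. The remaining text ("The older syntax described above is still supported but is deprecated.") is unchanged and reads fine.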
@ -308,7 +308,8 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
|
||||
'Drop' macros that are equivalent to the 'Reject' and 'Drop'
|
||||
actions.</para>
|
||||
|
||||
<para>Default Macros are not supported by Shorewall-perl.</para>
|
||||
<para><emphasis>Default Macros are not supported by
|
||||
Shorewall-perl.</emphasis></para>
|
||||
</section>
|
||||
|
||||
<section id="Defining">
|
||||
|
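Review bot: the <emphasis> wrapper added around "Default Macros are not supported by Shorewall-perl." carries no role attribute, while the other emphasised version notes in this file (the "Shorewall-perl versions 4.2.0 and later:" paragraph in the previous hunk) use <emphasis role="bold">; give this one the same role so the two notes render consistently.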
@ -22,6 +22,8 @@
|
||||
|
||||
<year>2006</year>
|
||||
|
||||
<year>2009</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
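Review bot: this file records copyright years as separate elements (the existing <year>2006</year> followed by the new <year>2009</year>), whereas the Macros document in this same commit uses a single range (<year>2001-2009</year>); both are valid DocBook, but pick one form for the whole documentation set. The visible lines list only 2006 and 2009, so a range such as <year>2006-2009</year> would be the simpler fix if the intervening years are meant to be covered.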
@ -173,146 +175,7 @@ SSHKnock net loc:192.168.1.5 tcp 22 -
|
||||
<section id="Limit">
|
||||
<title>Limiting Per-IP Connection Rate</title>
|
||||
|
||||
<important>
|
||||
<para>Debian users. This feature is broken in the Debian version 3.0.7
|
||||
of Shorewall (and possibly in other versions). The file
|
||||
<filename>/usr/share/shorewall/Limit</filename> was inadvertently
|
||||
dropped from the .deb. That file may be obtained from <ulink
|
||||
url="http://shorewall.svn.sourceforge.net/viewvc/*checkout*/shorewall/tags/3.0.7/Shorewall/Limit?revision=3888">Shorewall
|
||||
SVN</ulink> and installed manually.</para>
|
||||
</important>
|
||||
|
||||
<para>Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' <ulink
|
||||
url="Actions.html">action</ulink>. Limit is invoked with a comma-separated
|
||||
list in place of a logging tag. The list has three elements:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>The name of a 'recent' set; you select the set name which must
|
||||
conform to the rules for a valid chain name. Different rules that
|
||||
specify the same set name will use the same set of counters.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The number of connections permitted in a specified time
|
||||
period.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The time period, expressed in seconds.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Connections that exceed the specified rate are dropped.</para>
|
||||
|
||||
<para>For example,to use a recent set name of <emphasis
|
||||
role="bold">SSHA</emphasis>, and to limiting SSH to 3 per minute, use this
|
||||
entry in <filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>If you want dropped connections to be logged at the info level, use
|
||||
this rule instead:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
|
||||
|
||||
<para>To summarize, you pass four pieces of information to the Limit
|
||||
action:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The log level. If you don't want to log, specify "none".</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The name of the recent set that you want to use ("SSHA" in this
|
||||
example).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The maximum number of connections to accept (3 in this
|
||||
example).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The number of seconds over which you are willing to accept that
|
||||
many connections (60 in this example).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<section id="LimitImp">
|
||||
<title>How Limit is Implemented</title>
|
||||
|
||||
<para>For those who are curious, the Limit action is implemented in
|
||||
Shorewall 3.0 and Shorewall 3.2 as follows:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The file
|
||||
<filename>/usr/share/shorewall/action</filename>.Limit is
|
||||
empty.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The file <filename>/usr/share/shorewall/Limit</filename> is as
|
||||
follows:</para>
|
||||
|
||||
<programlisting>set -- $(separate_list $TAG)
|
||||
|
||||
[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"
|
||||
|
||||
run_iptables -A $CHAIN -m recent --name $1 --set
|
||||
|
||||
if [ -n "$LEVEL" ]; then
|
||||
run_iptables -N $CHAIN%
|
||||
log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
|
||||
run_iptables -A $CHAIN% -j DROP
|
||||
run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
|
||||
else
|
||||
run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
|
||||
fi
|
||||
|
||||
run_iptables -A $CHAIN -j ACCEPT</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In Shorewall 3.3, Limit is made into a built-in action; basically
|
||||
that means that the above code now lives inside of Shorewall rather than
|
||||
in a separate file.</para>
|
||||
|
||||
<para>For completeness, here's the above
|
||||
<filename>/usr/share/shorewall/Limit</filename> for use with
|
||||
Shorewall-perl:</para>
|
||||
|
||||
<programlisting>my @tag = split /,/, $tag;
|
||||
|
||||
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
|
||||
unless @tag == 3;
|
||||
|
||||
my $set = $tag[0];
|
||||
|
||||
for ( @tag[1,2] ) {
|
||||
fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
|
||||
}
|
||||
|
||||
my $count = $tag[1] + 1;
|
||||
|
||||
add_rule $chainref, "-m recent --name $set --set";
|
||||
|
||||
if ( $level ) {
|
||||
my $xchainref = new_chain 'filter' , "$chainref->{name}%";
|
||||
log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
|
||||
add_rule $xchainref, '-j DROP';
|
||||
add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
|
||||
} else {
|
||||
add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
|
||||
}
|
||||
|
||||
add_rule $chainref, '-j ACCEPT';
|
||||
|
||||
1; </programlisting>
|
||||
</section>
|
||||
<para>This information has been moved to the<ulink
|
||||
url="Actions.html#Limit"> Actions article</ulink>.</para>
|
||||
</section>
|
||||
</article>
|
||||
|
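Review bot: the replacement paragraph puts the space inside the link instead of before it ('to the<ulink url="Actions.html#Limit"> Actions article</ulink>'), which renders as "to theActions article" with a leading blank in the link text; change it to 'to the <ulink url="Actions.html#Limit">Actions article</ulink>'. Keeping the now-empty <section id="Limit"> is the right call, since external links to PortKnocking.html#Limit keep resolving and land on the pointer. Because this hunk only deletes, confirm that everything removed reached Actions.xml intact: the Debian 3.0.7 <important> note about the missing /usr/share/shorewall/Limit file, the set-name, max-connections and interval description, and both implementations, in which the "-m recent --name $1 --set" rule must stay ahead of the "--update --seconds $3 --hitcount $(( $2 + 1 )) -j DROP" rule and the Perl version's /^\d+$/ check on max connections and interval must survive, since that ordering and validation are what make the rate limit enforce what the documentation promises.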