public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: raise log rate limit for user generated rules, too
Date: Wed, 25 Sep 2019 16:24:33 +0100	[thread overview]
Message-ID: <984ADB55-329D-419F-B216-44BF705D2ACE@ipfire.org> (raw)
In-Reply-To: <a6a8fb72-7986-363d-a2ba-7a32d94b9531@ipfire.org>


Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 25 Sep 2019, at 16:06, peter.mueller(a)ipfire.org wrote:
> 
> Having raised the overall log rate limit to 10 packets per second
> in Core Update 136, this did not affect rules generated by the
> user. In order to stay consistent, this patch also raises the log rate
> limit for these.
> 
> In order to avoid side effects on firewalls with slow disks, it
> was probably better to touch these categories separately, so testing
> users won't be DoSsed instantly. :-)

Well, I am not sure if that was a good strategy in the end.

> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/firewall/firewall-policy           | 16 ++++++++--------
> config/firewall/rules.pl                  |  6 +++---
> config/rootfiles/core/137/filelists/files |  2 ++
> 3 files changed, 13 insertions(+), 11 deletions(-)
> 
> diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
> index 078c3c515..21165e933 100755
> --- a/config/firewall/firewall-policy
> +++ b/config/firewall/firewall-policy
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2013 Alexander Marx <amarx(a)ipfire.org>                        #
> +# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
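Review bot: the copyright header rewrite in this hunk (2013 Alexander Marx replaced by 2007-2019 IPFire Team) is unrelated to the rate-limit change and is not mentioned in the commit message; either drop it from this patch or add a sentence to the message saying the header is being normalised. The same applies to the identical header hunk in rules.pl further down.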
> @@ -100,13 +100,13 @@ esac
> case "${FWPOLICY2}" in
> 	REJECT)
> 		if [ "${DROPINPUT}" = "on" ]; then
> -			iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
> +			iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "REJECT_INPUT "
> 		fi
> 		iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
> 		;;
> 	*) # DROP
> 		if [ "${DROPINPUT}" = "on" ]; then
> -			iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
> +			iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "DROP_INPUT "
> 		fi
> 		iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
> 		;;
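Review bot: the POLICYIN LOG rules in this hunk set `--limit 10/second` but no `--limit-burst`, so the xt_limit default burst of 5 applies, whereas make_log_limit_options in rules.pl (later in this patch) sets `--limit-burst` to 2x the limit, i.e. 20. Since the stated goal is consistency with user-generated rules, add `--limit-burst 20` to these four LOG lines as well, or better, have both scripts read rate and burst from one place.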
> @@ -118,13 +118,13 @@ case "${POLICY}" in
> 		case "${FWPOLICY}" in
> 			REJECT)
> 				if [ "${DROPFORWARD}" = "on" ]; then
> -					iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
> +					iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "REJECT_FORWARD "
> 				fi
> 				iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
> 				;;
> 			*) # DROP
> 				if [ "${DROPFORWARD}" = "on" ]; then
> -					iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
> +					iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
> 				fi
> 				iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
> 				;;
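Review bot: after this hunk the same LOG rule, with the hard-coded `10/second`, is spelled out for the third and fourth time in this file, and the pattern repeats for every chain and policy branch. A small shell helper taking the chain and the log prefix (for example `log_limited POLICYFWD "DROP_FORWARD "`) would keep the rate and burst in one line, so the next change of the limit is a one-line diff instead of eight identical edits that are easy to miss.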
> @@ -160,7 +160,7 @@ case "${POLICY}" in
> 		fi
> 
> 		if [ "${DROPFORWARD}" = "on" ]; then
> -			iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
> +			iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
> 		fi
> 		iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
> 		;;
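Review bot: style only, the context line `iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP` puts the comment match before the target, whereas the other POLICYIN and POLICYFWD DROP lines in this file write `-j DROP -m comment --comment ...`; the behaviour is identical, but since these lines are being touched anyway it is worth aligning the ordering so the blocks diff cleanly against each other.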
> @@ -172,13 +172,13 @@ case "${POLICY1}" in
> 		case "${FWPOLICY1}" in
> 			REJECT)
> 				if [ "${DROPOUTGOING}" = "on" ]; then
> -					iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
> +					iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "REJECT_OUTPUT "
> 				fi
> 				iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
> 				;;
> 			*) # DROP
> 				if [ "${DROPOUTGOING}" == "on" ]; then
> -					iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
> +					iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "DROP_OUTPUT "
> 				fi
> 				iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
> 				;;
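Review bot: the DROP branch here tests `[ "${DROPOUTGOING}" == "on" ]` while the REJECT branch directly above and every other branch in this file use a single `=`. `==` inside `[ ]` is a bash extension and is not accepted by a POSIX test(1), so change it to `=` while the surrounding lines are being edited; it is a context line, but the fix belongs in the same patch.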
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 78e3e1e91..86db47367 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -2,7 +2,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2013 Alexander Marx <amarx(a)ipfire.org>                        #
> +# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -804,8 +804,8 @@ sub make_log_limit_options {
> 	# Maybe we should get this from the configuration.
> 	my $limit = 10;
> 
> -	# We limit log messages to $limit messages per minute.
> -	push(@options, ("--limit", "$limit/min"));
> +	# We limit log messages to $limit messages per second.
> +	push(@options, ("--limit", "$limit/second"));
> 
> 	# And we allow bursts of 2x $limit.
> 	push(@options, ("--limit-burst", $limit * 2));
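Review bot: the comment "Maybe we should get this from the configuration" becomes more pressing with this hunk, because the value 10 is now hard-coded both here and as the literal `10/second` in eight lines of firewall-policy, and the two already diverge on burst (`$limit * 2` = 20 here versus the kernel default of 5 in firewall-policy, which sets no `--limit-burst`). Consider exporting limit and burst from a single setting that both scripts consume, so they cannot drift apart again.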
> diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files
> index ce4e51768..04b6c42ff 100644
> --- a/config/rootfiles/core/137/filelists/files
> +++ b/config/rootfiles/core/137/filelists/files
> @@ -1,4 +1,6 @@
> etc/system-release
> etc/issue
> srv/web/ipfire/cgi-bin/credits.cgi
> +usr/lib/firewall/rules.pl
> +usr/sbin/firewall-policy
> var/ipfire/langs
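Review bot: adding usr/lib/firewall/rules.pl and usr/sbin/firewall-policy to the core 137 filelist ships the changed scripts, but the running ruleset is only regenerated from them when the firewall is reloaded, and nothing in this diff does that. Check that the core 137 update script restarts the firewall after installing these files; otherwise the old `10/minute` rules stay active until the next reboot or rule change, and testers will not see the new limit.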
> -- 
> 2.16.4

