Reviewed-by: Michael Tremer
> On 25 Sep 2019, at 16:06, peter.mueller(a)ipfire.org wrote:
>
> Having raised the overall log rate limit to 10 packet per second
> in Core Update 136, this did not affected rules generated by the
> user. In order to stay consistent, this patch also raises log rate
> limit for these.
>
> In order to avoid side effects on firewalls with slow disks, it
> was probably better touch these categories separately, so testing
> users won't be DoSsed instantly. :-)
Well, I am not sure if that was a good strategy in the end.
> Signed-off-by: Peter Müller
> ---
> config/firewall/firewall-policy | 16 ++++++++--------
> config/firewall/rules.pl | 6 +++---
> config/rootfiles/core/137/filelists/files | 2 ++
> 3 files changed, 13 insertions(+), 11 deletions(-)
>
> diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
> index 078c3c515..21165e933 100755
> --- a/config/firewall/firewall-policy
> +++ b/config/firewall/firewall-policy
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2013 Alexander Marx #
> +# Copyright (C) 2007-2019 IPFire Team #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -100,13 +100,13 @@ esac
> case "${FWPOLICY2}" in
> REJECT)
> if [ "${DROPINPUT}" = "on" ]; then
> - iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
> + iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "REJECT_INPUT "
> fi
> iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
> ;;
> *) # DROP
> if [ "${DROPINPUT}" = "on" ]; then
> - iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
> + iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "DROP_INPUT "
> fi
> iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
> ;;
> @@ -118,13 +118,13 @@ case "${POLICY}" in
> case "${FWPOLICY}" in
> REJECT)
> if [ "${DROPFORWARD}" = "on" ]; then
> - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
> + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "REJECT_FORWARD "
> fi
> iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
> ;;
> *) # DROP
> if [ "${DROPFORWARD}" = "on" ]; then
> - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
> + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
> fi
> iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
> ;;
> @@ -160,7 +160,7 @@ case "${POLICY}" in
> fi
>
> if [ "${DROPFORWARD}" = "on" ]; then
> - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
> + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
> fi
> iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
> ;;
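Review bot: The new `--limit 10/second` LOG rules in POLICYIN (and likewise in the two POLICYFWD hunks below) still rely on the limit module's default burst of 5, while the user-rule path in rules.pl from this same patch passes `--limit-burst 20`, so the two code paths are not actually consistent after this change; make the burst explicit, e.g. `iptables -A POLICYIN -m limit --limit 10/second --limit-burst 20 -j LOG --log-prefix "DROP_INPUT "`. Note also that `-m limit` is a single token bucket per rule, not per source, so one host flooding the policy chain consumes the whole budget and suppresses log lines for every other dropped connection, which lets a scanner hide behind noise; if per-source fairness is wanted here, `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 10/second --hashlimit-name policy_in` caps each address separately (assuming the hashlimit match is available in the shipped xtables). Going from 10/minute to 10/second raises the sustained worst case to roughly 864,000 log lines per day per chain, which deserves a one-line comment above these rules given the slow-disk concern in the commit message.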
> @@ -172,13 +172,13 @@ case "${POLICY1}" in
> case "${FWPOLICY1}" in
> REJECT)
> if [ "${DROPOUTGOING}" = "on" ]; then
> - iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
> + iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "REJECT_OUTPUT "
> fi
> iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
> ;;
> *) # DROP
> if [ "${DROPOUTGOING}" == "on" ]; then
> - iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
> + iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "DROP_OUTPUT "
> fi
> iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
> ;;
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 78e3e1e91..86db47367 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2013 Alexander Marx #
> +# Copyright (C) 2007-2019 IPFire Team #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -804,8 +804,8 @@ sub make_log_limit_options {
> # Maybe we should get this from the configuration.
> my $limit = 10;
>
> - # We limit log messages to $limit messages per minute.
> - push(@options, ("--limit", "$limit/min"));
> + # We limit log messages to $limit messages per second.
> + push(@options, ("--limit", "$limit/second"));
>
> # And we allow bursts of 2x $limit.
> push(@options, ("--limit-burst", $limit * 2));
> diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files
> index ce4e51768..04b6c42ff 100644
> --- a/config/rootfiles/core/137/filelists/files
> +++ b/config/rootfiles/core/137/filelists/files
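Review bot: In `make_log_limit_options` the rate is the hard-coded `my $limit = 10;` pushed as `"$limit/second"`, which now duplicates the literal `10/second` written into the POLICYIN/POLICYFWD/POLICYOUT LOG rules in firewall-policy, so the two places must be kept in sync by hand; the existing `# Maybe we should get this from the configuration.` comment should at least name that coupling, e.g. `# NOTE: must match the --limit/--limit-burst used for the policy chains in firewall-policy.` The generated options also give each user rule a single per-rule bucket (`--limit` plus `--limit-burst 20`), so one flooding source can exhaust the logging budget of that rule for all other sources; a per-source cap via the hashlimit match is the alternative if that matters for user rules. The sub begins before the hunk (only its name appears in the hunk header) and continues after it, so how `@options` is returned is not visible here.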
> @@ -1,4 +1,6 @@
> etc/system-release
> etc/issue
> srv/web/ipfire/cgi-bin/credits.cgi
> +usr/lib/firewall/rules.pl
> +usr/sbin/firewall-policy
> var/ipfire/langs
> --
> 2.16.4
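Review bot: The filelist adds `usr/lib/firewall/rules.pl` and `usr/sbin/firewall-policy` to Core Update 137, but shipping the scripts does not change the ruleset already loaded in the kernel; the new 10/second limits only take effect once the firewall is reloaded (e.g. `/etc/init.d/firewall restart` in the update's update.sh), which is outside this patch. Presumably the core update script already does that, but it is worth confirming before merge, since otherwise the policy chains keep the 10/minute limit until the next reboot or rule change.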