From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Proposal: Drop iptables logging rate-limit
Date: Mon, 15 Jul 2019 11:29:23 +0100 [thread overview]
Message-ID: <AE9CB377-65A9-4934-905B-0A5A781D8E6C@ipfire.org> (raw)
In-Reply-To: <e86a3cba-8367-04ed-f9d3-1a0ca58515e9@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2399 bytes --]
Hi,
> On 14 Jul 2019, at 15:56, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello *,
>
> currently, the iptables configuration used in IPFire 2.x does not
> log _every_ packet if logging is enabled for whatever reason, but
> enforces a rate-limit:
>
>> iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
> (snip taken from /etc/init.d/firewall)
>
> For several reasons, I consider this a bad idea. (Forgive me for
> bringing up firewall issues in IPFire 2.x again. :-) )
IPFire 2 is still being actively maintained, so feel free to do so.
> First, this rate-limit is never mentioned in the firewall WebUI
> or our documentation, thus being unintentional for most users
> including me.
>
> Second, it makes debugging very hard - I recently spent several
> unpleasant days trying to fix a VoIP related network problem,
> until I got not every packet dropped by IPFire was actually logged.
> Especially for corner cases or non-deterministic issues, this
> behaviour makes this more difficult.
>
> Third, it is not compliant. Especially when it comes to post
> mortem forensics, firewall logs are important. If you cannot
> trust them since there is no way of telling whether a packet
> was dropped and not logged, or never seen by the firewall machine,
> its best to stop logging anything at all.
>
> I therefore propose to drop iptables logging rate-limit in our
> firewall configurations (which goes for IPFire 3.x as well).
> Since my systems to not run on problematic hardware (ARM SoCs
> with SD cards, crappy flash storage, etc.), I have no idea if
> this will cause issues on some systems/platforms.
>
> @All: Thoughts, please. Is anyone aware of potential trouble?
I generally agree with your points. I am not sure where the number is even coming from. We have carried this over from the beginning of IPFire without thinking about it again.
The motivation why this is there is probably that logging is an expensive operation and that you can use this as a DoS vector and fill up somebody’s hard drive just by sending packets. Logs will grow a lot faster after making this change and maybe we want to have a backstop for this?
-Michael
> If not, I will send in a patch within this week.
>
> Thanks, and best regards,
> Peter Müller
> --
> The road to Hades is easy to travel.
> -- Bion of Borysthenes
next prev parent reply other threads:[~2019-07-15 10:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-14 14:56 Peter Müller
2019-07-15 10:29 ` Michael Tremer [this message]
2019-07-18 18:23 ` Tim FitzGeorge
2019-07-29 20:00 ` [PATCH] firewall: raise log rate limit to 10 packets per second Peter Müller
2019-07-29 20:40 ` Horace Michael
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AE9CB377-65A9-4934-905B-0A5A781D8E6C@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox