&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);
+my @log_limit_options = &make_log_limit_options();
+
# MAIN
&main();
# Collect all destinations.
my @destinations = &get_addresses($hash, $key, "tgt");
- my $time_constraints = "";
-
# Check if logging should be enabled.
my $LOG = ($$hash{$key}[17] eq 'ON');
# Add time constraint options.
push(@options, @time_options);
+ my $firewall_is_in_source_subnet = 0;
+ if ($source) {
+ $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
+ }
+
# Process NAT rules.
if ($NAT) {
my $nat_address = &get_nat_address($$hash{$key}[29]);
}
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j LOG --log-prefix 'DNAT'");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
}
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT --to-destination $dnat_address");
push(@nat_options, @destination_options);
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j LOG --log-prefix 'SNAT'");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
}
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
}
}
push(@options, @source_options);
+
+ if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ }
+
push(@options, @destination_options);
# Insert firewall rule.
if ($LOG && !$NAT) {
- run("$IPTABLES -A $chain @options -j LOG");
+ run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
}
run("$IPTABLES -A $chain @options -j $target");
}
run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
}
}
+
+sub make_log_limit_options {
+ my @options = ("-m", "limit");
+
+ # Maybe we should get this from the configuration.
+ my $limit = 10;
+
+ # We limit log messages to $limit messages per minute.
+ push(@options, ("--limit", "$limit/min"));
+
+ # And we allow bursts of 2x $limit.
+ push(@options, ("--limit-burst", $limit * 2));
+
+ return @options;
+}
+
+sub firewall_is_in_subnet {
+ my $subnet = shift;
+
+ my ($net_address, $net_mask) = split("/", $subnet);
+ if (!$net_mask) {
+ return 0;
+ }
+
+ # ORANGE is missing here, because nothing may ever access
+ # the firewall from this network.
+ foreach my $zone ("GREEN", "BLUE") {
+ next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
+
+ my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+
+ if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
projects / people / teissler / ipfire-2.x.git / blobdiff