From: Peter Müller <peter.mueller@ipfire.org>
Date: Mon, 29 Jul 2019 20:00:00 +0000 (+0000)
Subject: firewall: raise log rate limit to 10 packets per second
X-Git-Tag: v2.23-core136~7^2~65
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ee3a135527707f60baa948e35b78187787bc9f7;p=ipfire-2.x.git

firewall: raise log rate limit to 10 packets per second

Previous setting was to log 10 packets per minute for each
event logging is turned on. This made debugging much harder,
as the limit was rather strict and chances of dropping a
packet without logging it were good.

This patch changes the log rate limit to 10 packets per
second per event, to avoid DoS attacks against the log file.
I plan to drop log rate limit entirely in future changes,
if a better solution for this attack vector is available.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
---

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b3483a7440..ec396c708c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -34,20 +34,20 @@ iptables_init() {
 
 	# Empty LOG_DROP and LOG_REJECT chains
 	iptables -N LOG_DROP
-	iptables -A LOG_DROP   -m limit --limit 10/minute -j LOG
+	iptables -A LOG_DROP   -m limit --limit 10/second -j LOG
 	iptables -A LOG_DROP   -j DROP
 	iptables -N LOG_REJECT
-	iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
+	iptables -A LOG_REJECT -m limit --limit 10/second -j LOG
 	iptables -A LOG_REJECT -j REJECT
 
 	# This chain will log, then DROPs packets with certain bad combinations
 	# of flags might indicate a port-scan attempt (xmas, null, etc)
 	iptables -N PSCAN
 	if [ "$DROPPORTSCAN" == "on" ]; then
-		iptables -A PSCAN -p tcp  -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
-		iptables -A PSCAN -p udp  -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
-		iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
-		iptables -A PSCAN -f      -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
+		iptables -A PSCAN -p tcp  -m limit --limit 10/second -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
+		iptables -A PSCAN -p udp  -m limit --limit 10/second -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
+		iptables -A PSCAN -p icmp -m limit --limit 10/second -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
+		iptables -A PSCAN -f      -m limit --limit 10/second -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
 	fi
 	iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
 
@@ -55,7 +55,7 @@ iptables_init() {
 	# that's not covered above, may just be a broken windows machine
 	iptables -N NEWNOTSYN
 	if [ "$DROPNEWNOTSYN" == "on" ]; then
-		iptables -A NEWNOTSYN  -m limit --limit 10/minute -j LOG  --log-prefix "DROP_NEWNOTSYN "
+		iptables -A NEWNOTSYN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_NEWNOTSYN "
 	fi
 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"