firewall: raise log rate limit for user generated rules, too
authorpeter.mueller@ipfire.org <peter.mueller@ipfire.org>
Wed, 25 Sep 2019 15:06:00 +0000 (15:06 +0000)
committerArne Fitzenreiter <arne_f@ipfire.org>
Tue, 8 Oct 2019 18:30:31 +0000 (18:30 +0000)
Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises the log
rate limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
config/firewall/firewall-policy
config/firewall/rules.pl
config/rootfiles/core/137/filelists/files

index 078c3c515c31f1f385a2159f83fb5c6c52f5e89f..21165e9338dc9693a0b2220d9b81dc852d342d59 100755 (executable)
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
+# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -100,13 +100,13 @@ esac
 case "${FWPOLICY2}" in
        REJECT)
                if [ "${DROPINPUT}" = "on" ]; then
-                       iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
+                       iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "REJECT_INPUT "
                fi
                iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
                ;;
        *) # DROP
                if [ "${DROPINPUT}" = "on" ]; then
-                       iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+                       iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "DROP_INPUT "
                fi
                iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
                ;;
@@ -118,13 +118,13 @@ case "${POLICY}" in
                case "${FWPOLICY}" in
                        REJECT)
                                if [ "${DROPFORWARD}" = "on" ]; then
-                                       iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
+                                       iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "REJECT_FORWARD "
                                fi
                                iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
                                ;;
                        *) # DROP
                                if [ "${DROPFORWARD}" = "on" ]; then
-                                       iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+                                       iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
                                fi
                                iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
                                ;;
@@ -160,7 +160,7 @@ case "${POLICY}" in
                fi
 
                if [ "${DROPFORWARD}" = "on" ]; then
-                       iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+                       iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
                fi
                iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
                ;;
@@ -172,13 +172,13 @@ case "${POLICY1}" in
                case "${FWPOLICY1}" in
                        REJECT)
                                if [ "${DROPOUTGOING}" = "on" ]; then
-                                       iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
+                                       iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "REJECT_OUTPUT "
                                fi
                                iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
                                ;;
                        *) # DROP
                                if [ "${DROPOUTGOING}" == "on" ]; then
-                                       iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+                                       iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "DROP_OUTPUT "
                                fi
                                iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
                                ;;
index 78e3e1e9175db7704c797c14bf2a8793da397e96..86db47367a31ee4823b81650b1a101a4caded5ed 100644 (file)
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
+# Copyright (C) 2007-2019  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -804,8 +804,8 @@ sub make_log_limit_options {
        # Maybe we should get this from the configuration.
        my $limit = 10;
 
-       # We limit log messages to $limit messages per minute.
-       push(@options, ("--limit", "$limit/min"));
+       # We limit log messages to $limit messages per second.
+       push(@options, ("--limit", "$limit/second"));
 
        # And we allow bursts of 2x $limit.
        push(@options, ("--limit-burst", $limit * 2));
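Review bot: The rewritten `push(@options, ("--limit", "$limit/second"));` keeps the inner list parentheses, which are a no-op in Perl and make the call harder to read; `push @options, '--limit', "$limit/second";` is equivalent, and the burst line could match it as `push @options, '--limit-burst', $limit * 2;`. The `my $limit = 10;` comment just above the hunk no longer says what unit the number is in now that the rate moved from per minute to per second; I would make it `# Maximum number of log messages per second (bursts up to 2x). Maybe we should get this from the configuration.` The same constant 10 is hard-coded again in firewall-policy in this commit, so a reader changing one will not find the other without this hint. `make_log_limit_options` begins before and ends after this hunk.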
index f1e7487a099a57ed4fd0e7f018ee9adfcbedc400..3a2a10a20e3dca378b9adc4060b89833a1fbdaf0 100644 (file)
@@ -1,6 +1,8 @@
 etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/credits.cgi
+usr/lib/firewall/rules.pl
+usr/sbin/firewall-policy
 var/ipfire/langs
 etc/logrotate.conf
 srv/web/ipfire/cgi-bin/ovpnmain.cgi