Pieter Donche wrote:
- I hope I can protect all 'loc' and 'serv' systems through changes in the shorewall rules? (I mean, not just protecting only the firewall itself)
Yes.
I understand limiting per-IP connection rate can be done via the 'Limit' action (http://shorewall.net/Actions.html). Some of the rules in my /etc/shorewall/rules are:

ACCEPT loc $FW tcp 22
ACCEPT serv $FW tcp 22
ACCEPT net serv tcp 22
ACCEPT net $SSH_LOC tcp 22

(SSH_LOC is a parameter defined in my /etc/shorewall/params file, listing all the IP addresses of machines behind my firewall which have sshd running and want their machine to be accessible via SSH)

- Is it sufficient to just add (e.g. for the 3rd line)

Limit:info:SSHA,3,60 net serv tcp 22

and similar lines for the other cases (and no need for separate files with specifications to create in e.g. /etc/shorewall) and restart shorewall?
You should replace the third line with that new rule. You probably also want to replace the fourth rule as well.
- I do not understand well what the 'set name' means (the SSHA) ...
It is the name of a set of counters and is only meaningful if you have more than one Limit rule. Limit rules that share the same set name share the same set of counters.
- Neither in my /etc/shorewall nor in my /etc/share/shorewall directory do I find an action.Limit or Limit file. Is this normal?
Yes. Limit has been a built-in action for many releases now.
- In the log I hope there will be only entries when there occur more than 3 SSH connections from the same IP in a 60 seconds timeframe, and not for every SSH connection, is that right?
Yes.
- In case the seeker of access is a normal person, just not very well remembering his password, will he get some warning that he will have to wait for about a minute after 3 tries?
No. This is implemented at the IP level. If the limit is exceeded, the firewall will just ignore that person's attempts to connect.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
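The behaviour Tom describes (three new connections per source IP per 60 seconds, excess attempts dropped at the IP level with no reply, log entries only for the excess attempts, and rules with the same set name sharing one set of counters) can be seen in a small simulation. This is an added example, not code from the thread or from Shorewall itself: it models the Limit rule as a sliding window over accepted connections and does not reproduce the exact iptables 'recent' match rules Shorewall generates; the two rules, the addresses and the timings are constructed for illustration.

```python
"""Simplified model of Shorewall's per-IP Limit action, e.g.
Limit:info:SSHA,3,60: at most 3 new connections per source IP per 60 s.

Added example, not Shorewall's own code. It reproduces the behaviour the
thread describes (excess attempts silently dropped, only excess attempts
logged, rules sharing a set name sharing counters) and assumes a plain
sliding window over accepted connections; the real iptables 'recent'
rules Shorewall generates are not modelled."""
from collections import defaultdict, deque


class LimitSets:
    """Named counter sets; every Limit rule with the same set name shares one."""

    def __init__(self):
        # set name -> (source ip -> timestamps of accepted connections)
        self.sets = defaultdict(lambda: defaultdict(deque))
        self.log = []

    def rule(self, name, rate, seconds):
        return LimitRule(self, name, rate, seconds)


class LimitRule:
    def __init__(self, sets, name, rate, seconds):
        self.sets, self.name, self.rate, self.seconds = sets, name, rate, seconds

    def check(self, src, now):
        """Return 'ACCEPT' or 'DROP' for a new connection from src at time now."""
        q = self.sets.sets[self.name][src]
        # Expire accepted connections that have left the sliding window.
        while q and now - q[0] >= self.seconds:
            q.popleft()
        if len(q) >= self.rate:
            # Over the limit: one log entry per excess attempt, then drop.
            # The client gets no warning; the packet is simply ignored.
            self.sets.log.append(
                f"Shorewall:{self.name}:DROP SRC={src} DPT=22 t={now}")
            return "DROP"
        q.append(now)
        return "ACCEPT"


def simulate():
    """Run constructed SSH connection attempts through two Limit rules that
    share the set name SSHA, as the thread proposes for net->serv and
    net->$SSH_LOC. Addresses and timings are illustrative placeholders."""
    sets = LimitSets()
    net_serv = sets.rule("SSHA", 3, 60)     # Limit:info:SSHA,3,60 net serv tcp 22
    net_ssh_loc = sets.rule("SSHA", 3, 60)  # Limit:info:SSHA,3,60 net $SSH_LOC tcp 22
    attempts = [
        (0, "203.0.113.9", net_serv),
        (5, "203.0.113.9", net_serv),
        (10, "203.0.113.9", net_ssh_loc),   # counts against the same SSHA set
        (15, "203.0.113.9", net_serv),      # 4th within 60 s: dropped and logged
        (30, "198.51.100.7", net_serv),     # other source, its own counters
        (45, "203.0.113.9", net_ssh_loc),   # still within the window: dropped
        (61, "203.0.113.9", net_serv),      # t=0 entry expired: accepted again
    ]
    decisions = [rule.check(src, t) for t, src, rule in attempts]
    return decisions, sets.log


if __name__ == "__main__":
    decisions, log = simulate()
    for d in decisions:
        print(d)
    for line in log:
        print(line)
```

Running it shows three accepts, a drop, an accept for the unrelated source, a second drop, and an accept once the oldest entry has aged out of the 60 second window; the log contains exactly the two dropped attempts, which is why a legitimate user who mistypes a password three times simply sees the connection hang rather than an error message.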
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
