ericdes wrote:
> I have this rule in place:
> --------------------------------------
> DNAT net dmz:10.0.0.7 tcp 80,443
> - 94.23.242.44
> --------------------------------------
>
> When I change this policy:
> --------------------------------------
> net dmz DROP
> --------------------------------------
>
> to:
> --------------------------------------
> net dmz DROP info 8/sec:30
> --------------------------------------
>
> I see some drops in the logs, which results in some timeouts. Although
> most of the traffic from 94.23.242.44 is well redirected to 10.0.0.7.
> --------------------------------------
> Jan 20 19:24:29 ks309069 kernel: Shorewall:net2dmz:DROP:IN=eth0
> OUT=vmbr0 SRC=74.127.214.2 DST=10.0.0.7 LEN=52 TOS=0x00 PREC=0x00
> TTL=244 ID=7235 DF PROTO=TCP SPT=49967 DPT=80 WINDOW=32768 RES=0x00 SYN
> URGP=0
> Jan 20 19:24:40 ks309069 kernel: Shorewall:net2dmz:DROP:IN=eth0
> OUT=vmbr0 SRC=90.26.201.69 DST=10.0.0.7 LEN=48 TOS=0x00 PREC=0x00
> TTL=115 ID=18626 DF PROTO=TCP SPT=61468 DPT=80 WINDOW=8192 RES=0x00 SYN
> URGP=0
> --------------------------------------
>
> Isn't the rule sufficient to forward all http/https requests to
> 94.23.242.44 to be redirected to the virtual server at 10.0.0.7?

The policy RATE/LIMIT applies to ALL traffic from net->dmz, including
the redirected traffic; when you limit that traffic, some of it may get
dropped.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
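
Added example, not part of the original thread and not Shorewall's code: it parses one of the logged drops to show it is a SYN for the DNAT target 10.0.0.7:80 in the net2dmz chain, then runs a simplified token-bucket model of the 8/sec:30 limit. The bucket arithmetic is an assumed model of a rate:burst limit and the arrival times are constructed.

```python
import re

# Drop entry copied from the post above.
LOG = ("Jan 20 19:24:29 ks309069 kernel: Shorewall:net2dmz:DROP:IN=eth0 "
       "OUT=vmbr0 SRC=74.127.214.2 DST=10.0.0.7 LEN=52 TOS=0x00 PREC=0x00 "
       "TTL=244 ID=7235 DF PROTO=TCP SPT=49967 DPT=80 WINDOW=32768 RES=0x00 "
       "SYN URGP=0")

def parse_drop(line):
    """Split a Shorewall kernel log line into chain, disposition, fields, flags."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)", line)
    if not m:
        return None
    chain, disposition, rest = m.groups()
    tokens = rest.split()
    return {
        "chain": chain,
        "disposition": disposition,
        "fields": dict(t.split("=", 1) for t in tokens if "=" in t),
        "flags": {t for t in tokens if "=" not in t},  # e.g. DF, SYN
    }

def simulate(arrivals_ms, rate_per_sec=8, burst=30):
    """Assumed token-bucket model of a rate:burst limit (integer milli-tokens)."""
    cost = 1000                      # one packet costs one token
    cap = burst * cost               # bucket starts full at `burst` tokens
    credit, last, verdicts = cap, None, []
    for t in arrivals_ms:
        if last is not None:         # refill: rate_per_sec tokens per 1000 ms
            credit = min(cap, credit + (t - last) * rate_per_sec)
        last = t
        if credit >= cost:
            credit -= cost
            verdicts.append("pass")
        else:
            verdicts.append("DROP")
    return verdicts

if __name__ == "__main__":
    entry = parse_drop(LOG)
    print(entry["chain"], entry["fields"]["DST"], entry["fields"]["DPT"], entry["flags"])
    # Constructed load: 100 new connections, one every 20 ms (50/sec).
    busy = simulate([i * 20 for i in range(100)])
    # Constructed load: 100 new connections, one every 200 ms (5/sec).
    quiet = simulate([i * 200 for i in range(100)])
    print("50/sec:", busy.count("DROP"), "dropped, first at packet", busy.index("DROP"))
    print("5/sec: ", quiet.count("DROP"), "dropped")
```

In this model a steady load under the configured rate never drops, while a burst exhausts the 30-token allowance and most later packets are dropped until the rate falls again.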
