Tom:

On 2/14/2010 12:19 PM, Tom Eastep wrote:

>> I've looked through the help files and examples, but they seem to apply
>> to ACCEPT rules, not DROP rules. Is there a way to extend log limiting
>> to DROP also?
>
> /etc/shorewall/actions:
>
> LogLimit
>
> /etc/shorewall/action.LogLimit:
>
> #TARGET               SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
> #                                     PORT    PORT(S) LIMIT   GROUP
> LOG:info      -       -       -       -       -       1/hour:1
> DROP
>
> /etc/shorewall/rules:
>
> LogLimit      net     fw      udp     59695

Worked like a charm. Thank you. But what I really wanted was to get a 
log message from each IP address that tried to connect to UDP port 
59695, but limited to one log entry per IP per hour. So I tried the 
following (based on Limit):

/etc/shorewall/actions:

LogLimit2

/etc/shorewall/action.LogLimit2:

*empty*

/etc/shorewall/LogLimit2:

use Shorewall::Chains;

my @tag = split /,/, $tag;

fatal_error 'Limit rules must include <list name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
    unless @tag == 3;

my $list = $tag[0];

for ( @tag[1,2] ) {
    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
}

# one more than the allowed number of logged hits per interval
my $count = $tag[1] + 1;

# record every packet from this source in the recent list
add_rule $chainref, "-m recent --name $list --set";

if ( $level ) {
    # drop silently once the source has already used up its log budget
    add_rule $chainref,  "-m recent --name $list --update --seconds $tag[2] --hitcount $count -j DROP";
    log_rule_limit $level, $chainref, $tag[0], 'DROP', '', '', 'add', '';
} else {
    add_rule $chainref, "-m recent --update --name $list --seconds $tag[2] --hitcount $count -j DROP";
}

add_rule $chainref, '-j DROP';

1;

/etc/shorewall/rules:

LogLimit2:info:LOG,1,3600 net fw udp 59695

It all seems to work fine. Thank you for sending me down the right 
track. I appreciate the help.
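As an added illustration (not part of the thread above, and not Shorewall's own code): a small Python model of the rule sequence the LogLimit2 action emits (`--set`, then `--update --seconds S --hitcount MAX+1 -j DROP`, then LOG, then DROP), so the one-log-per-source-per-interval behaviour can be checked offline. The window and timestamp handling follow the xt_recent semantics as I understand them (stamps newer than S seconds count, a matching `--update` adds a stamp, and at most 20 stamps are kept per address); the event list is constructed.

```python
# Added example (not from the thread or from Shorewall): a model of the
# iptables 'recent' match sequence that the LogLimit2 action emits,
#
#   -m recent --name LIST --set
#   -m recent --name LIST --update --seconds S --hitcount MAX+1 -j DROP
#   LOG
#   DROP
#
# used to check, offline, that each source gets MAX log lines per S-second
# window and is dropped silently after that.  Stamp handling follows my
# reading of xt_recent; the event data below is constructed.
from collections import defaultdict, deque


class RecentList:
    """In-memory stand-in for one /proc/net/xt_recent/<name> table."""

    def __init__(self, name, pkt_list_tot=20):
        self.name = name
        # per-source timestamps, oldest first; xt_recent keeps the last
        # ip_pkt_list_tot stamps per address (default 20)
        self.stamps = defaultdict(deque)
        self.pkt_list_tot = pkt_list_tot

    def _stamp(self, src, now):
        q = self.stamps[src]
        q.append(now)
        while len(q) > self.pkt_list_tot:
            q.popleft()

    def set(self, src, now):
        """--set: add the source (or refresh it) and record a new timestamp."""
        self._stamp(src, now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if the source is listed and
        has at least N stamps newer than S seconds; a match also adds a stamp."""
        q = self.stamps.get(src)
        if not q:
            return False
        hits = sum(1 for t in q if now - t < seconds)
        if hits < hitcount:
            return False
        self._stamp(src, now)
        return True


def run_loglimit2(events, max_log=1, interval=3600, list_name="LOG"):
    """Push (time, src) events through the rule sequence and return the
    events that reached the LOG rule.  Every event is dropped either way."""
    table = RecentList(list_name)
    hitcount = max_log + 1          # the action's  $count = $tag[1] + 1
    logged = []
    for now, src in events:
        table.set(src, now)
        if table.update(src, now, interval, hitcount):
            continue                # silent DROP: source is over its log budget
        logged.append((now, src))   # LOG rule fires
        # the final '-j DROP' would fall through here
    return logged


# Constructed sample: two sources probing UDP/59695, times in seconds.
EVENTS = [
    (0, "198.51.100.7"), (5, "198.51.100.7"), (10, "203.0.113.9"),
    (60, "198.51.100.7"), (3700, "198.51.100.7"), (3705, "203.0.113.9"),
]

if __name__ == "__main__":
    # with the rule  LogLimit2:info:LOG,1,3600  each source is logged once
    # per hour; the repeats at t=5 and t=60 are dropped without a log line
    for t, src in run_loglimit2(EVENTS):
        print(f"t={t:>5}s  LOG  src={src}")
```

Running it prints four log lines: each address once at first contact and once again after the hour has elapsed. Changing `max_log` shows why the action adds one to the tag value: `--hitcount` counts the packet that `--set` has just recorded, so a hitcount of MAX+1 lets exactly MAX packets per window reach the LOG rule.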

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
