Brian Schang wrote:
> Tom:
>
> On 2/16/2010 12:30 PM, Tom Eastep wrote:
>>>> While using the 'limit' match worked fine, becoming IP-specific with
>>>> 'hashlimit' has not been working. More specifically, there seems to be no
>>>> limiting occurring. The same source IP addresses show up in the logs on
>>>> essentially every connection.
>>>>
>>>> I have attached my 'shorewall dump' output. I read through the file and
>>>> have reviewed my configuration files and I don't understand what could
>>>> be going wrong. Any insight would be appreciated.
>>>>
>>> I have none. Let's wait to see if your query on the Netfilter list bears
>>> fruit. If not, I would send it to netfilter-devel; when you do that, be
>>> sure to mention your kernel version.
>>
>> I think that I've figured this out. The default expiration time for idle
>> entries is 10 seconds. So, very infrequent packets from a given IP
>> address will always match when the rate is low.
>
> All right. So, if I understand correctly, limiting to an average rate
> of once per hour or once per day needs to be combined with overriding
> the default expiration time? Actually, any time that a packet would come
> in at a rate of less than once every ten seconds, the expiration time
> should be changed from the default?
>
> Thank you for helping me figure this out. Having experts like yourself
> willing to help and explain makes learning a lot of fun.
>
I've done some experiments and, unfortunately, setting --hashlimit-htable-expire to 1 hour does not change anything; the hashtable entries still expire in 10 seconds :-(

I don't have much time to mess with this, so if you want to play with it, feel free.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
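The exchange above turns on one detail of the hashlimit match: an idle per-source entry is dropped from the hash table after --hashlimit-htable-expire, and a packet that arrives after that creates a fresh entry with a full burst, so it matches again. For any rate slower than one packet per expiry window, the rule therefore never limits. The following script is an added example, not code from the thread or from the Shorewall project: it derives the expiry (the option takes milliseconds, so one hour is 3600000, not 3600) from a human-readable rate and prints the corresponding raw iptables LOG rule rather than applying it. The chain, port, rule name and log prefix are placeholders chosen for the example. Tom reports above that in his test a one-hour expiry did not change the observed behaviour, so the script shows the rule form and the arithmetic a practitioner should start from, not a confirmed fix for that kernel.

```shell
#!/bin/sh
# Added example (not from the thread): size --hashlimit-htable-expire so that
# an idle per-source entry outlives the interval between allowed packets.

# Convert a hashlimit rate "N/unit" (unit: second|minute|hour|day) into the
# interval between two allowed packets, in milliseconds, which is the unit
# --hashlimit-htable-expire expects.
hashlimit_period_ms() {
    rate=$1
    n=${rate%%/*}
    unit=${rate#*/}
    case "$unit" in
        second|sec) secs=1 ;;
        minute|min) secs=60 ;;
        hour)       secs=3600 ;;
        day)        secs=86400 ;;
        *) echo "unknown rate unit: $unit" >&2; return 1 ;;
    esac
    echo $(( secs * 1000 / n ))
}

# Print (do not apply) an iptables rule that logs NEW TCP connections to
# DPORT at most RATE times per source address. The hash table is named
# after NAME so two rules never share counters. Arguments are placeholders.
hashlimit_log_rule() {
    chain=$1; dport=$2; rate=$3; name=$4
    expire=$(hashlimit_period_ms "$rate") || return 1
    printf 'iptables -A %s -p tcp --dport %s -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto %s --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name %s --hashlimit-htable-expire %s -j LOG --log-prefix "%s: "\n' \
        "$chain" "$dport" "$rate" "$name" "$expire" "$name"
}

# Example: one log line per source per hour for new SSH connections.
hashlimit_log_rule INPUT 22 1/hour ssh_new
```

Check what the kernel actually loaded with `iptables -S INPUT` (or `cat /proc/net/ipt_hashlimit/ssh_new`, which lists live entries with their remaining expiry) rather than trusting the generator: if the listed expiry is still 10000 ms, the option did not take effect, which is the symptom Tom describes.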
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
