Again thanks for your reply Tom! I use version 4.4.8 so then I can choose
which rule to use I suppose.

I think I understand the differences between the options now, but I'm still
not sure what's the best choice when using the rules as DoS/DDoS prevention
(like in my earlier example). I think I'll go with the Limit action, since
this rule drops traffic directly when the limit is reached, as opposed to using
the RATE/LIMIT column, which allows the traffic to be checked against all other
rules before it gets dropped when it hits the policy for the specific zones
(which is configured to log and drop).

Sander


-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net] 
Sent: dinsdag 13 april 2010 15:49
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attacks on a specific port

S. J. van Harmelen wrote:
> When reading the 'man shorewall-rules' again I wonder if I can
> accomplish the same behavior with this single rule:
> 
> 
> #ACTION       SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL  RATE                  USER/   MARK
> #                                                     PORT(S) PORT(S) DEST      LIMIT                 GROUP
> HTTP(DNAT)    net     loc:192.168.1.160       -       -       -       -         s:HTTPACCESS:3/min:3
> 
> 
> It looks to me if this has the same effect as the two rules given
> below (if I understand the rules correctly). So could someone then
> tell me what the difference is (if any) between the two ways to
> achieve this effect?

The above rule is broken in Shorewall releases prior to 4.4.8. So I
don't recommend using it unless

> 
> And one last question... Both limiting rules work by counting the
> current connected TCP sessions right?

No.

The Limit action works by keeping track of how many connections were
made in the last period; if that is greater than the limit, then the
connection is optionally logged then dropped; otherwise, the connection
is accepted.

Using per-IP limiting in the RATE/LIMIT column as shown above involves a
token bucket (http://en.wikipedia.org/wiki/Token_bucket). If the source
IP has a token, then the connection is allowed and the IP has one fewer
tokens; otherwise, the connection is passed to the next applicable rule.
See http://www.shorewall.net/configuration_file_basics.htm#RateLimit.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
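Tom's explanation above, as an added simulation that is not Shorewall's own code: a simplified model of the Limit action's "connections in the last period" count next to the RATE/LIMIT column's per-source token bucket, using the 3/min:3 values from the quoted rule and a constructed sequence of connection times from a single source. The underlying iptables recent/hashlimit matches are approximated, not reproduced.

```python
"""Simplified model of the two Shorewall rate-limiting mechanisms.
Added example, not Shorewall code: the iptables matches behind the Limit
action and the RATE/LIMIT column are approximated; timestamps are constructed."""
from collections import deque

LIMIT, PERIOD = 3, 60.0          # the "3/min:3" values from the quoted rule


def limit_action(events, limit=LIMIT, period=PERIOD):
    """Limit action: count connections this source made in the last
    `period` seconds; once `limit` have been seen, the new one is dropped."""
    window, verdicts = deque(), []
    for t in events:
        while window and t - window[0] >= period:   # forget old connections
            window.popleft()
        if len(window) >= limit:
            verdicts.append("DROP")                  # dropped right here
        else:
            window.append(t)
            verdicts.append("ACCEPT")
    return verdicts


def rate_limit_column(events, rate=LIMIT, burst=LIMIT, period=PERIOD):
    """RATE/LIMIT column (s:name:3/min:3): per-source token bucket refilled
    at `rate` tokens per `period`, holding at most `burst` tokens.  Without
    a token the connection is NOT dropped here; it goes to the next rule."""
    tokens, last, verdicts = float(burst), events[0], []
    for t in events:
        tokens = min(burst, tokens + (t - last) * rate / period)  # refill
        last = t
        if tokens >= 1:
            tokens -= 1
            verdicts.append("ACCEPT")
        else:
            verdicts.append("NEXT_RULE")             # falls through to policy
    return verdicts


# Constructed input: five attempts from one IP within 10 s, one more 30 s later
EVENTS = [0.0, 2.0, 4.0, 6.0, 8.0, 38.0]

if __name__ == "__main__":
    for name, fn in (("Limit action", limit_action),
                     ("RATE/LIMIT", rate_limit_column)):
        print(f"{name:13}: {fn(EVENTS)}")
```

The sixth attempt shows the difference Tom describes: the Limit action still sees three connections in the last minute and drops it, while the token bucket has refilled and accepts it.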

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
