On 4/30/12 12:09 PM, Pau Beltrán wrote:
> Sorry Tom, I sent you the dump without testing before. Now I attach a
> dump with previous testing connecting from 192.168.1.4 to port 80 with
> a new discover...
>
> I realized, playing with the shorewall show nat, that the number of
> packets of the counter matches with what the limit is supposed to do,
> it looks like the limit is working. The strange thing is that the
> requested HTTP page that I'm connecting to is updated every time. I
> press F5 at a higher rate, giving me a different timestamp on every
> request. A different timestamp shows me that cache is not acting and
> the request reaches its destination (192.168.2.2). In other words, I
> press F5, I get a fresh page in response but "shorewall show nat"
> counters remain at the same value. I wait a few seconds, hit F5
> again, get a fresh page and the counter is increased.
>
> It seems that the rate-limit works cutting the DNAT rule (as the
> counter shows), but the request reaches its destination anyway. I
> can't understand why... I put the "public" ip of the firewall in the
> browser (192.168.1.135). Only a DNAT rule can take me to 192.168.2.2.

Your browser doesn't close the connection immediately. So hitting F5
doesn't necessarily create a new connection. Remember that rate-limiting
only affects *new connections*.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
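
A simplified model of the behaviour described in the reply above, added here as an example that is not part of the original thread and is not Netfilter or Shorewall code: the rate-limited DNAT rule is evaluated only for the first packet of a connection, so page reloads over a kept-alive connection are delivered without the rule counter moving. The limit (one new connection per five seconds, burst 1), the connection ids and all class and function names are assumptions made for illustration.

```python
# Simplified model (added example, not Netfilter/Shorewall code): the nat rule
# is consulted only for the first packet of a connection; later packets follow
# the connection-tracking entry. Limit values are constructed for illustration.

class DnatWithLimit:
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0
        self.rule_hits = 0        # stands in for the "shorewall show nat" counter
        self.conntrack = set()    # connections that were already translated

    def _limit_ok(self, now):
        # Token bucket: refill by elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def packet(self, conn_id, now):
        """Return True if the packet is delivered to the DNAT destination."""
        if conn_id in self.conntrack:   # existing connection: rule not evaluated
            return True
        if self._limit_ok(now):         # new connection within the limit
            self.rule_hits += 1
            self.conntrack.add(conn_id)
            return True
        return False                    # new connection over the limit: no DNAT


def keep_alive_refreshes(n, interval):
    """n page loads over one persistent connection (browser keep-alive)."""
    fw = DnatWithLimit(rate_per_sec=0.2, burst=1)
    served = sum(fw.packet("conn-1", i * interval) for i in range(n))
    return served, fw.rule_hits


def fresh_connection_refreshes(n, interval):
    """n page loads, each on a brand-new connection (no keep-alive)."""
    fw = DnatWithLimit(rate_per_sec=0.2, burst=1)
    served = sum(fw.packet(f"conn-{i}", i * interval) for i in range(n))
    return served, fw.rule_hits


if __name__ == "__main__":
    print("keep-alive, 10 reloads 0.5s apart:", keep_alive_refreshes(10, 0.5))
    print("new connection per reload, 0.5s apart:", fresh_connection_refreshes(10, 0.5))
    print("new connection per reload, 10s apart:", fresh_connection_refreshes(3, 10.0))
```

Each function returns a pair: the number of page loads delivered and the number of rule hits.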
