Hi,

I have created a very basic shorewall configuration with only one rule for
rate limiting outgoing ICMP port unreachable packets.

However when I look at the rules created I can see an extra rate limiting
rule like this:

Chain @net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
28114 1646K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 50
 3168  190K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

I trust that Shorewall does the right thing, and although I didn't ask for
this particular rate limiting I am guessing that this shouldn't be causing
any problems.

But my colleagues are requiring an explanation and claim that this is
affecting normal traffic.

My suspicion is that this comes from the 'tcpflags' setting in interfaces
and that it's rate limiting incoming invalid packets?

interfaces:
net eth0 detect tcpflags,nosmurfs,arp_filter,arp_ignore=1,routefilter

zones:
fw      firewall
net ipv4 - - -

policy:
$FW $FW ACCEPT - -
$FW net ACCEPT - -
net $FW ACCEPT - 10/sec:50

rules:
ACCEPT fw all icmp port-unreachable - - 100/sec:5 -
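As an added example (not part of the post, and not Shorewall's own code): a small script that parses the `iptables -nvL` chain output quoted above, finds the limit-matched RETURN followed by an unconditional DROP (the shape a policy LIMIT:BURST such as `10/sec:50` produces), and reports how many packets passed within the limit versus how many overflowed it, which is the number to look at when asking whether normal traffic is being affected. The sample chain is constructed from the dump in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

LIMIT_RE = re.compile(r"limit: avg (\S+) burst (\d+)")
MULT = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

# Constructed sample: the @net2fw chain quoted in the post, as iptables -nvL prints it.
SAMPLE_CHAIN = """\
Chain @net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
28114 1646K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 50
 3168  190K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

@dataclass
class Rule:
    pkts: int
    target: str
    limit: Optional[str] = None   # e.g. "10/sec" when a limit match is present
    burst: Optional[int] = None

def parse_count(text: str) -> int:
    """Parse iptables counters such as '28114', '1646K' or '2M'."""
    if text[-1] in MULT:
        return int(float(text[:-1]) * MULT[text[-1]])
    return int(text)

def parse_chain(dump: str) -> List[Rule]:
    """Turn one chain of iptables -nvL output into Rule records."""
    rules = []
    for line in dump.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Chain", "pkts"):  # chain and column header lines
            continue
        m = LIMIT_RE.search(line)
        rules.append(Rule(parse_count(parts[0]), parts[2],
                          m.group(1) if m else None,
                          int(m.group(2)) if m else None))
    return rules

def limit_overflow(rules: List[Rule]) -> Optional[dict]:
    """Find a limit-matched RETURN followed by an unconditional DROP and
    report how many packets stayed within the limit versus exceeded it."""
    for cur, nxt in zip(rules, rules[1:]):
        if cur.limit and cur.target == "RETURN" and nxt.target == "DROP" and nxt.limit is None:
            total = cur.pkts + nxt.pkts
            return {"rate": cur.limit, "burst": cur.burst, "passed": cur.pkts,
                    "dropped": nxt.pkts, "drop_fraction": nxt.pkts / total if total else 0.0}
    return None
```

Feed it the output of `iptables -nvL <chain>` taken a few minutes apart to see whether the DROP counter is still climbing under normal load.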
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users