On 08/13/2013 06:59 AM, Steve Wray wrote:
> Hi,
>
> I have created a very basic shorewall configuration with only one rule
> for rate limiting outgoing ICMP port unreachable packets.
>
> However when I look at the rules created I can see an extra rate
> limiting rule like this:
>
> Chain @net2fw (1 references)
>  pkts bytes target  prot opt in  out  source       destination
> 28114 1646K RETURN  all  --  *   *    0.0.0.0/0    0.0.0.0/0    limit: avg 10/sec burst 50
>  3168  190K DROP    all  --  *   *    0.0.0.0/0    0.0.0.0/0
>
> I trust that Shorewall does the right thing, and although I didn't ask
> for this particular rate limiting I am guessing that this shouldn't be
> causing any problems.
>
> But my colleagues are requiring an explanation and claim that this is
> affecting normal traffic.
>
> My suspicion is that this comes from the 'tcpflags' setting in
> interfaces and that it's rate limiting incoming invalid packets?
>
> interfaces:
> net eth0 detect tcpflags,nosmurfs,arp_filter,arp_ignore=1,routefilter
>
> zones:
> fw firewall
> net ipv4 - - -
>
> policy:
> $FW $FW ACCEPT - -
> $FW net ACCEPT - -
> net $FW ACCEPT - 10/sec:50 <========================================

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
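
A simplified model of the two rules in the @net2fw chain quoted above, added here as an illustration; it is not part of the original thread and not Shorewall's code. It assumes the iptables limit match behaves as a token bucket that starts full at the burst value and refills at the average rate; the function names and arrival patterns are constructed, and it does not model which packets Shorewall sends into the chain.

```python
from collections import Counter

COST = 1000  # credit units consumed by one matching packet


def limit_verdicts(arrivals_ms, rate_per_sec=10, burst=50):
    """Model the @net2fw chain: rule 1 RETURNs while the bucket has credit,
    rule 2 DROPs whatever rule 1 did not match.

    arrivals_ms: ascending packet arrival times in integer milliseconds.
    """
    cap = burst * COST
    credits = cap  # assumption: the bucket starts full
    last = None
    verdicts = []
    for t in arrivals_ms:
        if last is not None:
            # With COST = 1000, N packets/sec refills N credit units per ms.
            credits = min(cap, credits + (t - last) * rate_per_sec)
        last = t
        if credits >= COST:
            credits -= COST
            verdicts.append("RETURN")
        else:
            verdicts.append("DROP")
    return verdicts


def summarize(arrivals_ms, **kw):
    """Count RETURN and DROP verdicts for one arrival pattern."""
    return Counter(limit_verdicts(arrivals_ms, **kw))


# Constructed arrival patterns (not taken from the thread)
SCENARIOS = {
    "80 packets at once": [0] * 80,
    "10/sec for 20 s": [i * 100 for i in range(200)],
    "20/sec for 10 s": [i * 50 for i in range(200)],
    "60 at once, 2 s idle, 60 more": [0] * 60 + [2000] * 60,
}

if __name__ == "__main__":
    for name, arrivals in SCENARIOS.items():
        c = summarize(arrivals)
        print(f"{name:32} RETURN={c['RETURN']:3} DROP={c['DROP']:3}")
```

In this model, traffic above 10/sec is dropped only once the burst of 50 is used up, and an idle period restores credit at the average rate.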
