Uh, thanks for pointing out the obvious, Tom! Now I have to figure out how
THAT got there...



On 13 August 2013 22:05, Tom Eastep <[email protected]> wrote:

> On 08/13/2013 06:59 AM, Steve Wray wrote:
> > Hi,
> >
> > I have created a very basic shorewall configuration with only one rule
> > for rate limiting outgoing ICMP port unreachable packets.
> >
> > However when I look at the rules created I can see an extra rate
> > limiting rule like this:
> >
> > Chain @net2fw (1 references)
> >  pkts bytes target     prot opt in     out     source               destination
> > 28114 1646K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 50
> >  3168  190K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> >
> > I trust that Shorewall does the right thing, and although I didn't ask
> > for this particular rate limiting I am guessing that this shouldn't be
> > causing any problems.
> >
> > But my colleagues are requiring an explanation and claim that this is
> > affecting normal traffic.
> >
> > My suspicion is that this comes from the 'tcpflags' setting in
> > interfaces and that it's rate limiting incoming invalid packets?
> >
> > interfaces:
> > net eth0 detect tcpflags,nosmurfs,arp_filter,arp_ignore=1,routefilter
> >
> > zones:
> > fw      firewall
> > net ipv4 - - -
> >
> > policy:
> > $FW $FW ACCEPT - -
> > $FW net ACCEPT - -
> > net $FW ACCEPT - 10/sec:50 <========================================
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>