On 2/17/2015 4:07 AM, Øyvind 'bolt' Hvidsten wrote:
> I found an unexpected issue today when configuring a Raspberry Pi as a
> WAN emulator (AP with packet loss, high, variable ping, etc). In the
> kernel of Raspbian (a Debian variant), version 3.18.5 at the time of
> writing, ICMP ping requests are tracked.
>
> Thus, with a default policy of DROP for wlan2net, the following rule did
> not do what I expected:
> -----------------------------------
> SECTION NEW
> Ping(ACCEPT) wlan net - - - - 1/sec:10
> -----------------------------------
>
> This would allow a flood of pings from wlan to net, as long as it was
> from and to the same machines.
>
> However, putting the accept rule in the ALL section, followed by a DROP
> rule to counteract the default ALLOW rule for ESTABLISHED did what I
> wanted: one ping every second, with a pool of 10.
> -----------------------------------
> SECTION ALL
> Ping(ACCEPT) wlan net - - - - 1/sec:10
I think you probably want "s:1/sec:10" in the RATE/LIMIT column. Otherwise, only one user can ping at a time.

> Ping(DROP) wlan net
> -----------------------------------
>
> Connection tracking in progress:
> -----------------------------------
> $ shorewall show connections | grep icmp
> icmp 1 29 src=10.101.0.53 dst=173.194.112.130 type=8 code=0 id=256
> src=173.194.112.130 dst=10.0.10.34 type=0 code=0 id=256 mark=0 use=2
> -----------------------------------
>
> While discussing this in #shorewall on freenode, it was suggested that I
> send a mail about this, so this is me doing just that.
>
> If this situation isn't mentioned in the documentation or examples (I
> couldn't find it), it probably should be.

I'll do something the next time that I update the 'Ping' article.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
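The two rule placements side by side, as an added example that is not part of the thread above, with the per-source limit Tom suggests applied. It assumes the zone names (wlan, net) and the DROP policy for wlan to net from Øyvind's report; verify the resulting tracked flows with `shorewall show connections | grep icmp` as shown above.

```text
# /etc/shorewall/rules  (added example; zones and policy assumed from the report)

# 1. The NEW-section attempt, kept here commented out for comparison.
#    Conntrack keys ICMP echo by (src, dst, id). Only requests seen before
#    the first reply are in state NEW; once a reply has passed, later
#    requests with the same id are ESTABLISHED and are accepted by the
#    implicit ESTABLISHED accept that runs before the NEW section, so the
#    limit below never applies to them.
#SECTION NEW
#Ping(ACCEPT)   wlan    net     -       -       -       -       1/sec:10

# 2. What works: limit in the ALL section (evaluated for every conntrack
#    state), then drop the excess so it cannot fall through to the
#    ESTABLISHED accept.
SECTION ALL
# "s:" makes the limit per source address (one bucket per wlan host);
# without it every wlan host shares a single 1/sec budget with a burst of 10.
Ping(ACCEPT)    wlan    net     -       -       -       -       s:1/sec:10
Ping(DROP)      wlan    net

SECTION NEW
# remaining rules that should apply to new connections only
```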
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
