On Tuesday, October 16, 2018, 12:08:35 AM GMT+2, Vieri Di Paola via Shorewall-users <shorewall-users@lists.sourceforge.net> wrote:
>>> DNAT net2:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL loc:10.215.145.81
>>> tcp 80,443 - - 30/min:35
>>> [...]
>>> ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3:!+POL_BL,+GLOBAL_WL
>>> all tcp,udp - !443,80,25,3389
>>
>> If the connection rate to ports 80 and 443 from the net exceeds the
>> LIMIT on the DNAT rule, then those connections exceeding the rate will
>> be added to the ipset.
>
> Interesting. So, if I want to make sure the SRC IP addr. is not added to my
> POL_BL ipset then I should either remove rate limiting or use something else
> in between.

Come to think of it, I don't understand why the connections exceeding the rate will be added to the ipset if the ADD() action excludes dst ports 80 and 443 (!443,80).

Vieri