On 10/15/2018 03:15 PM, Vieri Di Paola via Shorewall-users wrote:
> On Tuesday, October 16, 2018, 12:08:35 AM GMT+2, Vieri Di Paola via
> Shorewall-users <shorewall-users@lists.sourceforge.net> wrote:
>
>>>> DNAT net2:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL loc:10.215.145.81 tcp 80,443 - - 30/min:35
>>>> [...]
>>>> ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3:!+POL_BL,+GLOBAL_WL all tcp,udp - !443,80,25,3389
>>>
>>> If the connection rate to ports 80 and 443 from the net exceeds the
>>> LIMIT on the DNAT rule, then those connections exceeding the rate will
>>> be added to the ipset.
>>
>> Interesting. So, if I want to make sure the SRC IP addr. is not added to my
>> POL_BL ipset then I should either remove rate limiting or use something else
>> in between.
>
> Come to think of it, I don't understand why the connections exceeding the
> rate will be added to the ipset if the ADD() action excludes dst ports 80 and
> 443 (!443,80).
>
Because you are excluding SOURCE ports, not DESTINATION ports...

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \   understand
\_______________________________________________
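To make the column mix-up Tom points out visible, here is an added checker (not code from the thread or from the Shorewall project) that maps the positional fields of a rules line to their column names and flags a negated port list that sits in SOURCE PORT while DEST PORT is unset. It assumes the column order documented for the Shorewall rules file (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE) and does not handle the `{column=value}` alternate syntax; the two sample rules are the ones quoted above, joined onto single lines.

```python
# Assumed positional column order of a Shorewall rules file (first eight
# columns only; later columns such as USER or MARK are ignored here).
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST", "RATE"]

# Constructed sample input: the two rules from the thread, unwrapped.
ADD_RULE = ("ADD(POL_BL:src):info:polbl,add2polbl "
            "net1,net2,net3:!+POL_BL,+GLOBAL_WL all tcp,udp - !443,80,25,3389")
DNAT_RULE = ("DNAT net2:!+IPS_BL,+POL_BL,+GEO_BL,+GEOIPS_BL "
             "loc:10.215.145.81 tcp 80,443 - - 30/min:35")


def parse_rule(line):
    """Map whitespace-separated fields to column names; missing trailing
    columns are reported as '-' (Shorewall's 'unset' marker)."""
    fields = line.split()[:len(COLUMNS)]
    fields += ["-"] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, fields))


def misplaced_port_exclusion(rule):
    """A negated port list in SPORT with DPORT unset: the exclusion applies
    to the client's ephemeral source port, which is almost never intended."""
    return rule["DPORT"] == "-" and rule["SPORT"].startswith("!")


def move_exclusion_to_dport(rule):
    """Return a copy with the SPORT exclusion moved into the DPORT column."""
    fixed = dict(rule)
    fixed["DPORT"], fixed["SPORT"] = rule["SPORT"], "-"
    return fixed


def format_rule(rule):
    """Re-emit a rule line, dropping trailing unset ('-') columns."""
    fields = [rule[c] for c in COLUMNS]
    while fields and fields[-1] == "-":
        fields.pop()
    return " ".join(fields)


def check_rules(lines):
    """Return (line_no, original, suggested) for every flagged rule;
    blank lines and '#' comments are skipped."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if misplaced_port_exclusion(rule):
            findings.append((number, line, format_rule(move_exclusion_to_dport(rule))))
    return findings
```

Run over the two sample rules, only the ADD rule is flagged, and the suggested rewrite carries `!443,80,25,3389` in the DEST PORT column, so the exclusion then applies to the ports the poster meant.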