firewall: raise log rate limit for user generated rules, too
Commit Message
Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises the log rate
limit for these.
In order to avoid side effects on firewalls with slow disks, it
was probably better touch these categories separately, so testing
users won't be DoSsed instantly. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/firewall/firewall-policy | 16 ++++++++--------
config/firewall/rules.pl | 6 +++---
config/rootfiles/core/137/filelists/files | 2 ++
3 files changed, 13 insertions(+), 11 deletions(-)
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> On 25 Sep 2019, at 16:06, peter.mueller@ipfire.org wrote:
>
> Having raised the overall log rate limit to 10 packet per second
> in Core Update 136, this did not affected rules generated by the
> user. In order to stay consistent, this patch also raises log rate
> limit for these.
>
> In order to avoid side effects on firewalls with slow disks, it
> was probably better touch these categories separately, so testing
> users won't be DoSsed instantly. :-)
Well, I am not sure if that was a good strategy in the end.
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/firewall/firewall-policy | 16 ++++++++--------
> config/firewall/rules.pl | 6 +++---
> config/rootfiles/core/137/filelists/files | 2 ++
> 3 files changed, 13 insertions(+), 11 deletions(-)
>
> diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
> index 078c3c515..21165e933 100755
> --- a/config/firewall/firewall-policy
> +++ b/config/firewall/firewall-policy
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
> +# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -100,13 +100,13 @@ esac
> case "${FWPOLICY2}" in
> REJECT)
> if [ "${DROPINPUT}" = "on" ]; then
> - iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
> + iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "REJECT_INPUT "
> fi
> iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
> ;;
> *) # DROP
> if [ "${DROPINPUT}" = "on" ]; then
> - iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
> + iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "DROP_INPUT "
> fi
> iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
> ;;
> @@ -118,13 +118,13 @@ case "${POLICY}" in
> case "${FWPOLICY}" in
> REJECT)
> if [ "${DROPFORWARD}" = "on" ]; then
> - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
> + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "REJECT_FORWARD "
> fi
> iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
> ;;
> *) # DROP
> if [ "${DROPFORWARD}" = "on" ]; then
> - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
> + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
> fi
> iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
> ;;
> @@ -160,7 +160,7 @@ case "${POLICY}" in
> fi
>
> if [ "${DROPFORWARD}" = "on" ]; then
> - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
> + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
> fi
> iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
> ;;
> @@ -172,13 +172,13 @@ case "${POLICY1}" in
> case "${FWPOLICY1}" in
> REJECT)
> if [ "${DROPOUTGOING}" = "on" ]; then
> - iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
> + iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "REJECT_OUTPUT "
> fi
> iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
> ;;
> *) # DROP
> if [ "${DROPOUTGOING}" == "on" ]; then
> - iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
> + iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "DROP_OUTPUT "
> fi
> iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
> ;;
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 78e3e1e91..86db47367 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
> +# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -804,8 +804,8 @@ sub make_log_limit_options {
> # Maybe we should get this from the configuration.
> my $limit = 10;
>
> - # We limit log messages to $limit messages per minute.
> - push(@options, ("--limit", "$limit/min"));
> + # We limit log messages to $limit messages per second.
> + push(@options, ("--limit", "$limit/second"));
>
> # And we allow bursts of 2x $limit.
> push(@options, ("--limit-burst", $limit * 2));
> diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files
> index ce4e51768..04b6c42ff 100644
> --- a/config/rootfiles/core/137/filelists/files
> +++ b/config/rootfiles/core/137/filelists/files
> @@ -1,4 +1,6 @@
> etc/system-release
> etc/issue
> srv/web/ipfire/cgi-bin/credits.cgi
> +usr/lib/firewall/rules.pl
> +usr/sbin/firewall-policy
> var/ipfire/langs
> --
> 2.16.4
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -100,13 +100,13 @@ esac
case "${FWPOLICY2}" in
REJECT)
if [ "${DROPINPUT}" = "on" ]; then
- iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
+ iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "REJECT_INPUT "
fi
iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
;;
*) # DROP
if [ "${DROPINPUT}" = "on" ]; then
- iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
+ iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "DROP_INPUT "
fi
iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
;;
@@ -118,13 +118,13 @@ case "${POLICY}" in
case "${FWPOLICY}" in
REJECT)
if [ "${DROPFORWARD}" = "on" ]; then
- iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
+ iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "REJECT_FORWARD "
fi
iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
;;
*) # DROP
if [ "${DROPFORWARD}" = "on" ]; then
- iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
fi
iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
;;
@@ -160,7 +160,7 @@ case "${POLICY}" in
fi
if [ "${DROPFORWARD}" = "on" ]; then
- iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+ iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
fi
iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
;;
@@ -172,13 +172,13 @@ case "${POLICY1}" in
case "${FWPOLICY1}" in
REJECT)
if [ "${DROPOUTGOING}" = "on" ]; then
- iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
+ iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "REJECT_OUTPUT "
fi
iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
;;
*) # DROP
if [ "${DROPOUTGOING}" == "on" ]; then
- iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+ iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "DROP_OUTPUT "
fi
iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
;;
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -804,8 +804,8 @@ sub make_log_limit_options {
# Maybe we should get this from the configuration.
my $limit = 10;
- # We limit log messages to $limit messages per minute.
- push(@options, ("--limit", "$limit/min"));
+ # We limit log messages to $limit messages per second.
+ push(@options, ("--limit", "$limit/second"));
# And we allow bursts of 2x $limit.
push(@options, ("--limit-burst", $limit * 2));
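Review bot: The rewritten comment at the `--limit` line names the new unit but not that this is a 60x jump in log volume per rule, nor that the `--limit-burst` two lines below now permits 20 packets within a single second; since every user-defined rule gets its own bucket from this sub, the aggregate syslog load scales with the rule count, which is not obvious from the hunk. The existing `# Maybe we should get this from the configuration.` remark above `$limit` is now more pressing and would read better as an explicit TODO, e.g. `# TODO: make $limit configurable; 10/second per rule is a large jump from the former 10/minute and each user rule gets its own bucket.` make_log_limit_options starts before the hunk and ends after it.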
@@ -1,4 +1,6 @@
etc/system-release
etc/issue
srv/web/ipfire/cgi-bin/credits.cgi
+usr/lib/firewall/rules.pl
+usr/sbin/firewall-policy
var/ipfire/langs