From patchwork Wed Sep 25 15:06:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2425
To: "IPFire: Development-List"
From: peter.mueller@ipfire.org
Subject: [PATCH] firewall: raise log rate limit for user generated rules, too
Date: Wed, 25 Sep 2019 15:06:00 +0000
List-Id: IPFire development talk

Having raised the overall log rate limit to 10 packets per second in Core Update 136, this did not affect rules generated by the user. In order to stay consistent, this patch also raises the log rate limit for these.

In order to avoid side effects on firewalls with slow disks, it was probably better to touch these categories separately, so testing users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller
Reviewed-by: Michael Tremer
---
 config/firewall/firewall-policy           | 16 ++++++++--------
 config/firewall/rules.pl                  |  6 +++---
 config/rootfiles/core/137/filelists/files |  2 ++
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 078c3c515..21165e933 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx # +# Copyright (C) 2007-2019 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -100,13 +100,13 @@ esac case "${FWPOLICY2}" in REJECT) if [ "${DROPINPUT}" = "on" ]; then - iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT " + iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "REJECT_INPUT " fi iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" ;; *) # DROP if [ "${DROPINPUT}" = "on" ]; then - iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " + iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "DROP_INPUT " fi iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT" ;; @@ -118,13 +118,13 @@ case "${POLICY}" in case "${FWPOLICY}" in REJECT) if [ "${DROPFORWARD}" = "on" ]; then - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD " + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "REJECT_FORWARD " fi iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" ;; *) # DROP if [ "${DROPFORWARD}" = "on" ]; then - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD " fi iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" ;; 
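Review bot: the copyright header rewrite in the @@ -2,7 +2,7 @@ hunk (replacing "Copyright (C) 2013 Alexander Marx" with "Copyright (C) 2007-2019 IPFire Team") is unrelated to the log rate limit and is not mentioned in the commit message; either drop it from this patch or add a sentence explaining why the attribution changes, so the change stays bisectable and the history of the file is not silently rewritten.

Review bot: in the @@ -100,13 +100,13 @@ hunk the POLICYIN LOG rules now read `-m limit --limit 10/second` without a `--limit-burst`, so they fall back to the limit match's default burst of 5, whereas rules.pl in this same patch sets the burst to 2x the limit (20) for user rules; add `--limit-burst 20` to both LOG lines so default-policy logging and user-rule logging behave the same. Note also that `-m limit` is one token bucket per rule, not per source address, so a single flood still exhausts the bucket and starves log lines for every other dropped host at this rate; `-m hashlimit` with a per-source mode would avoid that if the concern in the commit message is a DoS on the log path.

Review bot: the @@ -118,13 +118,13 @@ hunk has the same missing `--limit-burst` on both POLICYFWD LOG lines as the POLICYIN hunk above; apply the same fix so the REJECT and DROP branches burst identically.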
@@ -160,7 +160,7 @@ case "${POLICY}" in fi if [ "${DROPFORWARD}" = "on" ]; then - iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD " + iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD " fi iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP ;; @@ -172,13 +172,13 @@ case "${POLICY1}" in case "${FWPOLICY1}" in REJECT) if [ "${DROPOUTGOING}" = "on" ]; then - iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT " + iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "REJECT_OUTPUT " fi iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" ;; *) # DROP if [ "${DROPOUTGOING}" == "on" ]; then - iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT " + iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "DROP_OUTPUT " fi iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" ;; diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 78e3e1e91..86db47367 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx # +# Copyright (C) 2007-2019 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -804,8 +804,8 @@ sub make_log_limit_options { # Maybe we should get this from the configuration. my $limit = 10; - # We limit log messages to $limit messages per minute. - push(@options, ("--limit", "$limit/min")); + # We limit log messages to $limit messages per second. + push(@options, ("--limit", "$limit/second")); # And we allow bursts of 2x $limit. push(@options, ("--limit-burst", $limit * 2)); 
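Review bot: the @@ -160,7 +160,7 @@ hunk raises the second POLICYFWD DROP_FORWARD LOG rule to 10/second but, like the others, leaves the burst at the default of 5; keep it consistent with the `--limit-burst` value used for user rules in rules.pl.

Review bot: the @@ -172,13 +172,13 @@ hunk for POLICYOUT has the same missing `--limit-burst`; while touching these lines it is also worth making the DROP branch's `[ "${DROPOUTGOING}" == "on" ]` match the `=` used in the REJECT branch two lines above, since `==` is a bashism inside `[ ]`.

Review bot: the rules.pl @@ -2,7 +2,7 @@ hunk repeats the unrelated copyright rewrite from firewall-policy; the same remark applies, mention it in the commit message or split it out.

Review bot: the @@ -804,8 +804,8 @@ hunk is the only part of this patch that touches user-generated rules, yet the subject line and body only talk about those; the firewall-policy hunks above raise the limit on the default-policy LOG rules as well, and the commit message should say so. The hard-coded `my $limit = 10;` below the "Maybe we should get this from the configuration" comment is exactly the knob the commit message worries about for slow-disk installations, so exposing it in the firewall settings would be a sensible follow-up. With `--limit 10/second` and `--limit-burst 20` a single noisy rule can now emit up to 864,000 log lines per day, which is worth stating in the Core Update 137 release notes.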
diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files index ce4e51768..04b6c42ff 100644 --- a/config/rootfiles/core/137/filelists/files +++ b/config/rootfiles/core/137/filelists/files @@ -1,4 +1,6 @@ etc/system-release etc/issue srv/web/ipfire/cgi-bin/credits.cgi +usr/lib/firewall/rules.pl +usr/sbin/firewall-policy var/ipfire/langs
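Review bot: adding usr/lib/firewall/rules.pl and usr/sbin/firewall-policy to the Core Update 137 file list ships the changed scripts, but the rules only change once the firewall is re-applied; confirm that the core update's post-install script (not part of this patch) reloads the firewall, otherwise the new 10/second limit only takes effect after the next rule regeneration or reboot.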