[Firehol-support] Control the frequency of NEW connections per service

Costa Tsaousis costa at tsaousis.gr
Tue Sep 14 23:59:02 CEST 2004


Hi all,

I have just added the ability to control the frequency of incoming NEW
connections per FireHOL service. It has been added in the CVS version
1.203. You can get it from http://firehol.sf.net/firehol.tar.gz (it
appears there in about 24 hours - sourceforge rules - check that you got
v1.203 before reporting problems).

Any comments or bug reports are welcome.

---

Added support for options to the ACCEPT action in order to allow a certain
frequency of NEW connections per service. Now, the template for the ACCEPT
action is this:

ACCEPT [with limit frequency burst [overflow action]]

for example:

server smtp accept with limit 10/s 100 overflow drop

which means there is now control for the frequency at which NEW incoming
connections are accepted and control is also provided for the overflow NEW
ones.

The default overflow action is REJECT which rejects TCP connections with
TCP-RESET and all others with ICMP-PORT-UNREACHABLE.

To add other optional rule parameters to the server/client/route command
just add them after the ACCEPT expression. For example:

server smtp accept with limit 10/s 1000 src 1.2.3.4

If there are overflow NEW connections, the firewall will log "OVERFLOW"
with the packets. These logs appear with the frequency of loglimit
(controlled via global variables).

The arguments to the ACCEPT action are allowed in clients and servers, in
interfaces and routers.
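An added example, not code from the announcement or from the FireHOL project: a FireHOL configuration fragment that uses the new "accept with limit" syntax in an interface block and in a router (kept in a variable so the script runs without FireHOL installed), followed by a small POSIX shell helper that summarises the "OVERFLOW" log entries the announcement says the firewall produces, counting them per source address and destination port. Interface names, addresses, service choices and the surrounding log-line text are assumptions; the SRC=/DPT= fields follow the standard netfilter LOG format, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: FireHOL "accept with limit" usage plus OVERFLOW log triage.
# Not part of the FireHOL project; names and addresses are made up.

# Assumed FireHOL configuration fragment (not loaded here, only shown).
# Syntax: ACCEPT [with limit frequency burst [overflow action]]; extra
# rule parameters (e.g. src) go after the ACCEPT expression.
FIREHOL_CONF_EXAMPLE='
interface eth0 internet
    protection strong
    server smtp accept with limit 10/s 100 overflow drop
    server http accept with limit 50/s 200 src 203.0.113.0/24
    client all accept

router lan2internet inface eth1 outface eth0
    route smtp accept with limit 5/s 50 overflow reject
'

# Constructed sample kernel log lines. The "OVERFLOW" tag is what the
# announcement says is logged; the exact prefix layout is an assumption.
SAMPLE_LOG='Sep 14 23:59:02 gw kernel: IN=eth0 OUT= OVERFLOW SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=41234 DPT=25 SYN
Sep 14 23:59:02 gw kernel: IN=eth0 OUT= OVERFLOW SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=41235 DPT=25 SYN
Sep 14 23:59:03 gw kernel: IN=eth0 OUT= OVERFLOW SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5120 DPT=25 SYN
Sep 14 23:59:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.1 PROTO=TCP SPT=5121 DPT=80 SYN'

# overflow_counts: read log lines on stdin, keep only OVERFLOW entries and
# print "count source dport", most frequent first. Lines without both
# SRC= and DPT= fields are ignored.
overflow_counts() {
    grep 'OVERFLOW' | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "" && dpt != "") c[src " " dpt]++
    }
    END { for (k in c) print c[k], k }' | sort -rn
}

# Usage: feed the kernel log (or the sample) through the helper.
printf '%s\n' "$SAMPLE_LOG" | overflow_counts
```

Running the script prints `2 203.0.113.7 25` and `1 198.51.100.9 25`; the non-OVERFLOW line on port 80 is an ordinary accepted connection and is not counted. Because FireHOL rate-limits these log entries through loglimit, the counts are a lower bound on rejected connections, which is worth remembering before treating a single source as the only one hitting the limit.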

Thanks.

Costa