[Firehol-support] Re: Integrating ipt_recent with FireHOL

Redeeman redeeman at metanurb.dk
Sat Nov 12 02:50:45 GMT 2005


On Sat, 2005-11-12 at 01:00 +0200, Costa Tsaousis wrote:
<snip>

Costa, sorry about this, but I sent two messages to you instead of the
list.. Evolution sometimes doesn't act like it's expected.. the stuff I
posted is:

> In v1.240 (get it from http://firehol.sf.net/firehol.tar.gz) you now
> can:
> 
nice, I see you haven't committed to CVS though..

when do you think this will be released in a public release?

btw, the man pages specify config file as /etc/firehol.conf, while the
script still uses /etc/firehol/firehol.conf :)

> Example:
> 
> server smtp accept with recent SMTP 30 5
> 
> will allow only 4 (5-1) NEW connections every 30 seconds.
> The overflow connections will be treated as if the "server smtp accept"
> was not there... (i.e. logged and dropped at the end of the interface,
> or the end of the firewall for routers)
unless of course policy accept is there, then it should still work right?

and, how come it's "4 (5-1)"?

and finally, this is on a per-IP basis right? so that if some idiot
attacks my sshd I will still be able to connect to it, right?

> You can disable SECONDS or HITS by giving an empty argument:
> 
> server smtp accept with recent SMTP "" 5
> 
> or
> 
> server smtp accept with recent SMTP 30 ""
I don't understand, what would this accomplish?


> 
> Do you believe we should also add a "recent" protection, so that one can
> limit the rate of connections per interface and router for all the
> services together, or even a "recent" helper so that one can limit the
> rate of connections globally for the whole of the firewall?

as another guy said, I believe a global helper to set one service for
all interfaces might be usable
-----------------------------------------

Another question, unrelated..
I just saw adblock.sh, and I'm hooked on it!

can I somehow implement this in my router.. I mean.. this is my config:
-------
interface eth0 redeeman
        policy accept
        server all accept
        client all accept

interface eth1 internet
        policy drop
        protection strong

        server ident reject with tcp-reset
        server "http https ssh dns smtp microsoft_ds portmap redeenfs" accept
        server custom boinc "tcp/1043 tcp/31416" default accept
        server custom myhttp "tcp/8081" default accept
        server ldaps accept src 192.168.0.2

        client "http https ssh dns irc" accept
        client all accept user redeeman
        client all accept user root

router internet2lan inface eth1 outface eth0
        masquerade reverse
        route all accept
        client all accept
----------------
so that connections from stuff on eth0 (my LAN) are also unable to
connect to the blacklisted IPs?

would I be able to do that in the router statement?

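Editor's added example, not FireHOL code and not part of this thread: a small Python model of the netfilter "recent" match that the `with recent NAME SECONDS HITS` option drives, covering the two questions raised above about the "4 (5-1)" count and about per-IP behaviour. The iptables chain in the docstring is a hand-written equivalent of `server smtp accept with recent SMTP 30 5`; the chain name `in_smtp`, the rule order (the `--set` rule before the `--update --hitcount` check) and the constructed sample addresses are assumptions, not what FireHOL emits. With `--set` first, the packet being examined has already been recorded when the hitcount check runs, so the 5th NEW connection within 30 seconds trips `--hitcount 5` and only 4 are accepted per window; swapping the two rules would accept 5. The recent list is keyed by source address (`--rsource`, the default), so one address using up its allowance does not affect another.

```python
"""Model of the netfilter 'recent' match (xt_recent / ipt_recent) behind a
FireHOL rule such as

    server smtp accept with recent SMTP 30 5

Hypothetical hand-written iptables equivalent that this model walks
(chain name and rule order are assumptions; DROP stands for "fall through
to whatever the rest of the FireHOL policy does with the packet"):

    iptables -A in_smtp -p tcp --dport 25 -m state --state NEW \
        -m recent --name SMTP --rsource --set
    iptables -A in_smtp -p tcp --dport 25 -m state --state NEW \
        -m recent --name SMTP --rsource --update --seconds 30 --hitcount 5 -j DROP
    iptables -A in_smtp -p tcp --dport 25 -m state --state NEW -j ACCEPT
"""
from collections import defaultdict

# The kernel keeps at most ip_pkt_list_tot timestamps per address (module
# parameter, default 20), so --hitcount cannot usefully exceed it.
PKT_LIST_TOT = 20


class RecentList:
    """One named list, keyed by source address like /proc/net/ipt_recent/NAME."""

    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(list)  # src -> timestamps of recorded packets

    def _record(self, src, now):
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > PKT_LIST_TOT:      # the kernel ring overwrites the oldest stamp
            del lst[0]

    def set(self, src, now):
        """--set: always record this packet for its source; always matches."""
        self._record(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when the source already has
        at least N recorded packets within the last S seconds (S=0 means no
        window).  On a match the current packet is recorded as well."""
        if src not in self.stamps:
            return False
        hits = 0
        for t in self.stamps[src]:
            if seconds and now - t > seconds:
                continue                 # stamp is older than the window
            hits += 1
            if hits >= hitcount:
                self._record(src, now)
                return True
        return False


def new_connection(table, src, now, seconds=30, hitcount=5):
    """Walk the three-rule chain for one NEW packet from src at time now."""
    table.set(src, now)                                  # rule 1: --set
    if table.update(src, now, seconds, hitcount):        # rule 2: --update/--hitcount
        return "DROP"
    return "ACCEPT"                                      # rule 3: plain accept


def run(events, seconds=30, hitcount=5):
    """Feed chronological (time, src) events through a fresh list; return verdicts."""
    table = RecentList("SMTP")
    return [new_connection(table, src, t, seconds, hitcount) for t, src in events]


# Constructed sample traffic (assumed addresses): one source hammering the
# port, a different client connecting during the burst, and the noisy source
# coming back after the 30 s window has passed.
EVENTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (3, "198.51.100.7"), (3, "192.0.2.10"), (4, "198.51.100.7"),
    (5, "198.51.100.7"), (6, "198.51.100.7"),
    (40, "198.51.100.7"),
]


def verdicts_by_source(events=EVENTS, **kw):
    """Return {src: [verdicts in order]} for one run over the event list."""
    table = RecentList("SMTP")
    out = defaultdict(list)
    for t, src in events:
        out[src].append(new_connection(table, src, t, **kw))
    return dict(out)


if __name__ == "__main__":
    for src, verdicts in verdicts_by_source().items():
        print(f"{src:15} {' '.join(verdicts)}")
```

Running it directly prints four ACCEPTs, three DROPs and then an ACCEPT for the burst source (the window has expired by t=40), and a single ACCEPT for the other address, which never sees the burst source's counter. Passing `seconds=0` models a rule without `--seconds`: the stamps never age out, so once a source has reached the hitcount it stays blocked for as long as its entry survives in the list.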