[Firehol-support] Re: Integrating ipt_recent with FireHOL
redeeman at metanurb.dk
Sat Nov 12 02:50:45 GMT 2005
On Sat, 2005-11-12 at 01:00 +0200, Costa Tsaousis wrote:
Costa, sorry about this, but I sent two messages to you instead of the
list.. Evolution sometimes doesn't act like it's expected.. the stuff I
> In v1.240 (get it from http://firehol.sf.net/firehol.tar.gz) you now
Nice, I see you haven't committed to CVS though..
When do you think this will be released in a public release?
BTW, the man pages specify the config file as /etc/firehol.conf, while the
script still uses /etc/firehol/firehol.conf :)
> server smtp accept with recent SMTP 30 5
> will allow only 4 (5-1) NEW connections every 30 seconds.
> The overflow connections will be treated as if the "server smtp
> was not there... (i.e. logged and dropped at the end of the
> or the end of the firewall for routers)
Unless of course policy accept is there, then it should still work, right?
And how come it's "4 (5-1)"?
And finally, this is on a per-IP basis, right? So that if some idiot
attacks my sshd I will still be able to connect to it, right?
> You can disable SECONDS or HITS by giving an empty argument:
> server smtp accept with recent SMTP "" 5
> server smtp accept with recent SMTP 30 ""
I don't understand, what would this accomplish?
> Do you believe we should also add a "recent" protection, so that one
> limit the rate of connections per interface and router for all the
> services together, or even a "recent" helper so that one can limit
> rate of connections globally for the whole of the firewall?
As another guy said, I believe a global helper to set one service for
all interfaces might be usable.
Another question, unrelated..
I just saw adblock.sh, and I'm hooked on it!
Can I somehow implement this in my router.. I mean.. this is my config:
interface eth0 redeeman
    server all accept
    client all accept

interface eth1 internet
    server ident reject with tcp-reset
    server "http https ssh dns smtp microsoft_ds portmap redeenfs"
    server custom boinc "tcp/1043 tcp/31416" default accept
    server custom myhttp "tcp/8081" default accept
    server ldaps accept src 192.168.0.2
    client "http https ssh dns irc" accept
    client all accept user redeeman
    client all accept user root

router internet2lan inface eth1 outface eth0
    route all accept
    client all accept
so that connections from stuff on eth0 (my LAN) are also unable to
connect to the blacklisted IPs?
Would I be able to do that in the router statement?
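The "with recent SMTP 30 5" behaviour quoted above, modelled as an added Python example (not code from this thread or from FireHOL itself). It assumes the generated rules record the new connection first (the iptables "--set" step) and then check the window ("--update --seconds 30 --hitcount 5"), which is the usual recent-module pattern and is what makes the fifth attempt within the window the first one refused; it also shows that the list is kept per source address, so one noisy client does not lock out another.

```python
from collections import defaultdict

class RecentList:
    """Per-source-IP timestamp list, like /proc/net/ipt_recent/NAME."""
    def __init__(self, name):
        self.name = name
        self.stamps = defaultdict(list)   # src ip -> list of hit times

    def set(self, src, now):
        # "--set": record this packet's timestamp for src
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # "--update --seconds S --hitcount H": matches when src already has at
        # least H recorded hits in the last S seconds (S=0 means no time bound,
        # as with an empty SECONDS argument). A match also refreshes the entry.
        hits = self.stamps.get(src)
        if not hits:
            return False
        if seconds:
            hits = [t for t in hits if now - t <= seconds]
        matched = len(hits) >= hitcount
        if matched:
            self.set(src, now)
        return matched

def new_connection(table, src, now, seconds, hitcount):
    # Assumed rule order: the new connection is recorded first, then the
    # window is checked. A match means the packet falls through to the
    # interface's default (logged and dropped in Costa's description).
    table.set(src, now)
    if table.update(src, now, seconds, hitcount):
        return "drop"
    return "accept"

def simulate(attempts, seconds=30, hitcount=5):
    """attempts: list of (time, src). Returns one verdict per attempt."""
    table = RecentList("SMTP")   # hypothetical list name, as in the thread
    return [new_connection(table, src, t, seconds, hitcount) for t, src in attempts]

if __name__ == "__main__":
    # Constructed sample: six quick attempts from one host, one from another,
    # then the first host again after the 30 s window has passed.
    sample = [(0, "10.0.0.1"), (1, "10.0.0.1"), (2, "10.0.0.1"), (3, "10.0.0.1"),
              (4, "10.0.0.1"), (5, "10.0.0.1"), (5, "10.0.0.2"), (40, "10.0.0.1")]
    for (t, src), verdict in zip(sample, simulate(sample)):
        print(f"t={t:2d} {src}: {verdict}")
```

Only four of the six rapid attempts from 10.0.0.1 are accepted, the other host is unaffected, and 10.0.0.1 is accepted again once its earlier hits age out of the window.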