[Firehol-support] Re: Integrating ipt_recent with FireHOL

Redeeman redeeman at metanurb.dk
Sat Nov 12 02:50:45 GMT 2005

On Sat, 2005-11-12 at 01:00 +0200, Costa Tsaousis wrote:

Costa, sorry about this, but I sent two messages to you instead of the
list.. Evolution sometimes doesn't act like it's expected to.. the stuff I
posted is:

> In v1.240 (get it from http://firehol.sf.net/firehol.tar.gz) you now
nice, I see you haven't committed to CVS though..

when do you think this will be released in a public release?

btw, the man pages specify config file as /etc/firehol.conf, while the
script still uses /etc/firehol/firehol.conf :)

> Example:
> server smtp accept with recent SMTP 30 5
> will allow only 4 (5-1) NEW connections every 30 seconds.
> The overflow connections will be treated as if the "server smtp
> was not there... (i.e. logged and dropped at the end of the
> or the end of the firewall for routers)
unless of course policy accept is there, then it should still work, right?

and, how come it's "4 (5-1)"?

and finally, this is on a per-IP basis, right? so that if some idiot
attacks my sshd I will still be able to connect to it, right?

> You can disable SECONDS or HITS by giving an empty argument:
> server smtp accept with recent SMTP "" 5
> or
> server smtp accept with recent SMTP 30 ""
I don't understand, what would this accomplish?

> Do you believe we should also add a "recent" protection, so that one
> limit the rate of connections per interface and router for all the 
> services together, or even a "recent" helper so that one can limit
> rate of connections globally for the whole of the firewall?

as another guy said, I believe a global helper to set one service for
all interfaces might be usable

Another question, unrelated..
I just saw adblock.sh, and I'm hooked on it!

can I somehow implement this in my router.. I mean.. this is my config:
interface eth0 redeeman
        policy accept
        server all accept
        client all accept

interface eth1 internet
        policy drop
        protection strong

        server ident reject with tcp-reset
        server "http https ssh dns smtp microsoft_ds portmap redeenfs"
        server custom boinc "tcp/1043 tcp/31416" default accept
        server custom myhttp "tcp/8081" default accept
        server ldaps accept src

        client "http https ssh dns irc" accept
        client all accept user redeeman
        client all accept user root

router internet2lan inface eth1 outface eth0
        masquerade reverse
        route all accept
        client all accept
so that connections from stuff on eth0 (my LAN) are also unable to
connect to the blacklisted IPs?

would I be able to do that in the router statement?
