[Firehol-support] trouble with limit 1000/s 1000
Marcel Gsteiger
Marcel.Gsteiger at milprog.ch
Tue Dec 4 15:02:49 GMT 2007
Hi all
After upgrading firehol from 1.226 to 1.256, I have severe trouble when using the "with limit" directive.
First, this directive generated names that were too long for iptables when the value exceeded 3 digits (e.g. "with limit 1000/s 1000").
But other limit directives generate errors like:
--------------------------------------------------------------------------------
ERROR : # 1.
WHAT : A runtime command failed to execute (returned error 1).
SOURCE : line INIT of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT_LIMIT_100_s_100_REJECT
OUTPUT :
iptables: No chain/target/match by that name
My script contains a base script that "calls" several sub-scripts by using ".", e.g.
. /etc/firehol/common/services
Unfortunately, my script is rather long (it is a linux-vserver host with lots of virtual interfaces, 802.1q, NAT, etc.; firehol generates about 9000 iptables entries). But 1.226 works without any problems, while 1.256 causes these errors. What may be wrong here?
Here is the part of my firehol script that generates the error:
interface vlan47+ pub_v35 src not "${UNROUTABLE_IPS}" dst "${v_web_priv}"
    # priv = after NAT
    protection strong
    server ssh accept src "${v_web_clients}"
    server http accept with limit 100/s 100    # this limit directive causes the error
    server ftp accept with limit 100/s 100 src "${v_web_ftpclients}"
    server postgres accept src "${postgres_clients_193} ${pub_mgpriv}"
    client smtp accept with limit 2/s 4 dst "${v_web_smtp_recipients}"
    client http accept dst "${pear_extension_repository}"
    server icmp accept with limit 10/s 10
    client icmp accept with limit 10/s 10
Any help would be much appreciated.
Regards
--Marcel
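Editor's note, as an added check that is not part of the post above and not FireHOL's own code: the target in the failing command, ACCEPT_LIMIT_100_s_100_REJECT, is 29 characters long. Current iptables refuses to create a chain whose name is 29 characters or more ("chain name `...' too long (must be under 29 chars)"), and a rule that jumps to a chain that was never created fails with exactly "No chain/target/match by that name". The script below predicts the chain name for each "with limit RATE BURST" value in the config excerpt and flags the ones that exceed that ceiling. The naming pattern (<action>_LIMIT_<rate>_<unit>_<burst>_<overflow action>) is an assumption inferred from the single chain name visible in the error output, and the 28-character ceiling is what current iptables enforces; the iptables build of 2007 may have used a different value, so IPT_CHAIN_MAX is kept as a parameter.

```shell
#!/bin/sh
# Added example (not FireHOL's own code): predict the chain names that
# "with limit RATE BURST" produces and check them against iptables' limit.
#
# Current iptables rejects a chain name of 29 characters or more
# ("chain name `...' too long (must be under 29 chars)"), so 28 is the
# ceiling used here. Adjust it if your iptables build enforces another one.
IPT_CHAIN_MAX=28

# Naming pattern ASSUMED from the one chain name visible in the failing
# command in the post (ACCEPT_LIMIT_100_s_100_REJECT):
#   <action>_LIMIT_<rate>_<unit>_<burst>_<overflow action>
# where the "/" in a rate such as "100/s" becomes "_".
limit_chain_name() {
    # $1 action, $2 rate spec ("100/s"), $3 burst, $4 overflow action
    printf '%s_LIMIT_%s_%s_%s' "$1" "$(printf '%s' "$2" | tr '/' '_')" "$3" "$4"
}

# Report whether the generated name fits. Returns 0 if it fits, 1 if not.
check_limit_chain() {
    name=$(limit_chain_name "$@")
    len=${#name}
    if [ "$len" -gt "$IPT_CHAIN_MAX" ]; then
        printf 'TOO LONG (%s chars, max %s): %s\n' "$len" "$IPT_CHAIN_MAX" "$name"
        return 1
    fi
    printf 'ok       (%s chars): %s\n' "$len" "$name"
    return 0
}

# Walk the limit values used in the config excerpt in the post, plus the
# four-digit one the post mentions first.
bad=0
for spec in "10/s 10" "2/s 4" "100/s 100" "1000/s 1000"; do
    set -- $spec
    check_limit_chain ACCEPT "$1" "$2" REJECT || bad=$((bad + 1))
done
echo "$bad limit directive(s) would produce a chain name iptables cannot create"
```

Run it as-is to see which directives are safe: 10/s 10 and 2/s 4 fit (27 and 25 characters), while 100/s 100 (29) and 1000/s 1000 (31) do not. The same length check can be applied to any other chain name a generator emits before handing it to iptables, which is cheaper than parsing the "No chain/target/match" failure after the fact.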