[Firehol-support] trouble with limit 1000/s 1000
Costa Tsaousis
costa at tsaousis.gr
Sat Dec 8 10:26:29 GMT 2007
Marcel Gsteiger wrote:
> Hi all
>
> After upgrading firehol 1.226 to 1.256, I have severe troubles when using the "with limit" directive.
>
> First, this directive generated names that were too long for iptables when the value exceeded 3 digits (e.g. "with limit 1000/s 1000").
>
> But other limit directives generate errors like:
>
> --------------------------------------------------------------------------------
> ERROR : # 1.
> WHAT : A runtime command failed to execute (returned error 1).
> SOURCE : line INIT of /etc/firehol/firehol.conf
> COMMAND : /sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT_LIMIT_100_s_100_REJECT
> OUTPUT :
>
> iptables: No chain/target/match by that name
>
> My script contains a base script that "calls" several sub-scripts by using ".", e.g.
>
> . /etc/firehol/common/services
>
> Unfortunately, my script is rather long (it's a linux-vserver host having lots of virtual interfaces, 802.1q, NAT etc; firehol generates about 9000 IPTables entries). But 1.226 works without any problems, while 1.256 causes these errors. What may be wrong here?
>
> Here is the part of my firehol script that generates the error:
>
> interface vlan47+ pub_v35 src not "${UNROUTABLE_IPS}" dst "${v_web_priv}"
> # priv = after NAT
> protection strong
> server ssh accept src "${v_web_clients}"
> server http accept with limit 100/s 100 # this limit directive causes the error
> server ftp accept with limit 100/s 100 src "${v_web_ftpclients}"
> server postgres accept src "${postgres_clients_193} ${pub_mgpriv}"
> client smtp accept with limit 2/s 4 dst "${v_web_smtp_recipients}"
> client http accept dst "${pear_extension_repository}"
> server icmp accept with limit 10/s 10
> client icmp accept with limit 10/s 10
>
> Any help would be much appreciated.
>
> Regards
> --Marcel
>
Marcel,
1. Could you please run both versions of firehol with 'debug' and check
the diff of the two outputs?
Can you scramble all IP addresses and post the diff?
2. To focus on the problem, in the output of the later version (1.256
with 'debug') can you confirm that the chains 'in_pub_v35_http_s2' and
'ACCEPT_LIMIT_100_s_100_REJECT' have been created before the statement
that fails?
Costa
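The two checks asked for in the reply, as an added shell example that is not part of this thread or of FireHOL itself: one helper flags `-j` targets that no earlier `-N` in the same table has created, the other replaces IP addresses with stable labels so the diff of the two 'debug' outputs can be posted. The sample dump is constructed; it assumes 'firehol debug' prints one iptables command per line, as in the COMMAND line of the error report.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: two helpers for the checks
# suggested above. Input is a 'firehol debug' dump, assumed to hold one
# iptables command per line, like the COMMAND in the error report.

# Constructed sample dump: the limit chain is appended to at line 3 but
# only created (-N) at line 4, which is what the reported error looks like.
SAMPLE='/sbin/iptables -t filter -N in_pub_v35_http_s2
/sbin/iptables -t filter -A in_pub_v35 -p tcp --dport 80 -s 192.168.47.10 -j in_pub_v35_http_s2
/sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT_LIMIT_100_s_100_REJECT
/sbin/iptables -t filter -N ACCEPT_LIMIT_100_s_100_REJECT
/sbin/iptables -t filter -A in_pub_v35_http_s2 -p tcp --dport 22 -j ACCEPT'

# Report every -A/-I rule whose -j target is a user chain that no earlier
# -N line in the same table has created. Built-in targets are skipped.
find_missing_chains() {
    awk 'BEGIN { split("ACCEPT DROP REJECT RETURN LOG", b, " "); for (k in b) builtin[b[k]] = 1 }
    {
        tbl = "filter"; act = ""; tgt = ""; created = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-t") tbl = $(i + 1)
            else if ($i == "-N") created = $(i + 1)
            else if ($i == "-A" || $i == "-I") act = $(i + 1)
            else if ($i == "-j") tgt = $(i + 1)
        }
        if (created != "") made[tbl "/" created] = NR
        else if (act != "" && tgt != "" && !(tgt in builtin) && !((tbl "/" tgt) in made))
            print NR ": " tgt " used before creation"
    }'
}

# Replace each distinct IPv4 address with a stable label (IP1, IP2, ...)
# so two debug dumps can be diffed and posted without real addresses.
scramble_ips() {
    awk '{
        out = ""
        while (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr($0, RSTART, RLENGTH)
            if (!(ip in id)) id[ip] = ++n
            out = out substr($0, 1, RSTART - 1) "IP" id[ip]
            $0 = substr($0, RSTART + RLENGTH)
        }
        print out $0
    }'
}
# Usage with the sample; with real dumps: diff old.txt new.txt | scramble_ips
printf '%s\n' "$SAMPLE" | find_missing_chains
printf '%s\n' "$SAMPLE" | scramble_ips
```

On the sample the first helper prints "3: ACCEPT_LIMIT_100_s_100_REJECT used before creation", which is the ordering problem the reply asks Marcel to look for.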