firewall: raise log rate limit for user generated rules, too

Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises the log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better to touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
peter.mueller@ipfire.org
2019-09-25 15:06:00 +00:00
committed by Arne Fitzenreiter
parent e60dde5f53
commit a85a7a60fc
3 changed files with 13 additions and 11 deletions
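To make the effect of the change concrete, the following Python is an added illustration (not IPFire code and not part of this commit) that models the netfilter `limit` match as a token bucket: `--limit` is the sustained refill rate and `--limit-burst` (iptables default 5 where the shell rules omit it, 2x the limit in rules.pl) is the bucket capacity. It assumes exactly those xt_limit semantics; the packet arrival times and the source names `flooder` and `probe` are constructed for the example. It also shows something the commit message only alludes to: because one rule has one bucket, a single flooding host exhausts the log budget and a second, quieter source behind the same LOG rule is never logged.

```python
"""Token-bucket model of the netfilter `limit` match (xt_limit), used to
compare the log rate limits touched by the commit above.

Added illustration, not IPFire code. xt_limit is a token bucket: `--limit`
is the sustained refill rate and `--limit-burst` (default 5) is the bucket
capacity; a packet matches (here: gets logged) only when a whole token is
available. Fractions keep the arithmetic exact, so counts are deterministic.
"""
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str) -> Fraction:
    """Parse an iptables rate like '10/minute', '10/second', '10/sec' or '10/s'
    into tokens per second. libxt_limit accepts any prefix of the unit name and
    defaults to per-second when no unit is given."""
    count, _, unit = spec.partition("/")
    unit = unit.lower() or "second"
    for name, seconds in UNIT_SECONDS.items():
        if name.startswith(unit):
            return Fraction(int(count), seconds)
    raise ValueError(f"unknown rate unit in {spec!r}")


class LimitMatch:
    """One `-m limit --limit RATE --limit-burst BURST` instance."""

    def __init__(self, limit: str, burst: int = 5):
        self.rate = parse_limit(limit)        # tokens per second
        self.burst = burst
        self.tokens = Fraction(burst)         # bucket starts full
        self.last = Fraction(0)

    def match(self, now: Fraction) -> bool:
        """Refill for the time elapsed since the last packet, then try to spend
        one token. Returns True when the packet would be logged."""
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def flood(pps: int, seconds: int, offset: Fraction = Fraction(0)):
    """Constructed packet arrival times: `pps` packets per second for
    `seconds` seconds, optionally shifted by `offset`."""
    return [Fraction(i, pps) + offset for i in range(pps * seconds)]


def logged_count(limit: str, burst: int, times) -> int:
    """How many of the packets with these arrival times a single LOG rule
    with this limit would actually log."""
    m = LimitMatch(limit, burst)
    return sum(m.match(t) for t in times)


def logged_per_source(limit: str, burst: int, sources: dict) -> dict:
    """Sources sharing one LOG rule: `-m limit` keeps one bucket per rule, not
    per source, so arrival order decides who gets logged. Returns the number
    of logged packets per source name."""
    m = LimitMatch(limit, burst)
    events = sorted((t, name) for name, ts in sources.items() for t in ts)
    counts = dict.fromkeys(sources, 0)
    for t, name in events:
        if m.match(t):
            counts[name] += 1
    return counts


if __name__ == "__main__":
    scan = flood(pps=100, seconds=60)   # 6000 packets hitting one policy chain
    print("10/minute, burst 5 (before):            ", logged_count("10/minute", 5, scan))
    print("10/second, burst 5 (firewall-policy now):", logged_count("10/second", 5, scan))
    print("10/second, burst 20 (rules.pl now):      ", logged_count("10/second", 20, scan))
    # A loud source can starve logging of a quiet one behind the same rule:
    # the probe sends 1 packet/s, offset 5 ms after the flooder's tick.
    mixed = {"flooder": scan,
             "probe": flood(pps=1, seconds=60, offset=Fraction(505, 1000))}
    print("per source, 10/second burst 5:", logged_per_source("10/second", 5, mixed))
```

For a 60 second scan at 100 packets per second the old setting logs 14 lines, the new shell-rule setting 604 and the new rules.pl setting 619; in the mixed run the flooder keeps all 604 slots and the probe is never logged, which is why a per-source limiter (`-m hashlimit --hashlimit-mode srcip`) is the usual answer when the log is meant as an audit trail rather than a disk-protection valve.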

usr/sbin/firewall-policy

@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -100,13 +100,13 @@ esac
case "${FWPOLICY2}" in
REJECT)
if [ "${DROPINPUT}" = "on" ]; then
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "REJECT_INPUT "
fi
iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
;;
*) # DROP
if [ "${DROPINPUT}" = "on" ]; then
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
iptables -A POLICYIN -m limit --limit 10/second -j LOG --log-prefix "DROP_INPUT "
fi
iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
;;
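Review bot: the LOG rules in this hunk (and the POLICYFWD/POLICYOUT ones below) set `--limit 10/second` without a `--limit-burst`, so iptables' default burst of 5 applies, whereas `make_log_limit_options` in rules.pl pairs the same rate with `--limit-burst` 2x the limit, i.e. 20; for the consistency the commit message aims at, either add `--limit-burst 20` here as well or move the rate into one variable so the eight copies of the literal stay in step. Also, the REJECT branch tags its rule `--comment "DROP_INPUT"` although it rejects rather than drops; "REJECT_INPUT" would match the log prefix on the line above it.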
@@ -118,13 +118,13 @@ case "${POLICY}" in
case "${FWPOLICY}" in
REJECT)
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "REJECT_FORWARD "
fi
iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
;;
*) # DROP
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
fi
iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
;;
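Review bot: `-m limit` keeps one token bucket per rule, not per source, so a single host flooding the forward policy chain at well above 10 packets per second consumes the whole budget and drops from every other source behind the same rule go unlogged; if these lines are meant as an audit trail rather than only as disk protection, `-m hashlimit --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-name fwd_policy` gives each source its own allowance. The REJECT branch has the same DROP_FORWARD comment on a REJECT rule as in the POLICYIN hunk.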
@@ -160,7 +160,7 @@ case "${POLICY}" in
fi
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
fi
iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
;;
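Review bot: this DROP rule is written `-m comment --comment "DROP_FORWARD" -j DROP` while the equivalent one in the hunk above is `-j DROP -m comment --comment "DROP_FORWARD"`; both load, but since the line next to it is being edited anyway, using one ordering throughout makes `iptables-save` output easier to diff between versions.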
@@ -172,13 +172,13 @@ case "${POLICY1}" in
case "${FWPOLICY1}" in
REJECT)
if [ "${DROPOUTGOING}" = "on" ]; then
iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "REJECT_OUTPUT "
fi
iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
;;
*) # DROP
if [ "${DROPOUTGOING}" == "on" ]; then
iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
iptables -A POLICYOUT -m limit --limit 10/second -j LOG --log-prefix "DROP_OUTPUT "
fi
iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
;;
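Review bot: `if [ "${DROPOUTGOING}" == "on" ]` in the DROP branch uses `==`, which the POSIX `[` command does not define (bash's builtin accepts it, dash's does not); every other test in this file uses `=`, so change it to `[ "${DROPOUTGOING}" = "on" ]` while the adjacent LOG line is being touched.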

usr/lib/firewall/rules.pl

@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -804,8 +804,8 @@ sub make_log_limit_options {
# Maybe we should get this from the configuration.
my $limit = 10;
# We limit log messages to $limit messages per minute.
push(@options, ("--limit", "$limit/min"));
# We limit log messages to $limit messages per second.
push(@options, ("--limit", "$limit/second"));
# And we allow bursts of 2x $limit.
push(@options, ("--limit-burst", $limit * 2));
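Review bot: the comment "Maybe we should get this from the configuration." still stands, and this change makes the hardcoded value matter more: with `my $limit = 10;` and `--limit-burst` at 2x, every user rule with logging enabled can now emit 20 lines at once and 10 per second sustained, and an administrator on the slow-disk setup the commit message mentions has no way to dial that back without editing rules.pl. Consider reading `$limit` from the firewall settings file with 10 as the default, and keeping the "per second" comment in sync with the unit if it changes again.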


@@ -1,6 +1,8 @@
etc/system-release
etc/issue
srv/web/ipfire/cgi-bin/credits.cgi
usr/lib/firewall/rules.pl
usr/sbin/firewall-policy
var/ipfire/langs
etc/logrotate.conf
srv/web/ipfire/cgi-bin/ovpnmain.cgi
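Review bot: adding `usr/lib/firewall/rules.pl` and `usr/sbin/firewall-policy` to the filelist ships the changed scripts, but nothing in this patch reloads the firewall after they are installed; unless the core update's update.sh regenerates the ruleset (not visible here), the loaded chains keep the 10/minute LOG rules until the next rule rebuild or reboot, and testers would not see the new limit immediately.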