I tried the rich rule:

firewall-cmd --permanent --add-rich-rule='rule service name="ssh" log prefix="PREFIX-SSH-PORT" level="info" limit value="6/m" accept limit value="3/m"'

This is to limit access to the ssh service from one source to 3 per minute, but allow 6 log lines per minute to syslog. However, this does not limit access to 3 per minute; in fact I experience unlimited access and only limited, more than 6, log lines in the log.
On Fri, Aug 23, 2019 at 03:46:47PM -0000, Freek de Kruijf wrote:
> I tried the rich rule:
>
> firewall-cmd --permanent --add-rich-rule='rule service name="ssh" log prefix="PREFIX-SSH-PORT" level="info" limit value="6/m" accept limit value="3/m"'
>
> This is to limit access to the ssh service from one source to 3 per minute, but allow 6 log lines per minute to syslog. However, this does not limit access to 3 per minute; in fact I experience unlimited access and only limited, more than 6, log lines in the log.
You'll need to use two rules.
firewall-cmd --permanent --add-rich-rule='rule service name="ssh" log prefix="PREFIX-SSH-PORT" level="info" limit value="6/m"'

firewall-cmd --permanent --add-rich-rule='rule service name="ssh" accept limit value="3/m"'
Just to be more precise, there needs to be a space after the text in prefix=, so "PREFIX-SSH-PORT ". In iptables this should result in "... --log-prefix "PREFIX-SSH-PORT " ..."; note the space after PORT. Otherwise the elements in the syslog text are not separated by spaces. You may need to use the newest version of firewall-cmd for this to work this way. See issue #481 in firewalld on github.
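The two-rule form from the reply, with the trailing space in the log prefix, as an added shell example (not from the thread or the firewalld project): it applies each rich rule only if not already present, then greps the live ruleset for the prefix so the trailing space can be confirmed. The chain-free `iptables -S` / `nft list ruleset` rendering of the prefix is an assumption; the rule strings and the 6/m log, 3/m accept limits are the thread's own.

```shell
#!/bin/sh
# Added example: split the combined rule into a log rule and an accept rule.
# The original single rule (log ... accept ...) did not limit accepts to 3/m.
#   rule service name="ssh" log prefix="PREFIX-SSH-PORT" level="info" limit value="6/m" accept limit value="3/m"

# Print the two rich rules, one per line. Note the trailing space in prefix=.
ssh_rich_rules() {
  printf '%s\n' \
    'rule service name="ssh" log prefix="PREFIX-SSH-PORT " level="info" limit value="6/m"' \
    'rule service name="ssh" accept limit value="3/m"'
}

# Add each rule to the permanent config if it is not already there, then reload.
# Must be run as root on a host with firewalld.
apply_ssh_rich_rules() {
  ssh_rich_rules | while IFS= read -r rule; do
    if firewall-cmd --permanent --query-rich-rule="$rule" >/dev/null 2>&1; then
      echo "already present: $rule"
    else
      firewall-cmd --permanent --add-rich-rule="$rule"
    fi
  done
  firewall-cmd --reload
}

# Check the kernel-level rule (iptables or nftables backend) for the prefix
# followed by a space and the closing quote. Returns 1 if the space was lost
# (the symptom discussed in firewalld issue #481). Rendering assumed.
verify_log_prefix() {
  { iptables -S 2>/dev/null; nft list ruleset 2>/dev/null; } \
    | grep -Fq 'PREFIX-SSH-PORT "'
}
```

Run `apply_ssh_rich_rules && verify_log_prefix` as root; a non-zero exit from the verify step means the prefix reached the kernel without its trailing space.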
firewalld-users@lists.fedorahosted.org