On 10/06/2014 08:43 PM, Rufe Glick wrote:
>>> 2. In the *Action* description the very last line says "Also an action
>>> can be limited using the /limit tag/." What limit tag does the statement
>>> refer to?
>>
>> The limit tag is described in Log.
>
> The thing is that the 'limit tag' term is not used in the description of
> the Log element. Please use the 'limit tag' term in the description of
> the Log element at least once. For consistency it'll also be a good
> idea to include that extra option in the description of the Action
> element, like this:
>
> accept | reject [type="reject type"] | drop [limit value="rate/duration"]
>
> For me this raises another question. What does it mean to limit, say,
> an accept action to once a day? Does it mean that only one connection
> attempt a day will be let through the firewall and all other attempts
> be dropped? Will they be dropped with a drop action? How about the reject
> action (if once a day) -- will the first connection attempt be
> rejected with an ICMP message and all other attempts be dropped? And for
> the drop action rate limiting will not change anything then. Please
> clarify.
>
> Well, after some tests I see that what I suggested is not true. The
> 'limit tag' doesn't limit connection attempts. So what exactly does the
> limit tag do for the action? Please consider the following example and
> explain to me the functional difference:
>
> firewall-cmd --add-rich-rule='rule family=ipv4 service name=http accept limit value=1/m'
> firewall-cmd --add-rich-rule='rule family=ipv4 service name=http accept'
>
> The former one adds the following arguments to the iptables call:
>
> -m limit --limit 1/min
>
> iptables-extensions(8) says about the 'limit' module:
>
> This module matches at a limited rate using a token bucket filter.
> A rule using this extension will match until this limit is reached.
> It can be used in combination with the LOG target to give limited
> logging, for example.
I understand it the same way as you, i.e. that only one new connection
to http service would be allowed per minute.
Once the limit is reached it'd behave like there was no such rule.
What happens to other attempts depends on the zone's target so
by default (public zone) they should be rejected with icmp-host-prohibited.
If it does not work that way then we are both wrong or it's a bug.
--
Jiri
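A small model of the behaviour Jiri describes, added here as an illustration and not code from firewalld or iptables: the rich rule's `-m limit --limit 1/min` match is treated as an idealised token bucket with the iptables default burst of 5 (an assumption, since the thread does not mention `--limit-burst`), and a packet that finds no token falls through to the zone target, which for the public zone is a reject with icmp-host-prohibited. The arrival times are constructed.

```python
from dataclasses import dataclass, field

ZONE_TARGET = "REJECT icmp-host-prohibited"  # public zone default, per the thread


@dataclass
class LimitMatch:
    """Idealised iptables 'limit' match: a token bucket that starts full.

    rate_per_sec is the '--limit' rate (1/60 for '1/min'); burst is the
    bucket size, iptables' default '--limit-burst 5' (assumed here)."""
    rate_per_sec: float
    burst: int = 5
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, t: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate_per_sec)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0  # this packet matches and spends a token
            return True
        return False  # match fails; the packet goes on to the next rule


def evaluate_chain(arrival_times, limit: LimitMatch, zone_target: str = ZONE_TARGET):
    """Run each new-connection packet through the two-rule chain
    [rich rule: accept, limit 1/m] -> [zone target] and return the verdicts."""
    return ["ACCEPT" if limit.matches(t) else zone_target for t in arrival_times]


def sample_run():
    """Constructed sample: eight attempts in the first eight seconds,
    then one at 70 s and one at 75 s (times in seconds)."""
    arrivals = [0, 1, 2, 3, 4, 5, 6, 7, 70, 75]
    return list(zip(arrivals, evaluate_chain(arrivals, LimitMatch(rate_per_sec=1 / 60))))


if __name__ == "__main__":
    for t, verdict in sample_run():
        print(f"t={t:>3}s  {verdict}")
```

With the default burst the first five attempts are accepted, the next three fall through to the zone target, and one more token has accumulated by t=70 s; a burst of 1 gives the strict "one per minute" reading.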