>> 2. In the *Action* description the very last line says "Also an action
>> can be limited using the /limit tag/." What limit tag does the statement
>> refer to?
>
> The limit tag is described in Log.
The thing is that the 'limit tag' term is not used in the description of the Log element. Please use the 'limit tag' term in the description of the Log element at least once. For consistency it'll also be a good idea to include that extra option in the description of the Action element, like this:

    accept | reject [type="reject type"] | drop [limit value="rate/duration"]

For me this raises another question. What does it mean to limit, say, an accept action to once a day? Does it mean that only one connection attempt a day will be let through the firewall and all other attempts be dropped? Will they be dropped with a drop action? How about the reject action (if once a day) -- will the first connection attempt be rejected with an ICMP message and all other attempts be dropped? And for the drop action rate limiting will not change anything then. Please clarify.

Well, after some tests I see that what I suggested is not true. The 'limit tag' doesn't limit connection attempts. So what exactly does the limit tag do for the action? Please consider the following example and explain to me the functional difference:

    firewall-cmd --add-rich-rule='rule family=ipv4 service name=http accept limit value=1/m'
    firewall-cmd --add-rich-rule='rule family=ipv4 service name=http accept'
Thank you, Rufe
On 10/06/2014 08:43 PM, Rufe Glick wrote:
> >> 2. In the *Action* description the very last line says "Also an action
> >> can be limited using the /limit tag/." What limit tag does the statement
> >> refer to?
> >
> > The limit tag is described in Log.
>
> The thing is that the 'limit tag' term is not used in the description of the Log element. Please use the 'limit tag' term in the description of the Log element at least once. For consistency it'll also be a good idea to include that extra option in the description of the Action element, like this:
>
>     accept | reject [type="reject type"] | drop [limit value="rate/duration"]
>
> For me this raises another question. What does it mean to limit, say, an accept action to once a day? Does it mean that only one connection attempt a day will be let through the firewall and all other attempts be dropped? Will they be dropped with a drop action? How about the reject action (if once a day) -- will the first connection attempt be rejected with an ICMP message and all other attempts be dropped? And for the drop action rate limiting will not change anything then. Please clarify.
>
> Well, after some tests I see that what I suggested is not true. The 'limit tag' doesn't limit connection attempts. So what exactly does the limit tag do for the action? Please consider the following example and explain to me the functional difference:
>
>     firewall-cmd --add-rich-rule='rule family=ipv4 service name=http accept limit value=1/m'
>     firewall-cmd --add-rich-rule='rule family=ipv4 service name=http accept'
The former one adds the following arguments to the iptables call:

    -m limit --limit 1/min

iptables-extensions(8) says about the 'limit' module: "This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example."
I understand it the same way as you, i.e. that only one new connection to http service would be allowed per minute. Once the limit is reached it'd behave like there was no such rule. What happens to other attempts depends on the zone's target so by default (public zone) they should be rejected with icmp-host-prohibited.
If it does not work that way then we are both wrong or it's a bug.
-- Jiri
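The token-bucket behaviour Jiri describes, as an added example that is not part of the thread and not firewalld or iptables code. It assumes the iptables default burst of 5 tokens, a continuous refill at the configured rate, that each new connection attempt is one packet reaching the rich rule, and that a non-matching packet falls through to the zone target (reject with icmp-host-prohibited in the default public zone).

```python
"""Model of what `accept limit value=1/m` does in a firewalld rich rule.

Added example, not firewalld or iptables code. The iptables 'limit' match
is modelled as a token bucket: a packet matches the rule while a token is
available; otherwise the rule simply does not match and the packet reaches
the zone's target instead. The iptables default burst (5) is assumed.
"""

RATE_SECONDS = {"s": 1.0, "m": 60.0, "h": 3600.0, "d": 86400.0}


def parse_rate(value: str) -> float:
    """'1/m' -> seconds per token (60.0); '3/h' -> 1200.0."""
    count, unit = value.split("/")
    return RATE_SECONDS[unit[0]] / int(count)


class TokenBucketLimit:
    def __init__(self, seconds_per_token: float, burst: int = 5):
        self.seconds_per_token = seconds_per_token
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full (assumed, as in iptables)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # refill proportionally to elapsed time, never above the burst size
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed / self.seconds_per_token)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def decide(arrivals, limit_value=None, zone_target="REJECT icmp-host-prohibited"):
    """Decision for each new connection attempt (arrival times in seconds)."""
    bucket = TokenBucketLimit(parse_rate(limit_value)) if limit_value else None
    decisions = []
    for t in arrivals:
        if bucket is None or bucket.matches(t):
            decisions.append("ACCEPT")          # the rich rule matched
        else:
            decisions.append(zone_target)       # rule did not match: zone target applies
    return decisions


if __name__ == "__main__":
    # constructed sample: nine new HTTP connection attempts within ~2 minutes
    attempts = [0, 1, 2, 3, 4, 5, 6, 70, 130]
    print("with limit:   ", decide(attempts, "1/m"))
    print("without limit:", decide(attempts))
```

With `limit value=1/m` the first five attempts (the burst) are accepted, the next two hit the zone target, and one further attempt is accepted per minute thereafter; the rule without `limit` accepts all nine.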
firewalld-users@lists.fedorahosted.org