Quico/update-firewall-source
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

docs(xml): Give detailed example on how a hitcount rule manifests in ip(6)tables

Browse Source
This commit is contained in:
hygienic-books 2022-07-16 02:21:14 +02:00
parent 262e11ba7c
commit 62f44939d8
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
README.md
View File

@ -278,6 +278,21 @@ A custom `[section]` has the following options. We're calling them locals most o
Adding a `hitcount` will automatically add 2 `ip(6)tables` rules right before the actual rules. Rules follow the [iptables "recent" extension](https://ipset.netfilter.org/iptables-extensions.man.html#lbBW). The first rule does `--update`, the second one does `--set` followed by the rule you specified. Adding a `hitcount` will automatically add 2 `ip(6)tables` rules right before the actual rules. Rules follow the [iptables "recent" extension](https://ipset.netfilter.org/iptables-extensions.man.html#lbBW). The first rule does `--update`, the second one does `--set` followed by the rule you specified.
Given config section:
```
[anyone-may-access-mail-services]
ports = 143, 993, 110, 995, 25, 465, 587
hitcount = 120/60
```
UFS generates rules:
```
target prot opt in out source destination
DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995,25,465,587 recent: UPDATE seconds: 60 hit_count: 120 name: anyone-may-access-mail-services side: source mask: 255.255.255.255
tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995,25,465,587 recent: SET name: anyone-may-access-mail-services side: source mask: 255.255.255.255
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 143,993,110,995,25,465,587 /* anyone-may-access-mail-services */
```
Where the first `DROP` target will drop packets that have exceeded their hit count; the second `recent: SET` simply marks all matching packets to be added into the hitcount bucket and the third on is the actual `ACCEPT` rule permitting access **_if_** a source's hitcount permits it.
* `do_ipv6`, __*optional*__, defaults to `false`: Decide if you want `firewalld` to generate `ip6tables` rules in addition to `iptables` rules. A default install of Docker Engine will have its IPv6 support disabled in `/etc/docker/daemon.json`. You may still want your machine to handle incoming IPv6 traffic. If your machine truly doesn't use IPv6 feel free to leave this at `false`. Otherwise `update-firewall-source.py` generates unused rules that clutter your rule set. * `do_ipv6`, __*optional*__, defaults to `false`: Decide if you want `firewalld` to generate `ip6tables` rules in addition to `iptables` rules. A default install of Docker Engine will have its IPv6 support disabled in `/etc/docker/daemon.json`. You may still want your machine to handle incoming IPv6 traffic. If your machine truly doesn't use IPv6 feel free to leave this at `false`. Otherwise `update-firewall-source.py` generates unused rules that clutter your rule set.
If this is `true` IPv6 addresses found or resolved in `addr` in a `[section]` will be discarded. If this is `true` IPv6 addresses found or resolved in `addr` in a `[section]` will be discarded.