debops / ansible-ferm

Manage iptables firewall using ferm
GNU General Public License v3.0
32 stars 20 forks

Fix for accept template. Fix hashlimit default #110

Closed Ray76 closed 7 years ago

Ray76 commented 7 years ago

Destination rules are now created with the accept template. The hashlimit default leads to an error on most recent versions, tested with Debian Stretch, recent iptables (v1.6.0)/kernel (4.9.2-2). This leads to ferm failing with the dmesg message: overflow, try lower: 25000/20. See http://lxr.free-electrons.com/source/net/netfilter/xt_hashlimit.c.

Sorry for the duplicate commit message; the second one should be: fixed default, breaks with recent iptables (v1.6.0)/kernel (4.9.2-2). Error: xt_hashlimit: overflow, try lower: 25000/20

drybjed commented 7 years ago

Sounds good for the daddr parameter.

Can you explain your hashlimit change? From what you quote it would seem that the value of 20 should be fine on Stretch? I haven't tested the role yet on newest release.

Ray76 commented 7 years ago

From what I read here http://www.iptables.info/en/iptables-matches.html#HASHLIMITMATCH section --hashlimit-burst, it says "This match is the same as the --limit-burst in that it sets the maximum size of the bucket. Each bucket will have a burst limit, which is the maximum amount of packets that can be matched during a single time unit. For an example on how a token bucket works, take a look at the Limit match."

Meaning it would not make sense to have the burst smaller than the average fill of the bucket, at least that's how I understand it. I have the default setting running on some hosts without a problem; I experienced the failure on the recent box only. So I'm guessing maybe they changed the behaviour, or they check for sanity now.
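The token-bucket semantics of `--hashlimit-upto`/`--hashlimit-burst` that the comment above reasons about, as an added Python model. This is illustration code, not code from this PR, from ferm, or from the kernel's xt_hashlimit; the 40 packets/second rate and the packet arrival times are constructed values for the example, not values taken from the thread. The model shows why burst is the bucket capacity: it caps how many packets can pass at once, while the rate governs the long-run average, so a burst of 20 at 40/s admits 20 packets instantly and then refills, whereas a burst of 50 lets a 30-packet spike through untouched.

```python
"""Token-bucket model of iptables hashlimit rate/burst (added example)."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Bucket with `burst` capacity, refilled at `rate` tokens per second.

    rate  ~ --hashlimit-upto N/second (average allowed rate)
    burst ~ --hashlimit-burst        (maximum bucket size, starts full)
    """
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # A bucket that can never hold a whole token could never match anything.
        if self.burst < 1:
            raise ValueError("burst must be at least 1")
        if self.rate <= 0:
            raise ValueError("rate must be positive")
        self.tokens = float(self.burst)  # iptables starts with a full bucket

    def allow(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` (seconds) passes."""
        elapsed = max(0.0, now - self.last)
        # Refill proportionally to elapsed time, never above the burst cap.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate: float, burst: int, arrivals: list[float]) -> list[bool]:
    """Run one bucket over a sorted list of packet arrival times."""
    bucket = TokenBucket(rate, burst)
    return [bucket.allow(t) for t in arrivals]


def accepted(rate: float, burst: int, arrivals: list[float]) -> int:
    """Number of packets the hashlimit match would let through."""
    return simulate(rate, burst, arrivals).count(True)


if __name__ == "__main__":
    # Constructed traffic: 30 SYNs in the same instant, then 30 more a second later.
    spike = [0.0] * 30 + [1.0] * 30
    print("rate 40/s, burst 20:", accepted(40, 20, spike), "of", len(spike))
    print("rate 40/s, burst 50:", accepted(40, 50, spike), "of", len(spike))
```

With burst 20 only 20 of each 30-packet spike pass (the bucket refills to its cap of 20 during the one-second gap, not to 40), while with burst 50 every packet passes. The rate alone never lets a spike through; only the burst does, which is the trade-off behind choosing 20 versus 50 for the SYN limit.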

Ray76 commented 7 years ago

We could also set it to 50 to allow a burst, but I thought you'd better decide that :)

On 07.02.2017 19:56, "Maciej Delmanowski" notifications@github.com wrote:

@drybjed approved this pull request.

Very well, let's go with this syn burst change. I imagine that this might be fine tuned in the future if needed.
