ConfigServer Community Forum

Hi,
there is an issue with CONNLIMIT and PS_LIMIT.

I have set:
CONNLIMIT = 80;20,2095;10

and under PORT SCAN TRACKING:
PS_LIMIT = 10

But blocks for CONNLIMIT are done at 10 and not at 20 on port 80 as specified, this is what LFD reports:

Time: Mon Apr 21 12:12:15 2014 -0500
IP: xx.xx.xx.xx (xx)
Hits: 11
Blocked: Temporary Block

Sample of block hits:
Apr 21 12:11:58 server1 kernel: Firewall: *ConnLimit* IN=eth1 OUT= MAC=xx.xx.xx.xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=48773 PROTO=TCP SPT=15761 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 21 12:11:58 server1 kernel: Firewall: *ConnLimit* IN=eth1 OUT= MAC=xx.xx.xx.xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=48773 PROTO=TCP SPT=15761 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 21 12:11:59 server1 kernel: Firewall: *ConnLimit* IN=eth1 OUT= MAC=xx.xx.xx.xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=48773 PROTO=TCP SPT=15761 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

and so on...

Regards,

Sergio

That is to be expected. You should remove port 80 from PS_PORTS if you do not want CONNLIMIT triggers to affect PS_LIMIT.

Thanks for answering back, just a doubt?

Why is marked as *ConnLimit* instead of *TCP_IN Blocked*?

This is a regular PORT SCAN block:
Apr 21 12:04:39 atitlan kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=xx.xx.xx.xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=14655 DF PROTO=TCP SPT=34784 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

I have set the following:
PS_PORTS = 0:79,81:65535,ICMP

That is because CONNLIMIT entries are only made in iptables after the limit has been reached. So you're seeing the 20 CONNLIMIT connection limit being exceeded 10 times which is why PS_LIMIT was being triggered.

got it!

Thanks for explaining.

Regards,

Sergio