Conlimit add-on BETA available for download!!! [INACTIVE]

BrazilFW 2.x help discussions in English.

Conlimit add-on BETA available for download!!!

Post by nachazo » Wed May 03, 2006 1:09 pm

Hi everyone, I'm proud to announce the conlimit add-on beta 4.

Here is the link:

http://www.ladelbarrio.com.ar/nachazo/c ... nlimit.tgz

In this beta I made a nice web interface, and Esteban helped me translate the config file.....

Please post your questions here...

To install, just copy the add-on to the floppy and reboot your BrazilFW...

You need the advanced route package for it to work properly...

Regards!!!
Last edited by nachazo on Thu May 18, 2006 11:57 pm, edited 1 time in total.
nachazo
 

Post by babayaga » Thu May 04, 2006 1:35 pm

Hi,
I added it and put in one rule to test.
First I tried this:

conlimit 300 192.168.0.10 0.0.0.0 #
conlimit 300 0.0.0.0 192.168.0.10 #
filter_protocol edonkey #
filter_protocol bittorrent #

I've noticed that from time to time, when I check current connections, it shows 2000-3000 connections for 192.168.0.10 for a moment.

After that I tried this:

simple_conlimit 300 0.0.0.0 192.168.0.10 1000:65535
simple_conlimit 300 192.168.0.10 0.0.0.0 1000:65535

but no difference.

It actually works but I can't explain this :roll:
babayaga
 

Post by nachazo » Thu May 04, 2006 6:37 pm

Hi babayaga!!!

Ensure that you have the advanced routing package and l7filter...

Ensure too that you have the latest l7filter... because some l7filter packages have pattern errors and don't match edonkey and bittorrent traffic....

Lastly...

check the following:

diagnostic tools > Active Firewall Rules - mangle

then check this:

Code:
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
Subnet_qos  all  --  0.0.0.0/0            0.0.0.0/0           
l7-filter  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       tcp  --  192.168.1.64         0.0.0.0             MARK match 0x100 #conn/32 > 300
DROP       tcp  --  0.0.0.0              192.168.1.64        MARK match 0x100 #conn/32 > 300


and this:

Code:
Chain l7-filter (1 references)

MARK       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto edonkey MARK set 0x100
MARK       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto bittorent MARK set 0x100


Something more:

If you reload qos, the conlimit rules will be erased....

And don't forget to start the script...


For simple conlimit it should work too... try this...

Code:
simple_conlimit 5 0.0.0.0  192.168.0.10 1:65535
simple_conlimit 5 192.168.0.10  0.0.0.0 1:65535


Try surfing the web, opening MSN and an edonkey client.... tell me what happens..

regards.

PS: please tell me what happens...
nachazo
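The mapping nachazo describes above (a "conlimit" line becomes a DROP rule in mangle POSTROUTING that matches the 0x100 mark set by the l7-filter chain, a "simple_conlimit" line becomes a DROP rule on a destination port range, both shown as "#conn/32 > N") written out as a dry-run generator. This is an added example, not the add-on's own script: it prints the iptables commands instead of running them, so a rule set can be reviewed before it is applied. One choice it makes deliberately: for an address of 0.0.0.0 it emits no -s/-d match at all, because "-d 0.0.0.0" means the single host 0.0.0.0/32 (which "iptables -n" prints as a bare 0.0.0.0, while "any" prints as 0.0.0.0/0) and a rule with that match never hits a packet. The sample config is constructed.

```shell
#!/bin/sh
# Added example, not the conlimit add-on's own script: a dry-run generator
# that turns conlimit-style config lines into the iptables connlimit rules
# the thread shows in the mangle POSTROUTING chain. Assumed from the listings
# in the thread: filtered rules match the 0x100 mark set by the l7-filter
# chain, simple rules match a destination port range, and the limit is per
# source address (connlimit-mask 32).

# Constructed sample config in the add-on's own syntax.
SAMPLE_CONFIG='conlimit 300 192.168.0.10 0.0.0.0 #
conlimit 300 0.0.0.0 192.168.0.10 #
simple_conlimit 500 0.0.0.0 0.0.0.0 64000:65535
simple_conlimit 100 0.0.0.0 192.168.1.48 4662 #'

# addr_match FLAG ADDR: emit " -s ADDR" / " -d ADDR", or nothing for "any".
# A literal "-d 0.0.0.0" is the single host 0.0.0.0/32 (iptables -n prints it
# as a bare 0.0.0.0) and never matches; "any" is 0.0.0.0/0 or no match at all.
addr_match() {
    case "$2" in
        0.0.0.0|0.0.0.0/0) ;;
        *) printf ' %s %s' "$1" "$2" ;;
    esac
}

# gen_rules: read config lines on stdin, print one iptables command per line.
# Returns non-zero on an unknown keyword or a simple rule without ports.
gen_rules() {
    while read -r kind limit src dst rest; do
        case "$kind" in ''|'#'*) continue ;; esac      # blank line or comment
        ports=${rest%%#*}                               # drop the trailing '#' marker
        ports=$(printf '%s' "$ports" | sed 's/[[:space:]]*$//')
        addrs="$(addr_match -s "$src")$(addr_match -d "$dst")"
        case "$kind" in
            conlimit)
                printf 'iptables -t mangle -A POSTROUTING -p tcp%s -m mark --mark 0x100 -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' \
                    "$addrs" "$limit" ;;
            simple_conlimit)
                if [ -z "$ports" ]; then
                    echo "simple_conlimit needs a port or port range: $kind $limit $src $dst" >&2
                    return 1
                fi
                printf 'iptables -t mangle -A POSTROUTING -p tcp%s --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' \
                    "$addrs" "$ports" "$limit" ;;
            *)
                echo "unknown keyword: $kind" >&2
                return 1 ;;
        esac
    done
}

# Dry run: print the rules the sample config would install.
printf '%s\n' "$SAMPLE_CONFIG" | gen_rules
```

To apply the output on a box, pipe it into sh only after reading it; the point of the dry run is that the rule list is reviewed first, which also makes a doubled rule set (the problem discussed further down the thread) obvious before it is loaded.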
 

Post by babayaga » Thu May 04, 2006 6:46 pm

I've added the latest packages from the BFW 2.28 installation files.

This is with simple conlimit:
Code:
Chain POSTROUTING (policy ACCEPT 18M packets, 8287M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  18M 8287M Subnet_qos  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  18M 8287M l7-filter  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       192.168.0.10         0.0.0.0             MARK match 0x100 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.10        MARK match 0x100 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       192.168.0.10         0.0.0.0             MARK match 0x100 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.10        MARK match 0x100 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.10        tcp dpts:1000:65535 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       192.168.0.10         0.0.0.0             tcp dpts:1000:65535 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.10        tcp dpts:1000:65535 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       192.168.0.10         0.0.0.0             tcp dpts:1000:65535 #conn/32 > 300

Later, after more testing, I'll write again :)
babayaga
 

Post by nachazo » Thu May 04, 2006 7:11 pm

Here I'm seeing some trouble....

You have replicated the same rules each time....

you need to reboot, then apply conlimit...

you should have only 4 rules...

0 0 DROP tcp -- * * 192.168.0.10 0.0.0.0 MARK match 0x100 #conn/32 > 300
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.10 MARK match 0x100 #conn/32 > 300
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.10 tcp dpts:1000:65535 #conn/32 > 300
0 0 DROP tcp -- * * 192.168.0.10 0.0.0.0 tcp dpts:1000:65535 #conn/32 > 300

if you have more than 4 you made an accidental mistake...

please reboot the BFW and start the script...

and try what happens with fewer connections...

regards....
nachazo
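A check for what nachazo asks babayaga to look at: the POSTROUTING chain should hold exactly the expected rules, and the same rule appearing more than once means conlimit was started on top of rules that a qos reload did not clear. The script below, an added example that is not part of the add-on, audits a saved "iptables -t mangle -L POSTROUTING -nv" listing (the one babayaga posted above, embedded here as a constructed sample) for duplicated rule specifications. It also flags rules whose source or destination is the bare host 0.0.0.0: "iptables -n" prints 0.0.0.0/0 for "any address" and a bare 0.0.0.0 for the single host 0.0.0.0/32, and a rule with that match can never hit a packet, which is one reason a DROP counter would stay at zero.

```shell
#!/bin/sh
# Added example, not part of the conlimit add-on: audit a saved
# "iptables -t mangle -L POSTROUTING -nv" listing for duplicated rules and
# for rules that match the literal host 0.0.0.0 (never matches anything).

# Constructed sample: the listing babayaga posted, counters as shown.
LISTING='Chain POSTROUTING (policy ACCEPT 18M packets, 8287M bytes)
 pkts bytes target     prot opt in     out     source               destination
  18M 8287M Subnet_qos  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  18M 8287M l7-filter  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       192.168.0.10         0.0.0.0             MARK match 0x100 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.10        MARK match 0x100 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       192.168.0.10         0.0.0.0             MARK match 0x100 #conn/32 > 300
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.10        MARK match 0x100 #conn/32 > 300'

# rule_specs: strip the chain header, the column header and the pkts/bytes
# counters, and collapse whitespace, leaving one normalised rule per line:
#   target prot opt in out source destination [match text]
rule_specs() {
    awk '/^Chain /{next} /^ *pkts /{next} NF{ $1=""; $2=""; sub(/^ +/, ""); print }'
}

# duplicate_specs: rules that are installed more than once (each printed once).
duplicate_specs() { rule_specs | sort | uniq -d; }

# dead_host_specs: rules whose source ($6) or destination ($7) is the literal
# host 0.0.0.0, i.e. 0.0.0.0/32, which no packet ever carries.
dead_host_specs() { rule_specs | awk '$6 == "0.0.0.0" || $7 == "0.0.0.0"'; }

# count_lines: number of non-empty lines on stdin.
count_lines() { awk 'NF { n++ } END { print n + 0 }'; }

# audit: human-readable summary of both checks for a listing on stdin.
audit() {
    listing=$(cat)
    dups=$(printf '%s\n' "$listing" | duplicate_specs)
    dead=$(printf '%s\n' "$listing" | dead_host_specs)
    printf 'rules in chain: %s\n' "$(printf '%s\n' "$listing" | rule_specs | count_lines)"
    printf 'duplicate rule specs: %s\n' "$(printf '%s\n' "$dups" | count_lines)"
    printf '%s\n' "$dups" | sed '/./s/^/  /'
    printf 'rules matching host 0.0.0.0 (never match): %s\n' "$(printf '%s\n' "$dead" | count_lines)"
    printf '%s\n' "$dead" | sed '/./s/^/  /'
}

printf '%s\n' "$LISTING" | audit
```

On a live box, replace the sample with "iptables -t mangle -L POSTROUTING -nv | audit". The duplicate check is exactly "reboot, then apply conlimit once" turned into something that can be verified rather than assumed.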
 

Post by nachazo » Thu May 04, 2006 7:33 pm

Another tip....

Please refer to the client PC where you run edonkey or emule... because the connection check link is only for reference...

this script does not show the connections in real time...

For example....

for edonkey I have 160 connections.... but the show con script says I have 569 :shock:

Regards...
nachazo
 

Post by babayaga » Thu May 04, 2006 7:34 pm

When I reboot I have only 2 rules:

0 0 DROP tcp -- * * 0.0.0.0 192.168.0.10 tcp dpts:1000:65535 #conn/32 > 300
0 0 DROP tcp -- * * 192.168.0.10 0.0.0.0 tcp dpts:1000:65535 #conn/32 > 300

nachazo wrote:Here I'm seeing some trouble....

You have replicated the same rules each time....

This is happening when I reload QoS and then start conlimit.

Now I say "Good night" because it's 1:30 am :lol:
babayaga
 

Post by madoxx » Mon May 08, 2006 2:57 pm

hm.. what is that?

Stoping conlimit: Configuring ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Bad rule (does a matching rule exist in that chain?)
iptables: Bad rule (does a matching rule exist in that chain?)
madoxx
 

Post by nachazo » Mon May 08, 2006 3:04 pm

If you don't have a rule in your system....

When you press stop... BrazilFW shows an error message....

because BrazilFW is trying to delete a rule that does not exist...

Don't worry, it isn't a problem....

regards.
nachazo
 

Post by eddy » Tue May 09, 2006 8:59 pm

I saw that the connlimit package from nachazo works only when I write the IP address/subnet, e.g. 192.168.10.1/32, not only 192.168.10.1, or for all IP addresses 0.0.0.0/0, not only 0.0.0.0.
Another problem is that connlimit stops if a "reload firewall" command is given.
eddy
 

Post by babayaga » Wed May 10, 2006 11:43 am

eddy wrote:I saw that the connlimit package from nachazo works only when I write the IP address/subnet, e.g. 192.168.10.1/32, not only 192.168.10.1, or for all IP addresses 0.0.0.0/0, not only 0.0.0.0.
Another problem is that connlimit stops if a "reload firewall" command is given.

Yes, you are right, but I think it's only for simple connlimit. Filtered conlimit works fine without a mask.
And there is another problem - for example I add a simple rule for ftp:
Simple Conlimit 1 192.168.0.11/32 0.0.0.0/0 21
Simple Conlimit 1 0.0.0.0/0 192.168.0.11/32 21
I started an ftp download from a server and I can't run a second download. That's good. But when I close the connection I still can't establish another connection, maybe until it's closed from the BFW.
babayaga
 

Post by nachazo » Wed May 10, 2006 2:15 pm

eddy wrote:Another problem is that connlimit stops if a "reload firewall" command is given.


No, when you reload the firewall the rules remain intact...

The problem comes when you reload qos...

Because a qos reload flushes the whole mangle table.... And the conlimit rules are in the mangle table...

maybe in the future I will put out a patch for this situation...

For simple conlimit I will test the rules again...

babayaga wrote:I started an ftp download from a server and I can't run a second download. That's good. But when I close the connection I still can't establish another connection, maybe until it's closed from the BFW.


I think that is the Linux kernel's fault.... Maybe you can increase the number of connections...

Thanks for your post, you are helping a lot.

Regards.
nachazo
 

Post by babayaga » Wed May 10, 2006 3:14 pm

nachazo wrote:Maybe you can increase the number of connections...

I added only 1 connection, only for the test :wink:
babayaga
 

Post by nachazo » Sun May 14, 2006 12:32 am

The previous message was lost in the disk failure....

Eddy says:

when you reload the firewall all rules in the l7filter chain disappear...

then filtered conlimit rules don't work properly....

I say:

I will fix it for beta 5...

regards.
nachazo
 

Post by eddy » Sun May 14, 2006 11:17 am

Thank you, nachazo
eddy
 

Post by nachazo » Thu May 18, 2006 11:59 pm

New beta 5

http://www.ladelbarrio.com.ar/nachazo/c ... nlimit.tgz

please test it

and send me opinions, bugs, questions....

You are welcome to post...

Regards.
nachazo
 

Post by madoxx » Fri May 19, 2006 10:58 am

does this auto-update, or maybe I must remove beta4?
madoxx
 

Post by nachazo » Fri May 19, 2006 2:17 pm

Take care of the config file....

save all conlimit rules to your computer.... delete the previous version.... and install the new one....

Then paste the conlimit rules from your previous config file...

Regards.
nachazo
 

Post by eddy » Sat May 20, 2006 7:34 am

Hi nachazo,

There is a problem with connlimit beta 5.

Look at this, in beta 4 firewall - mangle:

Chain POSTROUTING (policy ACCEPT 425 packets, 124K bytes)
pkts bytes target prot opt in out source destination
425 124K Subnet_qos all -- * * 0.0.0.0/0 0.0.0.0/0
425 124K l7-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 192.168.1.64 0.0.0.0 MARK match 0x100 #conn/32 > 300
0 0 DROP tcp -- * * 0.0.0.0 192.168.1.64 MARK match 0x100 #conn/32 > 300

Chain l7-filter (1 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto edonkey MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto directconnect MARK set 0x100


in beta 5 firewall - mangle:

Chain POSTROUTING (policy ACCEPT 350 packets, 105K bytes)
pkts bytes target prot opt in out source destination
350 105K Subnet_qos all -- * * 0.0.0.0/0 0.0.0.0/0
350 105K l7-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 192.168.1.64 0.0.0.0 MARK match 0x100 #conn/32 > 300
0 0 DROP tcp -- * * 0.0.0.0 192.168.1.64 MARK match 0x100 #conn/32 > 300
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto edonkey MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto directconnect MARK set 0x100
0 0 DROP tcp -- * * 192.168.1.0/24 0.0.0.0 tcp dpt:64000 #conn/32 > 200

Chain l7-filter (1 references)
pkts bytes target prot opt in out source destination

You can see that the instructions from chain l7-filter go into chain POSTROUTING in beta 5, and the filtering does not work.

Regards.
eddy
 

Post by nachazo » Sat May 20, 2006 9:08 pm

Ok...

But filtering works perfectly in the POSTROUTING chain.....

If you visit the l7filter page you can see that the author recommends the POSTROUTING CHAIN.... the L7-FILTER CHAIN is a chain that BrazilFW creates artificially... you can see that the POSTROUTING CHAIN REDIRECTS ALL TRAFFIC to the L7FILTER CHAIN.

This happens because when you reload the firewall it needs to flush the mangle table... if you flush the POSTROUTING CHAIN when you reload the firewall, your QOS rules will be deleted....

With this modification I preserve the rules when you reload the firewall...

In beta 6 it's possible that I create a CHAIN for CONLIMIT, but it is in test now...

I FOUND A BUG!

don't use the simple port option in filter conlimit rules, it doesn't work...

Use por_dest and port_source....

Another tip: simple conlimit doesn't work if you put a netmask...
I did a few tests and the results are conclusive... only put the IP without a netmask....

Regards.
nachazo
 

Post by madoxx » Sun May 21, 2006 2:22 pm

for me it doesn't work, how do I check if I have the advanced routing package? and if I don't have it, where can I download it?
madoxx
 

Post by nachazo » Sun May 21, 2006 5:31 pm

The advanced route package is in the Windows wizard.

beta 5 has 2 bugs... I will fix the problem this week

Regards.
nachazo
 

Post by Eduardo » Fri Jun 02, 2006 4:15 pm

I didn't understand very well how it works.. I put some rules in the configuration file and I don't know if it's working.. where can I see in emule the number of connections I'm using?

Can you tell me if it's working?

=========================================

conlimit 10 192.168.0.3 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.3 #
conlimit 10 192.168.0.4 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.4 #
conlimit 10 192.168.0.5 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.5 #
conlimit 10 192.168.0.6 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.6 #
conlimit 10 192.168.0.7 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.7 #
conlimit 10 192.168.0.8 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.8 #
conlimit 10 192.168.0.9 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.9 #
conlimit 10 192.168.0.10 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.10 #
conlimit 10 192.168.0.11 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.11 #
conlimit 10 192.168.0.12 0.0.0.0 #
conlimit 10 0.0.0.0 192.168.0.12 #
filter_protocol edonkey #
filter_protocol ares #
filter_protocol directconnect #
filter_protocol bittorrent #
filter_protocol gnutella #
filter_protocol napster #
filter_protocol irc #

=====================================

***************************************************************************
Showing conections
***************************************************************************



5 192.168.0.1
22 192.168.0.12
572 192.168.0.2
4 192.168.0.255
3 192.168.0.5
2 192.168.0.9

============================================

Chain PREROUTING (policy ACCEPT 147K packets, 39M bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 5674 packets, 625K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 141K packets, 38M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4197 packets, 1763K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 146K packets, 40M bytes)
pkts bytes target prot opt in out source destination
146K 40M Subnet_qos all -- * * 0.0.0.0/0 0.0.0.0/0
146K 40M l7-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 192.168.0.2 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.2 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.2 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.2 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.3 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.3 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.4 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.4 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.5 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.5 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.6 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.6 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.7 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.7 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.8 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.8 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.9 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.9 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.10 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.10 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.11 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.11 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 192.168.0.12 0.0.0.0 MARK match 0x100 #conn/32 > 10
0 0 DROP tcp -- * * 0.0.0.0 192.168.0.12 MARK match 0x100 #conn/32 > 10

Chain Subnet_qos (1 references)
pkts bytes target prot opt in out source destination

Chain l7-filter (1 references)
pkts bytes target prot opt in out source destination
19718 8616K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto edonkey MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto directconnect MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto bittorrent MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto gnutella MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto irc MARK set 0x100
16733 7214K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto edonkey MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto directconnect MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto bittorrent MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto gnutella MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto napster MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto irc MARK set 0x100

===================================================

Thanks
Eduardo
 

Post by nachazo » Sat Jun 03, 2006 7:34 am

Your configuration is ok... and your rules are ok too...

Don't pay much attention to the show con script.... It's only there to give you an idea of the current connections... But what you see is not real time... And if you use only l7 filters, they are not very accurate at matching packets...

I recommend that you include the default p2p ports (4662 edonkey)...

The best way to test conlimit is using a p2p client and looking at current connections in the statistics section...

Regards.
nachazo
 

Post by Eduardo » Sat Jun 03, 2006 12:59 pm

but doesn't the line "filter_protocol edonkey #" resolve this problem about edonkey's port?
so what should I do to limit all types of p2p connections?
I looked at current connections in emule and it seems that the addon is not working correctly for me
Eduardo
 

Post by nachazo » Sat Jun 03, 2006 6:18 pm

Hi Eduardo...

Yes, filter_protocol resolves the problem, but not the entire problem..... Because l7 filter is not a precision tool...

l7 filter is better than nothing... but it is not a holy grail....

For more info about l7 patterns visit the author's website....

For your problem....

I invite you to post an edonkey or emule screenshot of your connections, and an edonkey or emule screenshot of your configuration....

Regards.
nachazo
 

Post by madoxx » Sat Jun 03, 2006 10:12 pm

ok, I tried many solutions, but for me it doesn't work.
First I made a clean new BFW boot disk with l7 filter and the Advanced Router Option,
after that I used the add-on Conlimit l7 beta5.

++1++.

I use a filter rule
5 UP, 5 Down ip: 192.168.0.2
l7: edonkey, http.

reload 2 times, and after this nothing,

my POSTROUTING
Code:
Chain POSTROUTING (policy ACCEPT 6755 packets, 2587K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 6755 2587K Subnet_qos  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 6755 2587K l7-filter  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto edonkey MARK set 0x100
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto ares MARK set 0x100
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto directconnect MARK set 0x100
    0     0 DROP       tcp  --  *      *       192.168.1.0/24       0.0.0.0             tcp dpt:64000 #conn/32 > 200
    9  4895 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http MARK set 0x100
    0     0 DROP       tcp  --  *      *       192.168.0.2          0.0.0.0             MARK match 0x100 #conn/32 > 5
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.2         MARK match 0x100 #conn/32 > 5


Chain l7-filter (1 references) is empty.

After that I save and restart (after reboot POSTROUTING is empty), reload 2 times and nothing.

++2++

I use a simple rule
5 UP, 5 Down ip: 192.168.0.2/24
port range: 1-65535

reload 2 times, and after this nothing,
Code:
Chain POSTROUTING (policy ACCEPT 581 packets, 194K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  581  194K Subnet_qos  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  581  194K l7-filter  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       192.168.0.0/24       0.0.0.0             tcp dpts:1:65535 #conn/32 > 5
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.0/24      tcp dpts:1:65535 #conn/32 > 5



I save and restart (after reboot POSTROUTING is empty), reload 2 times and nothing.

++3++

I use a simple rule
5 UP, 5 Down ip: 192.168.0.2 (don't use mask)
port range: 1-65535

reload 2 times, and after this nothing,
Code:
Chain POSTROUTING (policy ACCEPT 1490 packets, 384K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1490  384K Subnet_qos  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1490  384K l7-filter  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       192.168.0.2          0.0.0.0             tcp dpts:1:65535 #conn/32 > 5
    0     0 DROP       tcp  --  *      *       0.0.0.0              192.168.0.2         tcp dpts:1:65535 #conn/32 > 5



I save and restart (after reboot POSTROUTING is empty), reload 2 times and nothing.
madoxx
 

Post by nachazo » Sun Jun 04, 2006 8:11 pm

ok... beta 5 has 2 important bugs....

I'm still working to fix them in beta 6....

Please remove beta 5 and try beta 4....

regards.
nachazo
 

Post by madoxx » Mon Jun 05, 2006 8:47 am

ok, removed beta 5 and installed beta4

I have something like that:

Code:
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
Subnet_qos  all  --  0.0.0.0/0            0.0.0.0/0           
l7-filter  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       tcp  --  0.0.0.0              192.168.0.2         MARK match 0x100 #conn/32 > 5
DROP       tcp  --  192.168.0.2          0.0.0.0             MARK match 0x100 #conn/32 > 5
DROP       tcp  --  0.0.0.0              192.168.0.0/24      tcp dpt:80 #conn/32 > 2
DROP       tcp  --  192.168.0.0/24       0.0.0.0             tcp dpt:80 #conn/32 > 2
DROP       tcp  --  0.0.0.0              192.168.0.2         tcp dpt:80 #conn/32 > 2
DROP       tcp  --  192.168.0.2          0.0.0.0             tcp dpt:80 #conn/32 > 2

Chain Subnet_qos (1 references)
target     prot opt source               destination         

Chain l7-filter (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto fasttrack
MARK       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto edonkey MARK set 0x100
MARK       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto ares MARK set 0x100
MARK       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto directconnect MARK set 0x100
MARK       all  --  0.0.0.0/0            0.0.0.0/0           LAYER7 l7proto http MARK set 0x100


but still

Code:
553   192.168.0.2
madoxx
 

Post by nachazo » Mon Jun 05, 2006 11:02 am

the show con script isn't a realtime tool....

please refer to the edonkey client...

in a simple conlimit rule don't use a netmask at the end of the address...

please post your config file for a better analysis of your config...

regards.
nachazo
 

Post by madoxx » Mon Jun 05, 2006 11:22 am

Ok, I removed all rules, and built one simple rule


cut from my config :

Code:
# ---------------------------------------------------------------------------
#
# NEW COMMAND
#
# Recommended for old Pentium processors
#
# Example 1: limit to 500 connections the port range 64000-65535 for all ips
# simple_conlimit 500 0.0.0.0 0.0.0.0 64000:65535
#
# Example 2: limit to 100 connections port 4662 (emule) for the destination
#            ip 192.168.1.48
# simple_conlimit 100 0.0.0.0 192.168.1.48 4662
#
###############################################################################
simple_conlimit 2 0.0.0.0 192.168.0.2 80 #



so I understand that I can open only 2 sites.
but really I can open much more. :)
madoxx
 

Post by nachazo » Mon Jun 05, 2006 3:17 pm

try this...

simple_conlimit 1 0.0.0.0 192.168.0.2 80 #
simple_conlimit 1 192.168.0.2 0.0.0.0 80 #

In theory you can only see 1 site at a time...

Regards.
nachazo
 

Post by madoxx » Mon Jun 05, 2006 4:30 pm

hmm... still nothing.. I can open more than 1 site.

I tried in custom firewall

iptables -t mangle -A POSTROUTING -p tcp -s 192.168.0.2 -m connlimit --connlimit-above 50 -j DROP

and it's Ok, I run edonkey with more than 50 connections, and I can't open WWW.

but your conlimit doesn't want to work, and I don't know why.
madoxx
 

Post by kania » Mon Jun 05, 2006 5:08 pm

madoxx wrote:I run edonkey with more than 50 connections, and I can't open WWW.


When you use HTTP, the connection is established for a short time, and then you can view more than one page, because the web browser connects and disconnects all the time.
When you use edonkey or another p2p, the connection is established for a longer time, and then the server can count them and limit.
Last edited by kania on Tue Jun 06, 2006 9:44 pm, edited 1 time in total.
kania
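kania's point above (HTTP connections are short-lived, p2p connections stay up), together with nachazo's earlier remark that the show con script is not a real-time view, comes down to what a connection counter actually counts. The script below, an added example and not the add-on's own show con script, counts conntrack entries per LAN host twice: every TCP entry, and only those in ESTABLISHED state, so connections that a browser has already closed but that still sit in the table as TIME_WAIT show up as the difference between the two columns. Assumed: the /proc/net/ip_conntrack line layout of that era, reproduced here in a constructed sample; on a live BrazilFW box feed it "cat /proc/net/ip_conntrack" instead.

```shell
#!/bin/sh
# Added example, not the add-on's "show con" script: count conntrack entries
# per LAN host, all entries versus ESTABLISHED only. Assumed layout is the
# 2.4/2.6-era /proc/net/ip_conntrack text format; the sample is constructed.

# Constructed sample: 192.168.0.2 has three long-lived p2p connections and
# four finished HTTP connections still lingering in TIME_WAIT; 192.168.0.5
# has one TCP connection and one UDP entry (UDP has no state column).
CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=203.0.113.10 sport=4662 dport=4662 src=203.0.113.10 dst=198.51.100.1 sport=4662 dport=4662 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=203.0.113.11 sport=4663 dport=4662 src=203.0.113.11 dst=198.51.100.1 sport=4662 dport=4663 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=203.0.113.12 sport=4664 dport=4662 src=203.0.113.12 dst=198.51.100.1 sport=4662 dport=4664 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.0.2 dst=203.0.113.20 sport=3001 dport=80 src=203.0.113.20 dst=198.51.100.1 sport=80 dport=3001 [ASSURED] use=1
tcp      6 113 TIME_WAIT src=192.168.0.2 dst=203.0.113.20 sport=3002 dport=80 src=203.0.113.20 dst=198.51.100.1 sport=80 dport=3002 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.168.0.2 dst=203.0.113.21 sport=3003 dport=80 src=203.0.113.21 dst=198.51.100.1 sport=80 dport=3003 [ASSURED] use=1
tcp      6 101 TIME_WAIT src=192.168.0.2 dst=203.0.113.21 sport=3004 dport=80 src=203.0.113.21 dst=198.51.100.1 sport=80 dport=3004 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.5 dst=203.0.113.30 sport=5001 dport=443 src=203.0.113.30 dst=198.51.100.1 sport=443 dport=5001 [ASSURED] use=1
udp      17 29 src=192.168.0.5 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=5353 use=1'

# count_conns SRC [STATE]: TCP entries originated by SRC (first "src=" field),
# optionally restricted to one TCP state such as ESTABLISHED or TIME_WAIT.
# Non-TCP entries are skipped: the connlimit rules in this thread are "-p tcp".
count_conns() {
    awk -v src="$1" -v state="$2" '
        $1 == "tcp" && $5 == ("src=" src) && (state == "" || $4 == state) { n++ }
        END { print n + 0 }'
}

# per_host_table: like "show con" but with a second column that keeps only
# ESTABLISHED entries, so lingering TIME_WAIT connections become visible.
per_host_table() {
    printf '%-15s %5s %12s\n' host all established
    awk '$1 == "tcp" {
            host = substr($5, 5)            # strip the "src=" prefix
            all[host]++
            if ($4 == "ESTABLISHED") est[host]++
         }
         END {
            for (h in all) printf "%-15s %5d %12d\n", h, all[h], est[h] + 0
         }' | sort
}

printf '%s\n' "$CONNTRACK" | per_host_table
```

For 192.168.0.2 the sample gives 7 entries in all but only 3 established: the four port-80 rows are connections the browser has already closed. A counter that reports the first number will look like it disagrees with the client's own connection statistics, which is the mismatch nachazo describes (160 in edonkey, 569 in show con) without either side being wrong.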
 

Post by nachazo » Mon Jun 05, 2006 6:39 pm

thanks madoxx for the direct hit answer...8)

regards.
nachazo
 

Post by prezd » Tue Jun 20, 2006 5:59 pm

http://www.ladelbarrio.com.ar/nachazo/c ... nlimit.tgz

The page cannot be displayed.

I need to connlimit bittorrent traffic to some IPs.
do you have some documentation?
prezd
 

Post by nachazo » Tue Jun 20, 2006 7:25 pm

we have temporary problems with that page...

but now it is working perfectly...

You have a complete manual in the config file of conlimit...

regards.
nachazo
 

Post by needmaster » Mon Jun 26, 2006 7:12 am

Hi nachazo,
your beta connlimit is good.

I tested my bash file successfully too.

I tested BT of P2P and opened IE.
if BT sessions are above 100 then the browser doesn't open web sites.

iptables -t mangle -I PREROUTING -p tcp --dport 0:65535 -s 192.168.0.2 -m connlimit --connlimit-above 100 -j DROP
needmaster
 

Post by nachazo » Mon Jun 26, 2006 1:54 pm

thanks, I hope that you get what you need with the conlimit add-on.

I'm open to criticism...

regards.
nachazo
 

Post by dido » Fri Sep 08, 2006 11:15 pm

hi
my conf is :

conlimit 50 192.168.1.20 0.0.0.0 #
conlimit 50 0.0.0.0 192.168.1.20 #
filter_protocol edonkey #
filter_protocol ares #
filter_protocol directconnect #
filter_protocol bittorrent #

Chain POSTROUTING (policy ACCEPT 5484K packets, 2059M bytes)
pkts bytes target prot opt in out source destination
5484K 2059M Subnet_qos all -- * * 0.0.0.0/0 0.0.0.0/0
5484K 2059M l7-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 192.168.1.64 0.0.0.0 MARK match 0x100 #conn/32 > 50
0 0 DROP tcp -- * * 0.0.0.0 192.168.1.64 MARK match 0x100 #conn/32 > 50
0 0 DROP tcp -- * * 192.168.1.20 0.0.0.0 MARK match 0x100 #conn/32 > 50
0 0 DROP tcp -- * * 0.0.0.0 192.168.1.20 MARK match 0x100 #conn/32 > 50
0 0 DROP tcp -- * * 192.168.1.20 0.0.0.0 MARK match 0x100 #conn/32 > 50
0 0 DROP tcp -- * * 0.0.0.0 192.168.1.20 MARK match 0x100 #conn/32 > 50
0 0 DROP tcp -- * * 192.168.1.20 0.0.0.0 MARK match 0x100 #conn/32 > 50
0 0 DROP tcp -- * * 0.0.0.0 192.168.1.20 MARK match 0x100 #conn/32 > 50


Chain l7-filter (1 references)
pkts bytes target prot opt in out source destination
514 147K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto edonkey MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0x100
1248 141K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto directconnect MARK set 0x100
185K 36M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto bittorrent MARK set 0x100
467 127K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto edonkey MARK set 0x100
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto ares MARK set 0x100
1232 139K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto directconnect MARK set 0x100
185K 36M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 LAYER7 l7proto bittorrent MARK set 0x100



I have TCP Connections: 495 peers on my torrent client, could you tell me why? when I want only 50 ...
I have QOS Layer7 and the advanced route package
dido
 
