06-23-2014
Got it... But unless I'm missing something, once an IP is on your firewall's block list any packets received will be ignored. So the only "SYN_SENT" connections will be the ones set up before the firewall rule was added. Are those sticking around long enough to cause a problem? Since it's a fixed number, can't you just leave them to time out on their own?
Maybe there are PF rules (I'm not familiar with that package) that would implement the maximum-connections-per-IP logic you want. Meaning, can you add a broad rule that won't allow any untrusted IP to have more than 70 connections at once?
Then you wouldn't need to kill the ones that do manage to get through before the firewall kicks in.
Also, does PF have a way to show the current list of blocked IPs? If so, then if you do need to kill processes that managed to get set up, you could run that PF command to generate a list of bad IPs, then use something like "lsof" to find all the open sockets connected to those IPs and kill those processes. I think it might be simpler than figuring out which IPs to target by counting the number of connections each one has.
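The two approaches discussed in this reply (match open sockets against the firewall's block list, or count connections per remote IP) as an added shell example; it is not code from the thread. It assumes the block list comes from a PF table named `blocked` (`pfctl -t blocked -T show`) and the socket list from `lsof -nP -iTCP`; both inputs below are constructed sample text so the script runs offline.

```shell
#!/bin/sh
# Added example. Real inputs would be:
#   pfctl -t blocked -T show                      (assumed table name "blocked")
#   lsof -nP -iTCP -sTCP:ESTABLISHED,SYN_SENT
# The "broad rule" the reply asks about exists in PF as a state option, e.g.
#   pass in proto tcp to port 80 keep state (max-src-conn 70, overload <blocked> flush global)

# Print the PIDs (de-duplicated, first-seen order) holding a TCP socket whose
# remote address is in the blocked list.
#   $1: newline-separated blocked IPs    $2: output of `lsof -nP -iTCP`
pids_connected_to_blocked() {
    printf '%s\n' "$2" | awk -v blocked="$1" '
        BEGIN { n = split(blocked, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") bad[a[i]] = 1 }
        NR == 1 { next }                                # skip the lsof header line
        $8 == "TCP" && split($9, ends, "->") == 2 {     # NAME is local->remote; LISTEN has no "->"
            sub(/:[0-9]+$/, "", ends[2])                # strip the remote port
            if ((ends[2] in bad) && !($2 in seen)) { seen[$2] = 1; print $2 }
        }'
}

# The alternative the reply mentions: count sockets per remote IP and print
# every IP with more than $2 of them (the thread uses a limit of 70).
remote_ips_over() {
    printf '%s\n' "$1" | awk -v lim="$2" '
        NR > 1 && $8 == "TCP" && split($9, e, "->") == 2 { sub(/:[0-9]+$/, "", e[2]); c[e[2]]++ }
        END { for (ip in c) if (c[ip] > lim) print ip }'
}

# Constructed sample data (documentation-range addresses, not real hosts).
SAMPLE_BLOCKED='198.51.100.7
203.0.113.9'
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd    1234  www   12u  IPv4 0x1234      0t0  TCP 10.0.0.5:80->198.51.100.7:51234 (ESTABLISHED)
httpd    1235  www   13u  IPv4 0x1235      0t0  TCP 10.0.0.5:80->203.0.113.9:44321 (SYN_SENT)
sshd     2222  root   3u  IPv4 0x2222      0t0  TCP 10.0.0.5:22->192.0.2.10:55000 (ESTABLISHED)
httpd    1234  www   14u  IPv4 0x1236      0t0  TCP 10.0.0.5:80->198.51.100.7:51235 (ESTABLISHED)
httpd    1240  www    4u  IPv4 0x1240      0t0  TCP *:80 (LISTEN)'

# Review the list before acting on it; to terminate, pipe it to `xargs kill`.
pids_connected_to_blocked "$SAMPLE_BLOCKED" "$SAMPLE_LSOF"
```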
firewalld.conf
FIREWALLD.CONF(5) firewalld.conf FIREWALLD.CONF(5)
NAME
firewalld.conf - firewalld configuration file
SYNOPSIS
/etc/firewalld/firewalld.conf
DESCRIPTION
firewalld.conf is loaded by firewalld during the initialization process. The file contains the basic configuration options for firewalld.
OPTIONS
These are the options that can be set in the config file:
DefaultZone
This sets the default zone for connections or interfaces if the zone is not selected or specified by NetworkManager, initscripts or the command line tool. The default zone is public.
MinimalMark
For some firewall settings several rules are needed in different tables to be able to handle packets in the correct way. To achieve that, these packets are marked using the MARK target of iptables(8) and ip6tables(8). With the MinimalMark option a block of marks can be reserved for private use; only marks over this value are used. The default MinimalMark value is 100.
CleanupOnExit
If firewalld stops, it cleans up all firewall rules. Setting this option to no or false leaves the current firewall rules untouched. The default value is yes or true.
Lockdown
If this option is enabled, firewall changes with the D-Bus interface will be limited to applications that are listed in the lockdown whitelist (see firewalld.lockdown-whitelist(5)). The default value is no or false.
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5)
NOTES
firewalld home page at fedorahosted.org:
http://fedorahosted.org/firewalld/
More documentation with examples:
http://fedoraproject.org/wiki/FirewallD
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
firewalld 0.3.9 FIREWALLD.CONF(5)