
Bug 36488

Summary: iptables seems to have changed --limit syntax
Product: [OLD] Docs-user
Reporter: Adam Mondl (RETIRED) <tocharian>
Component: Gentoo Security Guide
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED WORKSFORME
Severity: normal
CC: docs-team, tocharian
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description Adam Mondl (RETIRED) gentoo-dev 2003-12-25 10:54:39 UTC
This bug is in regard to the iptables/firewall section of the Gentoo Security Guide. In the firewall script, in both the "Incoming Traffic" and the "Catch portscanners" sections, the syntax is used as follows:

--limit 1/second OR
--limit 5/minute

Using iptables v1.2.9 this does not work. The syntax seems to have changed to:

--limit 1/sec OR
--limit 5/min

The following also works:

--limit 1/s OR
--limit 5/m

All instances where --limit is used should be changed (or noted not to work with newer versions of iptables).
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2003-12-25 11:00:25 UTC
I'll hold this one until I'm sure this is a permanent change. The iptables documentation still mentions "second", "minute", etc.

http://www.iptables.org/documentation/HOWTO/packet-filtering-HOWTO.txt
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2003-12-28 12:25:05 UTC
The man page still lists "/second" (in full). The mailing lists don't talk about any change regarding this. If iptables indeed fails to recognise this atm, then this is a bug in iptables that will be fixed in a new version. However, I believe that there is no issue here.

Can you tell me a bit more about the error you receive when you run iptables with the full time unit?
Comment 3 Adam Mondl (RETIRED) gentoo-dev 2003-12-28 14:09:19 UTC
Well, I just tried it again and after a recent format (playing around with encryption) the problem has gone away. It really did do that though; I believe I was talking to solar or someone in #gentoo-hardened and as soon as I changed it to "sec" from "second" it worked. However, now "second" works, so I don't know what happened. I guess the bug can be closed as a freak incident :)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2003-12-28 14:14:54 UTC
Blame solar *cough* :-)
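The three spellings discussed in this report (1/second, 1/sec, 1/s) are accepted by iptables because the unit is matched as a prefix of the full word. The following is an added example, not code from the bug report, the Security Guide or iptables itself: it models that parsing rule (assumed to follow libxt_limit's parse_rate in current iptables) and simulates what a --limit rule with the default burst does to a burst of packets, so the equivalence of the spellings and the effect of the rate can be checked offline.

```python
# Added example modelling how iptables reads --limit and applies it.
# Assumed (matches libxt_limit's parse_rate in current iptables): the
# unit after '/' is a case-insensitive prefix of second/minute/hour/day,
# so 1/second, 1/sec and 1/s are the same rule. The token bucket is a
# simplified model of the kernel's xt_limit, not its real code.

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec):
    """Turn "5/minute", "5/min" or "5/m" into average packets per second."""
    count, sep, unit = spec.partition("/")
    if not count.isdigit() or int(count) == 0 or (sep and not unit):
        raise ValueError("bad --limit value: %r" % spec)
    seconds = 1  # no unit given: iptables defaults to per second
    if unit:
        names = [n for n in UNITS if n.startswith(unit.lower())]
        if len(names) != 1:  # e.g. "mins" is not a prefix of "minute"
            raise ValueError("unknown unit in --limit value: %r" % spec)
        seconds = UNITS[names[0]]
    return int(count) / seconds


def limit_matches(rate_per_sec, burst, arrival_times):
    """Token-bucket simulation over sorted packet times (seconds).

    True where the limit rule would match (e.g. the packet is logged).
    The bucket holds `burst` tokens (iptables default --limit-burst is 5),
    refills at rate_per_sec, and each matching packet spends one token.
    """
    tokens = float(burst)
    last = arrival_times[0] if arrival_times else 0.0
    matched = []
    for t in arrival_times:
        tokens = min(float(burst), tokens + (t - last) * rate_per_sec)
        last = t
        if tokens >= 1:
            tokens -= 1
            matched.append(True)
        else:
            matched.append(False)
    return matched


def demo():
    """Constructed traffic: ten packets at t=0, one more at t=3s, against
    --limit 1/second with the default burst of 5."""
    return limit_matches(parse_limit("1/second"), 5, [0.0] * 10 + [3.0])
```

With the constructed traffic, only the first five packets of the burst match and the packet three seconds later matches again once the bucket has refilled.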