Ubuntu
ufw package

Rate limit setting not honoured?

Asked by Roland Giesler

The default rate limit is automatically inserted when I start ufw on Trusty. I use gufw to add rules and have enabled in and out traffic blocking. However, the 3/min rate limiting somehow kicks in when I use a magento server admin interface resulting in responses to page load requests that take 10-20 seconds to load.

I have changed the contents of /etc/ufw/before.rules to have :

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 1/s --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

The original was "--limit 3/min".

When I list the iptables after restarting ufw I still get:

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

<snip>

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

<snip>

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 1/sec burst 10
DROP all -- anywhere anywhere

<snip>

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

As can be seen above, there is only one rule (ufw-logging-deny-all) that honours the "1/sec" change. Where do I make the changes to effect the other rules?

If I can't change this, then how can I disable the rate limiting altogether?

Thanks

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu ufw Edit question
Assignee:
No assignee Edit question
Solved by:
Roland Giesler
Solved:
Last query:
Last reply:
Revision history for this message
Roland Giesler (lifeboy) said : 		#1

Ah! After finding the manpage for ufw-framework, I found /lib/ufw/user.rules and lo and behold, in there are the rules I was looking for!

Revision history for this message
Roland Giesler (lifeboy) said : 		#2

Further to this: Commenting out the rate limiting section disables the automatic rate limiting rules that are created.

Is there maybe an option or command that can be given to do this without editing this file?