I have a rule to add addresses to an ipset defined:

ipset -exist create IpPort3600 hash:ip,port timeout 3600
ipset -exist create IpOneDay hash:ip timeout 86400

in /etc/shorewall/rules:

ADD(+IpPort3600:src,dst):notice:ADD,IpPort3600 inet fw tcp,udp domain
ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp mysql

My suggestion is to allow ADD to specify a timeout value:

ADD(+IpPort3600:src,dst,@600):notice:ADD,IpPort3600 inet fw tcp,udp domain

and thus set a 10 minute timeout (600) instead of the default one hour timeout (3600). Also:

ADD(+IpOneDay:src,@14400):info:ADD,IpOneDay,14400 inet fw tcp mysql

[0:root@elmo shorewall]$ rpm -q shorewall
shorewall-4.6.11.1-2.fc22.noarch

The 3600 in the name reminds me that the timeout is 3600. If I could specify the timeout in the rule ADD I would rename that ipset and could vary the timeout in the rules:

ADD(+IpPort:src,dst,600):notice:ADD,IpPort,600 inet fw tcp,udp domain

And rename IpOneDay to Ip:

ADD(+Ip:src,@14400):info:ADD,Ip,14400 inet fw tcp mysql
ADD(+Ip:src,@86400):info:ADD,Ip,86400 inet fw tcp ssh

Bill

PS. Many thanks to Tom et al. for Shorewall.

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
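The per-rule timeout Bill proposes maps directly onto ipset's per-entry `timeout` option, which overrides the default timeout a set was created with. The following added example (not from the post and not Shorewall's own code) parses the proposed `ADD(+SET:flags[,@timeout])` target form and shows the `ipset add` line each rule would issue for a matching packet; the set types and the packet are constructed from the post's own definitions, and the mapping of flags onto set components is an assumption.

```python
import re

# Set types as the post's `ipset create` lines define them (constructed lookup).
SET_TYPES = {"IpPort3600": "hash:ip,port", "IpOneDay": "hash:ip"}

# Proposed syntax (assumed form): ADD(+SET:flag[,flag][,@timeout])
_TARGET = re.compile(
    r"^ADD\(\+(?P<set>\w+):(?P<flags>[a-z,]+?)(?:,@(?P<timeout>\d+))?\)$")


def parse_add_target(target):
    """Return (setname, flags, timeout); timeout is None when no @timeout is given."""
    m = _TARGET.match(target)
    if not m:
        raise ValueError("not an ADD(+set:flags[,@timeout]) target: %r" % target)
    flags = m.group("flags").split(",")
    if any(f not in ("src", "dst") for f in flags):
        raise ValueError("flags must be src and/or dst: %r" % flags)
    t = m.group("timeout")
    return m.group("set"), flags, (int(t) if t is not None else None)


def ipset_add_command(target, packet):
    """Build the `ipset add` line the rule would run for a matching packet.

    packet: dict with src, dst, proto, sport, dport. Assumption: the i-th flag
    fills the i-th component of the set type ('ip' takes that side's address,
    'port' takes proto:port of that side), e.g. src,dst on hash:ip,port gives
    "srcip,proto:dport".
    """
    setname, flags, timeout = parse_add_target(target)
    components = SET_TYPES[setname].split(":", 1)[1].split(",")
    if len(components) != len(flags):
        raise ValueError("%s needs %d flag(s), got %r" % (setname, len(components), flags))
    parts = []
    for flag, comp in zip(flags, components):
        if comp == "ip":
            parts.append(packet[flag])
        elif comp == "port":
            port = packet["sport" if flag == "src" else "dport"]
            parts.append("%s:%d" % (packet["proto"], port))
        else:
            raise ValueError("unsupported set component: %s" % comp)
    cmd = ["ipset", "-exist", "add", setname, ",".join(parts)]
    if timeout is not None:
        # Per-entry timeout overrides the default given at `ipset create`.
        cmd += ["timeout", str(timeout)]
    return " ".join(cmd)
```

Without `@timeout` the entry inherits the set's default (3600 or 86400 above); with it, a single set can hold entries with different lifetimes, which is what lets the set names drop the timeout suffix.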
