I am trying to create a zone in which I forward 3 ports to another one and at the same time need to apply a rate limit. The obvious choice would probably be rich rules, but they do not allow a port-forward AND an action.
I have tried to combine forward-ports with a rich rule for the rate limit, but in this case the rich rule does not seem to be executed.
10-default-limit
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports: 2022/tcp 3022/tcp 4022/tcp 8022/tcp
protocols:
forward: no
masquerade: no
forward-ports:
port=2022:proto=tcp:toport=8022:toaddr=
port=3022:proto=tcp:toport=8022:toaddr=
port=4022:proto=tcp:toport=8022:toaddr=
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" port port="2022" protocol="tcp" log prefix="*** DEFAULT LIMITED - PORT 2022 MAPPED TO PORT 8022 *** " level="info" accept limit value="3/m"
rule family="ipv4" port port="3022" protocol="tcp" log prefix="*** DEFAULT LIMITED - PORT 3022 MAPPED TO PORT 8022 *** " level="info" accept limit value="3/m"
rule family="ipv4" port port="4022" protocol="tcp" log prefix="*** DEFAULT LIMITED - PORT 4022 MAPPED TO PORT 8022 *** " level="info" accept limit value="3/m"
rule family="ipv4" port port="8022" protocol="tcp" log prefix="*** DEFAULT LIMITED - PORT 8022 *** " level="info" accept limit value="3/m"
It does the port-forward but does not apply the rate limit (and no log entry is written either).
I was also tempted to try Zone Drifting, but as I have multiple zones chained it gets pretty unpredictable, and it is also not a recommended approach...
Is this combination possible at all? Any hint is much appreciated!
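Added example (not part of the question or of any answer): a Python check over the zone listing above that flags why these rich rules cannot act as a rate limit. It relies on two facts about firewalld/netfilter ordering: forward-ports are DNAT in the nat prerouting hook, so a rich rule matching the original port (2022/3022/4022) runs after the destination port has already been rewritten to 8022, and a rate-limited accept on a port that is also listed under plain `ports:` competes with an unconditional accept for the same traffic, so the limit never drops anything. The function names and finding labels are my own.

```python
import re

# Zone listing from the question, trimmed to the sections this check reads (log prefixes shortened).
ZONE_LISTING = """\
  ports: 2022/tcp 3022/tcp 4022/tcp 8022/tcp
  forward-ports:
    port=2022:proto=tcp:toport=8022:toaddr=
    port=3022:proto=tcp:toport=8022:toaddr=
    port=4022:proto=tcp:toport=8022:toaddr=
  rich rules:
    rule family="ipv4" port port="2022" protocol="tcp" log prefix="*** PORT 2022 *** " level="info" accept limit value="3/m"
    rule family="ipv4" port port="3022" protocol="tcp" log prefix="*** PORT 3022 *** " level="info" accept limit value="3/m"
    rule family="ipv4" port port="4022" protocol="tcp" log prefix="*** PORT 4022 *** " level="info" accept limit value="3/m"
    rule family="ipv4" port port="8022" protocol="tcp" log prefix="*** PORT 8022 *** " level="info" accept limit value="3/m"
"""

RICH_PORT = re.compile(r'port port="(\d+)" protocol="(\w+)"')

def parse_zone(listing):
    # Returns (open_ports, forward_map, rich_rules); forward_map is "port/proto" -> "toport/proto".
    open_ports, forwards, rich, section = set(), {}, [], None
    for line in (l.strip() for l in listing.splitlines()):
        if line.startswith("ports:"):
            open_ports = set(line.split(":", 1)[1].split())
        elif line.endswith(":"):  # section header such as "forward-ports:" or "rich rules:"
            section = line
        elif section == "forward-ports:" and line.startswith("port="):
            # toaddr is assumed to contain no ':' (IPv4 or empty), so splitting on ':' is safe
            f = dict(kv.split("=", 1) for kv in line.split(":"))
            forwards[f"{f['port']}/{f['proto']}"] = f"{f['toport']}/{f['proto']}"
        elif section == "rich rules:" and line.startswith("rule "):
            rich.append(line)
    return open_ports, forwards, rich

def audit(listing):
    """Flag rich rules that can never act as a rate limit on this zone's traffic."""
    open_ports, forwards, rich = parse_zone(listing)
    findings = []
    for m in filter(None, map(RICH_PORT.search, rich)):  # skip rich rules without a port match
        port = f"{m.group(1)}/{m.group(2)}"
        if port in forwards:
            # DNAT happens in nat prerouting; the zone's filter rules then see dport == toport
            findings.append((port, "shadowed-by-dnat", forwards[port]))
        elif "limit value=" in rule_text(m) and port in open_ports:
            # the plain 'ports:' entry accepts the same traffic with no limit at all
            findings.append((port, "limit-bypassed-by-open-port", None))
    return findings

def rule_text(match):
    return match.string  # the full rich rule the port match was found in

print(audit(ZONE_LISTING))
```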