Easy, guys, no need to argue.
I like the idea of letting UCI generate all the "boring" stuff and adding some special cases in firewall.user. You can of course write your own set of firewall rules if you want; that's the advantage of an open system. For building your own set I recommend firewallbuilder.org, a great tool, and it knows OpenWrt. vim is the other alternative.
Back to topic: I solved the problem; it was my own stupid mistake. I put the rules in the wrong chain. I should've used FORWARD because the port will be forwarded to the internal LAN.
This works:
iptables -N ssh_flood
# source already seen within the last 300 s: tarpit it; --update refreshes its timestamp on every hit
iptables -A ssh_flood -p tcp -m recent --name SSH --update --seconds 300 --hitcount 1 -j TARPIT
# first contact: only record the source (a match with a side effect, no target needed)
iptables -A ssh_flood -p tcp -m recent --name SSH --set
# gate on NEW here, otherwise the ACKs of an accepted connection hit the --update rule and get tarpitted; a port forward traverses FORWARD, hence zone_wan_forward
iptables -I zone_wan_forward -p tcp -m tcp --dport 22 -m state --state NEW -j ssh_flood
One thing I dislike is the way LuCI organizes the rules if you have dual stack. IPv6, for instance, has ICMP packet-too-big with no counterpart in IPv4. I think two separate rule sections would be better, so that every section can provide specific options for IPv4 or IPv6. But that's just my personal taste.
Thanks to both of you.
-p
(Last edited by pharaoh on 13 Aug 2011, 21:00)
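The same recipe as a reusable /etc/firewall.user fragment, added here as an example and not part of the post above. It generalises the ssh_flood chain in two ways the post's point about chains calls for: the limiter is hooked into both zone_wan_input (the router's own sshd) and zone_wan_forward (the port forwarded to the LAN host), since those packets traverse different chains, and it allows a small burst (hitcount 4) before tarpitting, so one legitimate reconnect within the window is not punished. The chain names zone_wan_input and zone_wan_forward are assumed from the OpenWrt naming used above; ssh_ratelimit, apply_ssh_limits and the IPT variable are my own names. TARPIT is an xtables-addons target, not part of stock iptables.

```shell
#!/bin/sh
# Added example (not from the original post): /etc/firewall.user fragment that
# generalises the ssh_flood chain. Assumed names: the OpenWrt-generated
# zone_wan_input / zone_wan_forward chains; ssh_ratelimit, apply_ssh_limits and
# IPT are mine. TARPIT comes from xtables-addons.
#
# Dry run (prints the rules instead of loading them):  IPT=echo sh this.sh apply
# Load for real:                                       sh this.sh apply
IPT="${IPT:-iptables}"

# ssh_ratelimit CHAIN PORT SECONDS HITCOUNT
#   Limits NEW TCP connections to PORT arriving via CHAIN: a source that opens
#   HITCOUNT or more connections within SECONDS is tarpitted, and --update keeps
#   refreshing its timestamp for as long as it keeps trying.
ssh_ratelimit() {
    local chain="$1" port="$2" secs="$3" hits="$4"
    local limiter="ssh_limit_${chain}"   # one helper chain per hook point
    local list="ssh_${chain}"            # one xt_recent list per hook point

    # Create the helper chain, or flush it so the script can be re-run.
    $IPT -N "$limiter" 2>/dev/null || $IPT -F "$limiter"

    # Repeat offender: already on the list with >= HITCOUNT hits within SECONDS.
    $IPT -A "$limiter" -p tcp -m recent --name "$list" --update \
        --seconds "$secs" --hitcount "$hits" -j TARPIT
    # Otherwise record the source and fall through (rule has no target).
    $IPT -A "$limiter" -p tcp -m recent --name "$list" --set

    # Only NEW connections enter the limiter: packets of an already accepted
    # connection must never reach the --update rule, or they get tarpitted.
    $IPT -I "$chain" -p tcp --dport "$port" -m state --state NEW -j "$limiter"
}

# The router's own sshd is reached through INPUT, a port forwarded to a LAN
# host through FORWARD; the traffic traverses different chains, so each needs
# its own hook.
apply_ssh_limits() {
    ssh_ratelimit zone_wan_input   22 300 4
    ssh_ratelimit zone_wan_forward 22 300 4
}

if [ "${1:-}" = "apply" ]; then
    apply_ssh_limits
fi
```

Setting IPT=echo turns every rule into a printed line, which is how to review the generated set before loading it on the router; the helper chain is flushed rather than recreated on a second run, so calling it again from firewall.user after a firewall reload is safe.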