hi, my iptables config can be reduced to the following example, which
lets ssh pass and drops everything else.
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j LOG
this works perfectly as i want it, but every now and then, i get
portscanned, and my kern.log grows like 14Mb in size because of that
LOG rule.
using the limiting features of iptables, i can say
iptables -A INPUT -j LOG -m limit --limit 5/minute --limit-burst 5
to make it show a max. of 5/minute with an initial burst of 5.
however, this way, a lot of information will be lost. granted,
portscans can only be limited that way, but i am wondering if there's
a method to limit logs for a specific type of package (i.e. same
destination socket) only? like commercial products (e.g. FW-1) do. any
clues?
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
"may your future be limited only by your dreams."
-- christa mcauliffe
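Added example, not part of the original post: the poster's ruleset with the catch-all LOG rule keyed per destination port (and additionally per source address) using the hashlimit match, which keeps a separate token bucket per key instead of one global bucket as `-m limit` does. It assumes iptables with the xt_hashlimit module; the function names (`ipt`, `hashlimit_args`, `install_rules`, `rule_count`), the table names `portlog`/`srclog`, the rates and the log prefix are this example's own choices. With `DRY_RUN=1` (the default) it only prints the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): per-destination-port and
# per-source rate limiting of the LOG rule via the hashlimit match.
# Assumes iptables with xt_hashlimit; names and rates are this example's own.
set -u
DRY_RUN="${DRY_RUN:-1}"

# Run iptables, or print the command when dry-running (default).
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Match arguments for one hashlimit table.
#   $1 = steady rate (e.g. 5/minute)   $2 = burst
#   $3 = key to bucket on: dstport, srcip, "srcip,dstport", "dstip,dstport" ...
#   $4 = table name (unique per rule; visible under /proc/net/ipt_hashlimit/)
# Older iptables releases spell --hashlimit-upto as --hashlimit.
hashlimit_args() {
    printf '%s\n' "-m hashlimit --hashlimit-upto $1 --hashlimit-burst $2 --hashlimit-mode $3 --hashlimit-name $4"
}

install_rules() {
    ipt -P INPUT DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport ssh -j ACCEPT
    # Log at most 5/minute per destination port, so repeated hits on one port
    # cannot drown out the first hits on other ports, AND at most 30/minute per
    # source address, so a single scanner walking thousands of ports still
    # produces a bounded number of lines. A packet is logged only when both
    # buckets still hold tokens.
    # shellcheck disable=SC2046  # word-splitting the match arguments is intended
    ipt -A INPUT $(hashlimit_args 5/minute 5 dstport portlog) \
                 $(hashlimit_args 30/minute 10 srcip srclog) \
                 -j LOG --log-prefix "INPUT-DROP:"
}

# Number of commands the ruleset emits (lets the dry run be checked).
rule_count() {
    ( DRY_RUN=1; install_rules ) | wc -l | tr -d ' '
}

install_rules
```

Run it as `DRY_RUN=0 sh rules.sh` (as root) to install the rules. To key strictly on "the same destination socket" as the post puts it, pass `dstip,dstport` as the mode; the per-source table is what keeps a full port scan from still yielding one line per probed port.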