On Fri, 5 Nov 2004, George Georgalis wrote:
> and for anybody who is interested, I've found the limit function works well to manage logging and types of deny:
>
>     -m limit --limit-burst 50 --limit 1/s
>
> At the end of my "NEW ACCEPT" set, I call a chain that, within the limit, logs and rejects remaining connections; beyond the limit it returns. The next two rules log some (with limit again) of the remaining connections and drop them all. The setup gives a balance between the problems of logging and rejecting everything bad and just dropping everything bad.
Doesn't that open the possibility for a DoS, simply by sending a stream of new attempted connections to your computers? This would then continuously saturate the rate of new attempted connections, and your legitimate connections would be virtually impossible. Or is the netfilter limit code smart enough to use separate limits for separate source IP numbers?
bye
Giacomo

--
Giacomo Mulas <gmulas@ca.astro.it>
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel. (OAC): +39 070 71180 248  Fax: +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
"When the storms are raging around you, stay right where you are" (Freddy Mercury)
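As an added example (constructed for this thread, not George's actual ruleset or anything Giacomo posted), here is the chain layout George describes, written as a dry-run generator: chain names LOG_REJECT and LIMITED_REJECT, the log prefixes, and the placement at the tail of INPUT are assumptions; by default the iptables commands are only printed, and APPLY=1 executes them.

```shell
#!/bin/sh
# Added example: reconstruction of the limited log/reject/drop chain layout.
# Assumed chain names (LOG_REJECT, LIMITED_REJECT) and log prefixes are ours.
# Dry run by default: commands are printed; set APPLY=1 to run iptables for real.

RATE="1/s"   # --limit: sustained rate at which the token bucket refills
BURST="50"   # --limit-burst: bucket size, i.e. packets allowed before the rate bites

# Print each iptables command; execute it only when APPLY=1.
ipt() {
    printf 'iptables %s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

gen_rules() {
    # LOG_REJECT: unconditional log + reject, so a single limit bucket governs
    # both actions (separate -m limit rules for LOG and REJECT would drift apart).
    ipt -N LOG_REJECT
    ipt -A LOG_REJECT -j LOG --log-prefix "new-reject: "
    ipt -A LOG_REJECT -j REJECT

    # LIMITED_REJECT: within the limit, log and reject; beyond it, RETURN so the
    # caller's following rules handle the surplus.
    ipt -N LIMITED_REJECT
    ipt -A LIMITED_REJECT -m limit --limit "$RATE" --limit-burst "$BURST" -j LOG_REJECT
    ipt -A LIMITED_REJECT -j RETURN

    # Tail of INPUT, after the site's own "NEW ACCEPT" rules (not shown):
    # 1. hand the remaining NEW connections to LIMITED_REJECT,
    # 2. log some of what comes back (limited again), 3. drop all of it.
    # Note: the limit bucket is per rule, shared by every source hitting it.
    ipt -A INPUT -m state --state NEW -j LIMITED_REJECT
    ipt -A INPUT -m state --state NEW -m limit --limit "$RATE" --limit-burst "$BURST" \
        -j LOG --log-prefix "new-drop: "
    ipt -A INPUT -m state --state NEW -j DROP
}

gen_rules
```

The `limit` match keeps one token bucket per rule regardless of source address; per-source buckets need the `hashlimit` match instead.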