
Re: TCP SYN packets which have the FIN flag set.



On Fri, 5 Nov 2004, George Georgalis wrote:

> and for anybody who is interested, I've found the limit function works
> well to manage logging and types of deny.
>
>  -m limit --limit-burst 50 --limit 1/s
>
> At the end of my "NEW ACCEPT" set, I call a chain that, within the
> limit, logs and rejects remaining connections; beyond the limit it
> returns. The next two rules log some (with limit again) of the remaining
> connections and drop them all. The setup gives a balance between the
> problems of logging and rejecting everything bad and just dropping
> everything bad.

Doesn't that open the possibility for a DoS, simply by sending a stream of new attempted connections to your computers? Then this would continuously saturate the rate of new attempted connections, and your legitimate connections would be virtually impossible. Or is the netfilter limit code smart enough to use separate limits for separate source IP numbers?

bye
Giacomo

--
_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it>
_________________________________________________________________

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248     Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________
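The chain layout George describes, written out as an added example (this is not code from either poster, only a reconstruction of the description above). The chain names, the two service ports, the log prefixes and the `--apply` flag are assumptions made for the example; the rate and burst are the values quoted in the thread. The `srcip` mode goes beyond the post: it swaps the global `-m limit` bucket for a per-source `-m hashlimit` bucket, which is the only way netfilter gives you separate limits per source address.

```shell
#!/bin/sh
# Added example (not from the original post): a "NEW ACCEPT" chain whose
# tail hands leftovers to a chain that, within the limit, logs and REJECTs
# and otherwise just RETURNs; the two rules after that call then log a
# limited share of what is left and DROP all of it.
#
# Usage:  sh limit-chains.sh            # dry run: print the rules
#         sh limit-chains.sh --apply    # feed them to iptables (as root)

# gate NAME: print the rate-limiting match for one rule.
# mode=global uses -m limit (one token bucket shared by every source, as in
# the post); mode=srcip uses -m hashlimit with a bucket per source address.
# NAME only matters for hashlimit, which needs a distinct table per rule.
gate() {
    if [ "$mode" = srcip ]; then
        printf '%s' "-m hashlimit --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-name $1"
    else
        printf '%s' "-m limit --limit $rate --limit-burst $burst"
    fi
}

# build_rules IPT [RATE] [BURST] [global|srcip]
#   IPT is the command each rule is passed to: "iptables" to apply,
#   "echo" to dry-run and just print the rules.
build_rules() {
    ipt="$1"
    rate="${2:-1/s}"
    burst="${3:-50}"
    mode="${4:-global}"

    $ipt -N NEW_ACCEPT
    $ipt -N LOG_REJECT
    $ipt -N DO_LOG_REJECT

    # Replies to existing connections never reach the NEW handling at all.
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate NEW -j NEW_ACCEPT

    # The "NEW ACCEPT" set: the services actually offered (ports assumed).
    $ipt -A NEW_ACCEPT -p tcp --dport 22 -j ACCEPT
    $ipt -A NEW_ACCEPT -p tcp --dport 80 -j ACCEPT

    # End of the set: hand whatever is left to the limited log-and-reject chain.
    $ipt -A NEW_ACCEPT -j LOG_REJECT
    # "The next two rules": log some of the remainder (limited again), drop it all.
    $ipt -A NEW_ACCEPT $(gate newdrop) -j LOG --log-prefix "NEW_DROP: "
    $ipt -A NEW_ACCEPT -j DROP

    # LOG_REJECT: one bucket gates the jump, so log and reject are decided
    # together. Once the bucket is empty the rule stops matching, the chain
    # runs out of rules and RETURNs to NEW_ACCEPT, exactly as described.
    $ipt -A LOG_REJECT $(gate newreject) -j DO_LOG_REJECT

    # DO_LOG_REJECT: log, then refuse (RST for TCP, ICMP unreachable otherwise).
    $ipt -A DO_LOG_REJECT -j LOG --log-prefix "NEW_REJECT: "
    $ipt -A DO_LOG_REJECT -p tcp -j REJECT --reject-with tcp-reset
    $ipt -A DO_LOG_REJECT -j REJECT
}

case "${1:-}" in
    --apply) build_rules iptables ;;
    *)       build_rules echo ;;
esac
```

Two things worth noticing in this layout. First, `-m limit` keeps a single token bucket per rule, not per source, so a flood from one address does drain it for everyone; but in this arrangement the bucket only decides whether an already unwanted connection is logged and rejected or silently dropped, because the ACCEPT rules for the wanted services sit above it and are never rate-limited. Second, `hashlimit` is what you reach for when a separate budget per source address is wanted (`--hashlimit-upto` is the current spelling of the rate option; older iptables used `--hashlimit`). Re-running the script against a live ruleset needs the three chains flushed or deleted first.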
