On Tuesday 15 October 2002 10:21 pm, Svein E. Seldal wrote:

> Hello,
>
> The root of my problem was this:
>
> [0:0] -A SYNFLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
>
> [0:0] -A SYNFLOOD -j DROP
>
> [0:0] -A CHECK -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SYNFLOOD
>
> When the HTTP/FTP-clients etc. spawned several connections (in this case
> >4) to download files, the router blocked them.
>
> I guess that it adds protection to keep the SYNFLOOD check there. What
> are sensible values to use on -m limit, making it work for flooding, yet
> not stopping normal clients?

I would suggest that 10 connections within one second is reasonable for a
normal client. However, 30 connections within 3 seconds would seem
excessive. 50 concurrent connections within any period of time from one
client to one server seems unnecessary.

It would be nice if there were a way in netfilter to limit the number of
half-open connections to/from a given machine - then you could accept all
the SYNs you liked, so long as they were followed by SYN-ACK and ACK, but
SYNs without a SYN-ACK, or SYN-ACKs without an answering ACK, would get
blocked.

Antony.

--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
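The quoted SYNFLOOD chain is a token bucket: `--limit-burst` is the bucket size, `--limit` the refill rate, and a SYN that finds the bucket empty falls through to the DROP rule. The model below is an added illustration (not netfilter's code, though it keeps the kernel match's integer-credit arithmetic) that replays a constructed burst of 6 client SYNs and a constructed 100-SYN flood through the quoted settings and through the 10/s figure from the reply; `-m limit` keeps one bucket per rule for all sources, so it cannot tell one client's parallel downloads from a flood, which is what the closing wish for a per-machine half-open limit is about.

```python
"""Model of `-A SYNFLOOD -m limit --limit R/s --limit-burst B -j RETURN`
followed by `-A SYNFLOOD -j DROP`.  Added example, not netfilter source."""


class LimitMatch:
    """Credit bucket in milliseconds, like the kernel's limit match:
    each SYN costs `cost` ms of credit, credit refills with wall time,
    and the bucket is capped at `burst` SYNs' worth."""

    def __init__(self, rate_per_sec, burst):
        self.cost = 1000 // rate_per_sec   # ms of credit one SYN costs
        self.cap = self.cost * burst       # never more than `burst` SYNs stored
        self.credit = self.cap             # bucket starts full
        self.prev_ms = 0

    def matches(self, now_ms):
        # refill for the time elapsed since the previous SYN, capped
        self.credit = min(self.cap, self.credit + (now_ms - self.prev_ms))
        self.prev_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True    # rule matches -> -j RETURN, SYN continues
        return False       # no credit -> falls through to -j DROP


def run_synflood_chain(syn_times_ms, rate_per_sec, burst):
    """Verdict ('RETURN' or 'DROP') for each SYN arrival time in ms."""
    limit = LimitMatch(rate_per_sec, burst)
    return ["RETURN" if limit.matches(t) else "DROP" for t in syn_times_ms]


def verdict_counts(syn_times_ms, rate_per_sec, burst):
    """(passed, dropped) for a trace under the given limit settings."""
    verdicts = run_synflood_chain(syn_times_ms, rate_per_sec, burst)
    return verdicts.count("RETURN"), verdicts.count("DROP")


# Constructed traffic: a browser opening 6 parallel connections in 50 ms
CLIENT_BURST_MS = [0, 10, 20, 30, 40, 50]
# Constructed flood: 100 SYNs evenly spread over one second
FLOOD_MS = [i * 10 for i in range(100)]

if __name__ == "__main__":
    # quoted rule, --limit 1/s --limit-burst 4: the 5th and 6th SYN are dropped
    print("1/s burst 4, client:", verdict_counts(CLIENT_BURST_MS, 1, 4))
    # the reply's ~10 connections per second: the whole client burst passes
    print("10/s burst 10, client:", verdict_counts(CLIENT_BURST_MS, 10, 10))
    # the same setting still sheds most of a 100 SYN/s flood
    print("10/s burst 10, flood:", verdict_counts(FLOOD_MS, 10, 10))
```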