On Wednesday 05 November 2003 3:06 pm, tsh@xxxxxxxxxxxxxxxxx wrote:
> I was thinking about just this the other night, and it seems to me that
> such a rule should be rejecting stuff which exceeds the rate limit rather
> than accepting stuff which doesn't exceed it, since the -j ACCEPT will mean
> that any subsequent rules in a FORWARD table won't be tested.
>
> Something like
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit ! limit
> 1/s -j DROP

Why do people want to ACCEPT any packets of this type at all?

If a packet is part of an ESTABLISHED connection then it is going to pass through your FORWARD chain on the connection tracking rule; if a packet is not part of an ESTABLISHED connection, then it's either a valid new connection (in which case you ACCEPT it), or else it isn't (in which case you don't ACCEPT it).

I can't quite see why you would want to accept even a slow rate of such packets.

Regards,

Antony.

-- 
This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour, or irrational religious beliefs. If you have received this email in error, you are required to shred it immediately, add some nutmeg, three egg whites and a dessertspoonful of caster sugar. Whisk until soft peaks form, then place in a warm oven for 40 minutes. Remove promptly and let stand for 2 hours before adding some decorative kiwi fruit and cream. Then notify me immediately by return email and eat the original message.

Please reply to the list; please don't CC me.
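The FORWARD chain layout Antony describes, written out as an added example (this is not a script from the thread or from the netfilter project): the connection-tracking rule comes first, so the RST/FIN/ACK packets of a tracked connection are accepted there without any flag-specific rule; new connections are accepted only where policy allows; everything else falls through to DROP. The interface names eth0/eth1 are assumed. By default the script only prints the commands so the ruleset can be reviewed; setting APPLY=1 runs them.

```shell
#!/bin/sh
# Added example: a FORWARD chain built around connection tracking, as
# described in the reply above. Not from the original thread.
# Default mode prints the iptables commands; APPLY=1 executes them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"   # assumed: inside interface
WAN_IF="${WAN_IF:-eth0}"   # assumed: outside interface
APPLY="${APPLY:-0}"

# run: print the command (review mode) or execute it (APPLY=1).
run() {
    if [ "$APPLY" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

forward_rules() {
    # Default policy: anything not explicitly accepted is dropped.
    run -P FORWARD DROP
    run -F FORWARD

    # 1. Packets belonging to a tracked connection, including its
    #    RST/FIN teardown, are accepted here. No separate RST rule,
    #    rate-limited or otherwise, is needed for legitimate traffic.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. New connections are only allowed outbound, LAN -> WAN.
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT

    # 3. Everything else (stray RSTs, INVALID packets, unsolicited inbound
    #    SYNs) is logged at a bounded rate and dropped. This is the place
    #    where "-m limit" earns its keep: it limits log volume, not what
    #    gets accepted.
    run -A FORWARD -m limit --limit 1/s -j LOG --log-prefix "FORWARD-DROP: "
    run -A FORWARD -j DROP
}

forward_rules
```

Two notes on the design. First, the limit match cannot be inverted, so a rule of the form "DROP everything above 1/s" is not expressible with `-m limit` alone; with conntrack in front there is no need for it, because an RST that does not belong to a tracked connection is simply dropped by the policy. Second, `-m state --state` is the idiom of the 2003 thread; current iptables spells the same thing `-m conntrack --ctstate`, with identical ordering logic.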