On Wed, 2004-01-28 at 12:08, Axel Heinrici wrote: > Hi > > On Wednesday 28 January 2004 09:14, Ray Leach wrote: > > > > You can use the limit support to limit packet rates: > > > > ### syn-flood chain > > $IPTABLES -N syn-flood > > $IPTABLES -A syn-flood -i $IFACE_INET -m limit --limit 75/s > > --limit-burst 100 -j RETURN > > $IPTABLES -A syn-flood -i $IFACE_DMZ -m limit --limit 75/s > > --limit-burst 100 -j RETURN > > $IPTABLES -A syn-flood -i $IFACE_INT -j RETURN > > $IPTABLES -A syn-flood -j LOG --log-prefix "SYN-FLOOD: " > > $IPTABLES -A syn-flood -j DROP > > > > $IPTABLES -A INPUT -i $IFACE_INT -p tcp --syn -j syn-flood > > $IPTABLES -A INPUT -i $IFACE_DMZ -p tcp --syn -j syn-flood > > $IPTABLES -A INPUT -i $IFACE_INET -p tcp --syn -j syn-flood > > > I have a questions on this. As I interpret the rules any packet with is > not catched by the two limit-rules is targeted to LOG. > Due to the huge number of possible SYN-Packets in a dos-attack this does > not seem useful to me. Shouldn't there be a "-m --limit > 10/minute" in the log-rule? The LOG rule is so I can trace where the DOS came from. The limit of 75/s is assuming that our 512K line is capable of receiving that many packets per second (if it isn't, then we better start looking for new hardware). > > with kind regards > Axel -- -- Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx> Network Support Specialist http://www.knowledgefactory.co.za "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import" Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28 --
Attachment:
signature.asc
Description: This is a digitally signed message part
