Limited maximum connections and a simple accept established help, but we need more. Currently looking into modifying the set patch to handle this large number. If not iptables then OpenBSD pf.
That's why you are looking into ipset.... I asked a similar question a while ago... need to check to see if there is a 2.6.x version out now.
We do get up to 100 smtp connections from a simple IP during peak times.
If you allow a simple IP to make 100 smtp connections to your mail server then you have other problems. Why you would allow any IP to make more than 10-15 connections is beyond me. Also .. if you set an error limit (example mine is 5) when that limit is reached the smtp and tcp connection are dropped.
postfix does not have per-IP connection limiting and this goes for sendmail (if you've got a ruleset for that please post) and for tcpserver (qmail-smtpd).
I am not saying that you should not block abusive IPs or networks at the
Also what about ESTABLISHED connections ??? If you do not use an ESTABLISHED state -j ACCEPT at the top ... then each IP would then in theory have to match 1 million rules every time it came in.
I am sure there is a better answer than to create 1 million iptables rules.
Which is why Timothy is asking about ipset/ippool functionality.
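The two points raised above (an ESTABLISHED accept at the top of the chain, and one ipset match instead of a million per-address rules) put together as an added example; this is not a ruleset from anyone in the thread. It writes an iptables-restore file rather than applying anything, and the set name `smtp_block`, the per-source cap of 15 and the checker functions are assumptions of this example.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset (text only, nothing is applied here).
# Order matters: the ESTABLISHED,RELATED accept is the first INPUT rule, so
# packets of existing sessions match once and never walk the rest of the chain.
# Assumed: an ipset named "smtp_block" (hash:ip) already exists, and 15
# concurrent SMTP connections per source address is the chosen cap.
gen_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. existing sessions: one match, no further traversal
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# 2. one set lookup instead of one rule per blocked address
-A INPUT -p tcp --dport 25 -m set --match-set smtp_block src -j DROP
# 3. cap concurrent SMTP connections per /32 source; reset the excess
-A INPUT -p tcp --dport 25 --syn -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 25 --syn -j ACCEPT
COMMIT
EOF
}

# Lint: the first -A INPUT rule must be the ESTABLISHED accept; otherwise
# every packet of every open session re-walks the whole chain.
# Returns 0 when the ordering is right, 1 when it is not.
check_established_first() {
  first=$(printf '%s\n' "$1" | grep '^-A INPUT' | head -n 1)
  case "$first" in
    *ESTABLISHED*ACCEPT*) return 0 ;;
    *) return 1 ;;
  esac
}

# How many INPUT rules a fresh SMTP SYN from an unlisted, under-limit host
# walks before it is accepted (prints the 1-based rule position).
rules_before_smtp_accept() {
  printf '%s\n' "$1" | grep '^-A INPUT' \
    | awk '/--dport 25 --syn -j ACCEPT/ { print NR; exit }'
}

rs=$(gen_ruleset)
printf '%s\n' "$rs" > /tmp/smtp-rules.v4   # apply later with: iptables-restore < /tmp/smtp-rules.v4
check_established_first "$rs" && echo "ESTABLISHED accept is first"
echo "new SMTP SYN walks $(rules_before_smtp_accept "$rs") rules"
```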