Here, I'm using -m recent to avoid DoS attacks. From the same source IP, I
only permit 3 new connections each 5 seconds to my mail ports. (control it
for each, not both)

On Saturday 05 February 2005 20:37, Mike Ireton wrote:
> Howdy list,
>
> I'm concerned about portscanning viruses which have infected customer
> machines and are using all of that subscriber's outbound to scan for
> (say) open port 445's all over the net. This isn't good for the wireless
> and tends to use up substantial resources in disproportion to the amount
> of data actually being moved. I have control over all my subscribers'
> CPE gear (running a custom embedded Linux distro) and I am considering
> including an outbound firewalling feature to slow the rate at which new
> connections can be established. Basically, I want to ratelimit outbound
> SYNs to some sane number (5/sec to start). I already have QoS and
> bandwidth control in place at the CPE side, but this job is more
> 'packets per second' oriented than 'bytes per second'.
>
> I've looked at various cookbook examples of using '-m limit 5/s' and did
> rules like '-p tcp --tcp-flags SYN -m limit --limit 5/s -j DROP', but I
> effectively cut myself off and couldn't make any connections at all.
> Does anyone have a code snippet that you could share which would do this
> job for me?
>
> Thanks.
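The two rate-limiting schemes discussed in this thread, written out as an added example (not a script from either poster): a global outbound SYN budget with -m limit, arranged so that packets within the budget are accepted and only the excess is dropped (the "-m limit ... -j DROP" rule in the question drops exactly the packets the limit match lets through, which is why it cut everything off), and the per-source -m recent scheme from the reply, 3 new connections per 5 seconds to a given port, with one list per port so each port gets its own budget. The LAN interface name, the port numbers and the DRY_RUN switch are assumptions added for illustration; with DRY_RUN=1 (the default) the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example: outbound new-connection rate limiting on a Linux CPE.
# Set DRY_RUN=0 to actually load the rules (needs root and iptables).
LAN_IF="${LAN_IF:-eth1}"      # assumption: LAN-facing interface of the CPE
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Scheme 1: global outbound SYN budget, 5 per second with a burst of 10.
# '-m limit' MATCHES packets that are still within the budget, so the
# in-budget rule must RETURN/ACCEPT and the DROP must come afterwards.
# '--syn' is shorthand for '--tcp-flags SYN,RST,ACK,FIN SYN'; the long
# form takes two arguments (mask, then the flags that must be set).
syn_limit_rules() {
    ipt -N OUT_SYN_LIMIT
    ipt -A OUT_SYN_LIMIT -m limit --limit 5/s --limit-burst 10 -j RETURN
    ipt -A OUT_SYN_LIMIT -j DROP
    ipt -A FORWARD -i "$LAN_IF" -p tcp --syn -j OUT_SYN_LIMIT
}

# Scheme 2: per-source limit with '-m recent' for one destination port.
# Each outbound SYN stamps the source IP in list "newconn_<port>" first,
# so the current packet counts; the 4th SYN seen within 5 seconds then
# matches '--hitcount 4' and is dropped, i.e. 3 new connections per
# 5 seconds per source. '--update' also refreshes the timestamp on every
# dropped packet, so a host that keeps hammering stays blocked.
recent_limit_rules() {
    port="$1"
    ipt -A FORWARD -i "$LAN_IF" -p tcp --syn --dport "$port" \
        -m recent --name "newconn_$port" --set
    ipt -A FORWARD -i "$LAN_IF" -p tcp --syn --dport "$port" \
        -m recent --name "newconn_$port" --update --seconds 5 --hitcount 4 \
        -j DROP
}

# Usage: global SYN budget, plus per-source budgets for 445 and 25
# (assumed ports; the reply applied this to its mail ports).
syn_limit_rules
recent_limit_rules 445
recent_limit_rules 25
```

The -m recent lists are kept per port on purpose: a host that has used its 3 connections to port 445 is not also locked out of port 25. Raising the hitcount or lowering the window tunes how aggressive the limit is; the global -m limit chain is the coarse safety net the question asked for, and the per-source lists stop one infected machine from consuming the whole budget.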