Then you would likely be better off putting in rules to drop traffic in the forward, input and output chains for those port/protocol combos that should not be passing the perimeter. The reason for the input rules is there are tons of sites that filter egress poorly and tons of totally unfiltered machines on the net, so there's no reason to have the firewall even look at such traffic besides just dropping it outright, as its forward rules do <inside going out, and outside coming in>. For the most part, traffic I'm not allowing to pass I tend to not log as well; why clutter the logs with what is effective? The interesting stuff is in what is allowed to pass, after all.

All the rate-limiting things folks are putting into some of the posted firewall scripts on the netfilter and related sites are interesting to look at, but they add to the complexity, and in many cases to the processing latencies of traffic traversal of the firewall. After all, its job is to limit. Too often we tend to forget the fundamentals, like KISS... It's often much more effective and processing sweet to just be broad and bold with traffic at the perimeter than to try to get fancy and 'play' with offenders on either side of the perimeter. As I mentioned in the previous, if these nasties need to be passed, then a VPN, preferably through an intelligent proxy, rather than a mere plug is the way to go <most proxies tend to be mere plugs, we've found>. The only place I'd look at rate limiting in this context might be a '*routing* firewall' in front of a honey pot setup for trickery, fun and analysis. Of course YMMV...

Thanks,

Ron DuFresne

On Sat, 5 Feb 2005, Mike Ireton wrote:

> I'm not, and that's the point. I aim to put a condom on the customer
> side of the link so that they _can't_ engage in this behavior, no matter
> what virus or stealth zombie ddos tool they have been infected with.
> This gets me out of having to play traffic cop and is one more way I
> ensure that the service can't be (easily) abused.
>
> R. DuFresne wrote:
>
>> Why are you letting this traffic traverse your perimeters in the first
>> place? If there is a need to pass windows related problematic protocols
>> across perimeters, they should be tunneled in a secure connection.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>
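The "drop it outright in INPUT, FORWARD and OUTPUT, and don't bother logging it" approach Ron describes, written out as an added example (not a script from the thread or from the netfilter project). It generates the iptables commands instead of applying them, so it can be reviewed first; the specific ports (MS RPC 135, NetBIOS 137/138/139, SMB 445) are my assumption of what "windows related problematic protocols" means, since the thread names none.

```bash
#!/bin/sh
# Added example: emit iptables rules that drop Windows file-sharing traffic
# at the perimeter in all three built-in chains, silently (no LOG target).
# Port list is an assumption; the original posts do not name ports.
IPT=${IPT:-/sbin/iptables}
DROP_CHAIN=NOISY_DROP
# proto:port pairs for MS RPC endpoint mapper, NetBIOS name/datagram/session, SMB.
BLOCKED="tcp:135 udp:135 udp:137 udp:138 tcp:139 tcp:445"
CHAINS="INPUT FORWARD OUTPUT"

# Print the commands; review the output, then pipe it to sh to apply.
gen_drop_rules() {
    # One user-defined chain holds the drops so each built-in chain needs
    # only a single jump at position 1 and the rest of the ruleset is never
    # evaluated for this traffic, in either direction.
    printf '%s -N %s\n' "$IPT" "$DROP_CHAIN"
    for pp in $BLOCKED; do
        proto=${pp%%:*}
        port=${pp##*:}
        printf '%s -A %s -p %s --dport %s -j DROP\n' \
            "$IPT" "$DROP_CHAIN" "$proto" "$port"
    done
    # Anything not matched above goes back to the calling chain.
    printf '%s -A %s -j RETURN\n' "$IPT" "$DROP_CHAIN"
    for chain in $CHAINS; do
        printf '%s -I %s 1 -j %s\n' "$IPT" "$chain" "$DROP_CHAIN"
    done
}

# Number of commands generated: 1 chain creation + one DROP per pair
# + 1 RETURN + one jump per built-in chain.
count_drop_rules() {
    gen_drop_rules | wc -l | tr -d ' '
}

# Convenience: does the generated set cover a given proto/port in every chain?
covers() {
    gen_drop_rules | grep -q -- "-p $1 --dport $2 -j DROP"
}
```

Run `sh thisfile.sh` with `gen_drop_rules` appended to preview, or `gen_drop_rules | sh` as root to apply; set `IPT=/sbin/ip6tables` to generate the same set for IPv6.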