Re: --limit 5/m doesn't work

On Wed, 23 Mar 2005, Jason Opperisano wrote:

> On Wed, 2005-03-23 at 03:21, ASHISH wrote:
> > The rule that you have mentioned will "Accept" the first five matches.
>
> to split hairs here--the way the OP has the rule written:
>
> iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 5 -j ACCEPT
>
> it will actually accept the first 10 packets, the limit of 5 + the burst
> of 5--then the limit will enforce for 5 minutes.

Huh?  I'm pretty sure that's not true, as I remember figuring this out
once upon a time.  I'll go back to my notes but, as I *remember* it,
it's easiest to think in terms of tokens.  "limit-burst" means you get
that many tokens with which to "pay" to accept incoming packets.  If
you start with a limit-burst of, say, 20, then you can accept the
first 20 packets, regardless of how fast they arrive -- they just cost
you all of your tokens almost immediately.

The "limit" of 5/m means that you are replenished with another token
at that rate -- effectively every 12 seconds -- but only up to your
limit-burst maximum of 20.

What this means is that, if you're getting just hammered, when you
start, you'll accept the first 20 packets and, after that, another one
every 12 seconds.  If things quiet down, then you're allowed to build
up your reserve of tokens again, but only up to your limit-burst.

I actually set up a set of rules once and *watched* this happen.

Does that make sense?

rday
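The token-bucket behaviour described in the reply above, written out as a small simulation. This is an added example, not code from the thread and not the kernel's own xt_limit module; it models a bucket that starts full with `--limit-burst` tokens, spends one per matching packet, and refills at the `--limit` rate without ever exceeding the burst. The real module accounts its credit in jiffies, so exact timings can differ by a clock tick. Arrival times and rule parameters below are constructed for the demonstration.

```python
"""Token-bucket model of iptables' `-m limit --limit RATE --limit-burst N`.

Added example, not the thread's code and not the kernel's xt_limit module.
Model: the bucket starts full with `burst` tokens, each matching packet
spends one, and tokens come back at the `--limit` rate, capped at `burst`.
The real module keeps its credit in jiffies, so timings may differ by a tick.
"""
from dataclasses import dataclass, field
from fractions import Fraction

# iptables --limit units; a bare number means per second.
RATE_UNITS = {
    "s": 1, "sec": 1, "second": 1,
    "m": 60, "min": 60, "minute": 60,
    "h": 3600, "hour": 3600,
    "d": 86400, "day": 86400,
}


def parse_limit(spec: str) -> Fraction:
    """Convert an iptables --limit spec such as '5/m' or '3/hour' into
    tokens per second, as an exact Fraction so the refill arithmetic
    never drifts (11/12 + 1/12 must come out as exactly 1)."""
    num, _, unit = spec.partition("/")
    return Fraction(num) / RATE_UNITS[unit or "s"]


@dataclass
class LimitBucket:
    """State of one `-m limit` rule: one bucket per rule, not per source."""
    limit: str = "5/m"
    burst: int = 5                       # iptables' default --limit-burst
    rate: Fraction = field(init=False)
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self) -> None:
        self.rate = parse_limit(self.limit)
        self.tokens = Fraction(self.burst)   # bucket is full when the rule is loaded

    def match(self, now) -> bool:
        """Return True if a packet arriving at `now` (seconds) matches the rule."""
        now = Fraction(now)
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(arrivals, limit="5/m", burst=5):
    """Run a non-decreasing sequence of arrival times (seconds) through a
    single rule and return [(time, matched), ...]."""
    bucket = LimitBucket(limit, burst)
    return [(t, bucket.match(t)) for t in arrivals]


def matched_count(results) -> int:
    """Number of packets the rule matched in a simulate() result."""
    return sum(1 for _, ok in results if ok)


if __name__ == "__main__":
    # Constructed traffic: 30 packets inside the first second (a flood),
    # then one packet every 6 s, then silence until t=600 s and 25 more.
    flood = [Fraction(i, 100) for i in range(30)]
    trickle = [1 + 6 * k for k in range(1, 11)]
    after_quiet = [600] * 25
    for t, ok in simulate(flood + trickle + after_quiet, "5/m", burst=20):
        print(f"t={float(t):7.2f}s  {'matched' if ok else 'no match'}")
```

With `--limit 5/m --limit-burst 20` the run matches the first 20 flood packets, then every second trickle packet (one token per 12 seconds, packets 6 seconds apart), and after the quiet spell the bucket is full again and 20 of the 25 late packets match. Two things to keep in mind when turning the model into a ruleset: `-m limit` only decides which packets *match*, so with `-j ACCEPT` the packets over budget simply continue to the next rule or the chain policy, and the bucket is shared by every packet hitting that one rule; per-source budgets are what `-m hashlimit` is for.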
