Hello Grant,

Thanks for your response.

> Just a quick guess, but it looks like you are matching all SSH
> packets, not just those of a connection trying to be established.

I was thinking I was:

1. Letting NEW packets just pass ('la' stands for log&accept) but counting them. (those I take are initiating the client connection to the server)
2. Limiting those NEW packets at 5 every 60 seconds. ('ld' stands for log&drop)

I intend to count/limit only connection initiations, leaving alone the rest. I can't figure out where I catch more than I think I catch.

Best regards,

--
Olivier K