Hello!

There's some mess in the figures:

    # iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit --limit 1/s --limit-burst 50 -j ACCEPT
    # iptables -A INPUT -p tcp -s 111.222.111.222 --syn -m limit --limit-burst 1000 -j LOG

Do I understand right that, according to the first rule, only 50 SYN packets per second can pass through it? If I am right, then it can be checked like this: I launch "telnet dst_host 80" 50 times all at once and look at the counters:

    50 2600 ACCEPT
    0 0 LOG

Launch telnet 50 times again:

    66 3432 ACCEPT
    34 1768 LOG

So 50 packets came, but why did only 16 come through the first rule?

--
BRGDS. Alexey Vlasov.
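How the `limit` match counts packets, as an added example that is not part of the original post: a token-bucket model of `-m limit`, where `--limit-burst` is the bucket size and `--limit` is the refill rate (the second rule gets the iptables default of 3/hour). The 16-second gap between the two telnet batches is an assumption chosen to reproduce the counters; the post does not state the timing.

```python
class LimitMatch:
    """Token-bucket model of iptables `-m limit` (simplified, not kernel code)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec      # --limit, converted to packets per second
        self.burst = burst            # --limit-burst: bucket capacity
        self.tokens = float(burst)    # the bucket starts full
        self.last = 0.0               # time of the previous evaluation

    def matches(self, now):
        # Refill for the time elapsed since the last packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1          # each matching packet costs one token
            return True
        return False                  # bucket empty: the rule does not match


def run_batches(batch_sizes, gap_seconds):
    """Send batches of simultaneous SYNs; return (ACCEPT, LOG) counters after each."""
    accept = LimitMatch(rate_per_sec=1.0, burst=50)        # rule 1 from the post
    log = LimitMatch(rate_per_sec=3 / 3600, burst=1000)    # rule 2, default 3/hour
    accepted = logged = 0
    snapshots = []
    for i, size in enumerate(batch_sizes):
        now = i * gap_seconds         # assumed spacing between batches
        for _ in range(size):
            if accept.matches(now):
                accepted += 1         # ACCEPT ends traversal for this packet
            elif log.matches(now):
                logged += 1           # falls through to the LOG rule
        snapshots.append((accepted, logged))
    return snapshots


if __name__ == "__main__":
    # Constructed scenario: two batches of 50 SYNs, 16 seconds apart.
    for accepted, logged in run_batches([50, 50], gap_seconds=16):
        print(f"{accepted} ACCEPT  {logged} LOG")
```

In this model the first batch drains the full burst of 50, and the second batch is accepted only up to the number of tokens refilled at 1/s since then; the remainder falls through to the LOG rule.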