Hi.
Using the same setup as described here
(http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/40849) I have one
problem:
At least ping (if not limiting with -c), and possibly other services,
just goes crazy and massively sends ECHO requests when the packets are
rejected (because no IPsec handling would be done).
This really eats up my CPU ;)
Is there some smart way to just limit the rate on those rejects? e.g.
something like a "wait with sending the reject for a second" target?
And would that even make sense?
I've tried it using the limit match and following rules (see the other
rules in the link above):
-A ipsec-only-in ! --protocol esp -m limit --limit 10/second -j REJECT --reject-with icmp-admin-prohibited
-A ipsec-only-in ! --protocol esp -j DROP
-A ipsec-only-out ! --protocol esp -m limit --limit 10/second -j REJECT --reject-with icmp-admin-prohibited
-A ipsec-only-out ! --protocol esp -j DROP
The intention was that once the limit is reached, no REJECTs are
produced any longer and the packets are dropped instead (and the client
then hopefully waits some time before sending again).
But this is obviously rather ugly and doesn't work very well.
Are there any other possibilities?
Thanks,
Chris.
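An added illustration, not code from Chris's post or from netfilter: a token-bucket model of the `limit` match as used in the rules above, showing which packets of a flooding ping would reach the REJECT rule and which fall through to the unconditional DROP. The rate (10/second) comes from the post, the burst of 5 is netfilter's `--limit-burst` default, and the ping timing is constructed.

```python
"""Token-bucket model of the iptables 'limit' match.

This is a simplified model, not the xt_limit kernel code: the bucket
starts full with `burst` tokens, refills at `rate` tokens per second up
to `burst`, and the match succeeds only when a whole token is available.
In the poster's chain a matching packet hits REJECT and a non-matching
one falls through to the unconditional DROP rule.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate: float             # tokens per second, e.g. 10 for --limit 10/second
    burst: int = 5          # --limit-burst; netfilter's default is 5
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full

    def matches(self, now: float) -> bool:
        # Refill for the time elapsed since the last packet, capped at burst.
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def ipsec_only_verdicts(timestamps, rate=10.0, burst=5):
    """Verdict per non-ESP packet under the two-rule chain from the post:
    '-m limit --limit <rate>/second -j REJECT' followed by '-j DROP'."""
    lim = LimitMatch(rate=rate, burst=burst)
    return ["REJECT" if lim.matches(t) else "DROP" for t in timestamps]


# Constructed sample: a ping flood of 20 packets within 50 ms (what the post
# describes), followed by 5 packets spaced 100 ms apart (a sender that backed off).
FLOOD = [i * 0.0025 for i in range(20)] + [0.05 + k * 0.1 for k in range(1, 6)]

if __name__ == "__main__":
    verdicts = ipsec_only_verdicts(FLOOD)
    for t, v in zip(FLOOD, verdicts):
        print(f"t={t:.4f}s  {v}")
    print(f"{verdicts.count('REJECT')} rejected, {verdicts.count('DROP')} dropped")
```

Only the first five packets of the burst draw a REJECT; the rest are dropped until the sender slows to the configured rate, at which point every packet is rejected again.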