On Wednesday 2010-10-06 14:21, Christoph Anton Mitterer wrote:

> Hi.
>
> Using the same setup as described here
> (http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/40849)
> I have one problem:
>
> At least ping (if not limiting with -c), and possibly other services, just goes
> crazy and massively sends ECHO requests when the packets are rejected (because
> no IPsec handling would be done).
> This really eats up my CPU ;)
>
> Is there some smart way to just limit the rate on those rejects? e.g. something
> like a "wait with sending the reject for a second" target?

-m hashlimit --hashlimit 1/second

> And would that even make sense?

Yes, applications for hashlimiting have been found
http://jengelh.medozas.de/documents/Chaostables.pdf
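A concrete rule set for the hashlimit approach suggested in the reply, as an added example that is not from the original thread: packets that would otherwise be rejected are sent through a chain where xt_hashlimit lets one REJECT per source address per second through and silently drops the rest, so a sender that retries on every reject cannot keep the CPU busy. The chain name, the `-m policy --dir in --pol none` selector for traffic that arrived without IPsec, and the dry-run `IPT` variable are assumptions; the poster's actual setup from the linked thread is not reproduced.

```shell
#!/bin/sh
# Added example: rate-limit REJECT replies with xt_hashlimit instead of
# answering every rejected packet. IPT defaults to a dry run that only
# prints the iptables commands; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Emit the rules for a chain that sends at most $rate rejects per source IP
# and drops everything above that rate without any reply.
# Arguments: chain name (default RL_REJECT), rate (default 1/second).
ratelimited_reject_rules() {
    chain="${1:-RL_REJECT}"
    rate="${2:-1/second}"
    $IPT -N "$chain"
    # --hashlimit-upto is the current spelling of the --hashlimit option in
    # the reply; burst 1 means the very first packet gets a reject and the
    # next one is only answered once the per-source bucket has refilled.
    $IPT -A "$chain" -m hashlimit --hashlimit-upto "$rate" --hashlimit-burst 1 \
        --hashlimit-mode srcip --hashlimit-name "$chain" -j REJECT
    # Everything above the rate is dropped silently: no ICMP error is
    # generated, so an unbounded ping just sees lost packets.
    $IPT -A "$chain" -j DROP
}

# Hook the chain into INPUT for traffic that did not arrive through an
# IPsec SA (assumed selector; replace with whatever rule currently rejects).
hook_rules() {
    chain="${1:-RL_REJECT}"
    $IPT -A INPUT -m policy --dir in --pol none -j "$chain"
}

ratelimited_reject_rules RL_REJECT 1/second
hook_rules RL_REJECT
```

Check the counters with `iptables -L RL_REJECT -v` after applying: the REJECT rule should stay at roughly one packet per second per source while the DROP rule absorbs the flood.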