Thank you. I hadn't known about hashlimits and flow. While it is still a bit different, this will work perfectly for what I need it to do. I suppose from here I'd be curious to know if the "recent" module has any benefits over "hashlimit" in iptables, and I suppose I'm still curious to know if it plans on being implemented in nftables or left out completely, if anyone knows.

Thank you,

On Fri, 28 Jul 2017 21:57:25 +0200 Martin Bednar <martin@xxxxxxxxxxx> wrote:
> On Thursday, 27 July 2017 22:59:59 CEST Perry Thompson wrote:
> > Hello all,
> >
> > It may be way too early to ask this question, but I thought I might
> > as well see if anyone has any information on it.
> >
> > Will the "recent" module or an option with a similar function be
> > introduced into nftables in the future? Are there any plans to
> > create something like this? It has always been a very good tool for
> > keeping bad IPs from touching my system.
>
> I think flow tables might fit the bill.
> https://wiki.nftables.org/wiki-nftables/index.php/Flow_tables
>
> I use them for filtering out SSH connection attempts, by allowing 3
> SYN packets per minute.
>
> tcp dport ssh ct state new flow table ssh { iif . ip saddr . tcp dport timeout 1h limit rate 3/minute } accept
>
>
> Cheers
>
> Martin.
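A complete input ruleset built around the rule Martin quotes, added here as an illustration and not taken from the thread or the nftables wiki. It assumes nftables 0.8.1 or later, where the "flow table" keyword of the 2017 syntax was renamed "meter" (the rule body is unchanged), and the meter size and log prefix are placeholder values.

```nft
#!/usr/sbin/nft -f
# Added example; assumes nftables >= 0.8.1 ("meter" replaces "flow table").

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Martin's rule in the 2017 syntax:
        #   tcp dport ssh ct state new flow table ssh { iif . ip saddr . tcp dport timeout 1h limit rate 3/minute } accept
        # Same rule with the current keyword. Every distinct (iif, source address, dport)
        # tuple gets its own token bucket that admits 3 new SSH connections per minute;
        # an entry that sees no traffic for 1h is expired from the meter.
        # "size 65535" bounds the meter so a flood of sources cannot grow it without limit.
        tcp dport ssh ct state new meter ssh-new size 65535 { iif . ip saddr . tcp dport timeout 1h limit rate 3/minute } accept

        # "ip saddr" only matches IPv4. Without a parallel IPv6 meter, IPv6 clients would
        # never be accepted here and would fall through to the drop rule below.
        tcp dport ssh ct state new meter ssh6-new size 65535 { iif . ip6 saddr . tcp dport timeout 1h limit rate 3/minute } accept

        # New SSH connections above the rate reach this rule: count and log them so the
        # excess attempts stay visible to whatever reads the kernel log, then drop.
        tcp dport ssh ct state new counter log prefix "ssh-ratelimit: " drop

        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
}
```

Load it with `nft -f <file>` and inspect the live buckets with `nft list meter inet filter ssh-new`; the counter on the drop rule shows how many attempts exceeded the rate.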