On 2022/07/06 05:36, Nuno Gonçalves wrote:
https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
I believe in this example ct will accept echo-request regardless of
the rate limit.
To fix it, the line
    icmp type echo-request limit rate 5/second accept
must be followed by
    icmp type echo-request drop
Also the same for icmpv6.
And ct must be moved to the end of the chain.
I suggest this is changed in the wiki.
Thanks,
Nuno
Hi Nuno,
The icmp and icmpv6 rules you refer to are in regular chains, both
called by base chain "inbound" that has policy drop and no other icmp /
icmp6 rules. Therefore there is no need for the additional "drop" rules
that you suggest; packets arriving faster than the limit rates will be
dropped by the calling base chain's default policy.
Best regards,
Frank
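A constructed nftables ruleset added here to illustrate the chain structure Frank describes (it is not the wiki page's ruleset; table and chain names are assumed), showing why the regular chains need no trailing drop when the calling base chain has policy drop, and the caveat when it does not:

```nftables
# Constructed illustration, not the wiki's ruleset. Table and chain names are assumed.
table inet filter {
    chain icmp_rules {
        # Regular chain: it has no policy of its own. An echo-request within the
        # rate matches and is accepted; one over the rate matches nothing here
        # and control simply returns to the base chain that jumped to us.
        icmp type echo-request limit rate 5/second accept
    }

    chain icmpv6_rules {
        icmpv6 type echo-request limit rate 5/second accept
    }

    chain inbound {
        # Base chain with policy drop: any packet not accepted here or in a
        # called chain falls off the end and is dropped by the policy, so an
        # explicit "icmp type echo-request drop" after the limited accept is
        # redundant in the regular chains above.
        type filter hook input priority 0; policy drop;

        ct state vmap { invalid : drop, established : accept, related : accept }
        iifname lo accept
        meta nfproto ipv4 jump icmp_rules
        meta nfproto ipv6 jump icmpv6_rules

        # Caveat: this only holds because the policy is drop. If this base chain
        # had "policy accept", over-the-limit echo-requests would return from
        # icmp_rules unmatched and be accepted by the policy, and the trailing
        # drop rules Nuno proposes would then be required.
    }
}
```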