iptables: overload on max-src-conn-rate?
So this is what I use in pf:
table <oloadtbl> persist pass in log on $if proto tcp from any to $ip1 port ssh keep state \ (max 30 max-src-conn 29 max-src-conn-rate 30/60 source-track overload <oload> flush global)
* * * * root /sbin/pfctl -t oloadtbl -T expire 600 > /dev/null 2>&1
I found some solution in teh interwebz, but to be honest, I don't quite understand them and I'm not going to copy/paste stuff I don't understand from sites I've never heard of.
For example from http://www.cyberciti.biz/tips/howto-...n-attacks.html
iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state
Why is the source port defined? Is that necessary?
Why do explicitly give the states? and why NEW and ESTABLISHED and not just one?
Is this *really* the easiest and most straightforward way to accomplish this?
... Maybe someone with more experience can explain this to me ...
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Last edited by Carpetsmoker; 13th May 2011 at 09:35 PM.
|Thread||Thread Starter||Forum||Replies||Last Post|
|Run multiple services on one port and use PF's overload to switch between them||Carpetsmoker||Guides||0||12th May 2010 10:44 PM|
|transfer rate||zomo||OpenBSD General||7||26th January 2009 03:00 AM|
|OpenBSD 4.4 and refresh rate 75||mfaridi||OpenBSD Installation and Upgrading||8||12th November 2008 12:05 PM|
|spoofing with iptables||dk_netsvil||General software and network||6||29th October 2008 08:22 PM|
|iptables fw redundancy||revzalot||Other BSD and UNIX/UNIX-like||3||17th June 2008 04:51 PM|