iptables: overload on max-src-conn-rate?
So this is what I use in pf:
Code:
table <oloadtbl> persist
pass in log on $if proto tcp from any to $ip1 port ssh keep state \
    (max 30 max-src-conn 29 max-src-conn-rate 30/60 \
     source-track overload <oloadtbl> flush global)
    # overload table name aligned with the table definition and the cron job below (posted as <oload>)
Code:
# system crontab (five time fields, then the user): expire table entries older than 600 s
* * * * * root /sbin/pfctl -t oloadtbl -T expire 600 > /dev/null 2>&1
I found some solutions on teh interwebz, but to be honest, I don't quite understand them and I'm not going to copy/paste stuff I don't understand from sites I've never heard of. For example, from http://www.cyberciti.biz/tips/howto-...n-attacks.html
Code:
iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state
# (third rule truncated as quoted in the post)
Why is the source port defined? Is that necessary? Why do you explicitly give the states? And why NEW and ESTABLISHED and not just one? Is this *really* the easiest and most straightforward way to accomplish this? ... Maybe someone with more experience can explain this to me ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Last edited by Carpetsmoker; 13th May 2011 at 09:35 PM.
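An added example, not from the original post or from the cyberciti page: a translation of the pf overload rule above into iptables using xt_recent (the module the quoted snippet also relies on) for the rate trigger and the ban list, and connlimit for the max-src-conn cap. The chain names SSH_LIMIT and SSH_FLAG, the list names sshcount and sshbad, and the dry-run default (IPT set to echo) are assumptions made for this example. It matches only NEW connections in INPUT and does not restrict client source ports; replies to accepted connections are ESTABLISHED and are handled by one generic conntrack rule, so no per-packet state list is needed on the rate-limit rules themselves.

```shell
#!/bin/sh
# Added example: iptables counterpart of the pf "source-track overload" rule.
# Dry-run by default (prints the commands); run with IPT=iptables to apply.
# Chain names SSH_LIMIT/SSH_FLAG and list names sshcount/sshbad are assumptions.
IPT=${IPT:-"echo iptables"}

RATE_HITS=30   # pf: max-src-conn-rate 30/60 -> the 31st NEW connection ...
RATE_SECS=60   # ... within 60 seconds trips the overload
BAN_SECS=600   # pf: pfctl -T expire 600 from the cron job
MAX_CONN=29    # pf: max-src-conn 29

# Caveat: xt_recent keeps at most ip_pkt_list_tot timestamps per address
# (historically 20 by default) and rejects a --hitcount above that value.
# Raise it before loading the rules when RATE_HITS+1 exceeds the default:
#   modprobe xt_recent ip_pkt_list_tot=$((RATE_HITS + 1))

ssh_ratelimit_rules() {
    $IPT -N SSH_LIMIT
    $IPT -N SSH_FLAG

    # SSH_FLAG: the equivalent of adding the source to <oloadtbl>.
    $IPT -A SSH_FLAG -m recent --name sshbad --set -j DROP

    # 1. Already flagged within BAN_SECS? Drop. --rcheck measures from the
    #    time the address was last --set, like pfctl -T expire does;
    #    --update would instead extend the ban on every further attempt.
    $IPT -A SSH_LIMIT -m recent --name sshbad --rcheck --seconds "$BAN_SECS" -j DROP
    # 2. Record this new-connection attempt for the source.
    $IPT -A SSH_LIMIT -m recent --name sshcount --set
    # 3. More than RATE_HITS attempts within RATE_SECS -> flag and drop.
    $IPT -A SSH_LIMIT -m recent --name sshcount --rcheck --seconds "$RATE_SECS" \
         --hitcount "$((RATE_HITS + 1))" -j SSH_FLAG
    # 4. max-src-conn: cap concurrent connections per source address.
    $IPT -A SSH_LIMIT -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 32 -j DROP
    # 5. Otherwise let the new connection through.
    $IPT -A SSH_LIMIT -j ACCEPT

    # Only NEW SSH connections are counted; replies on established
    # connections are accepted by the usual conntrack rule.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT
}

ssh_ratelimit_rules
```

The rule order inside SSH_LIMIT matters: the --set must run before the --rcheck --hitcount check so that the 31st attempt in the window is the one that trips it. Entries in the ban list can be inspected in /proc/net/xt_recent/sshbad, and writing -ADDRESS to that file removes one entry, the analogue of pfctl -t oloadtbl -T delete. Note that iptables has no direct counterpart of flush global; existing connections from a flagged source are left alone unless you also delete them with conntrack -D.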
Right, thanks ... --protocol does support "all", by the way ... 0/0 wasn't mentioned in the manpage anywhere though :-/
I spent pretty much all day configuring our new CentOS VPS at work ... We needed to get that up and running today and the only guy who knows CentOS/Linux had a day off today :-/ There were quite a few surprises along the way, and my head is itchy from being scratched so much ...