Re: [squid-users] iptables to limit connections

From: Ralf Hildebrandt <Ralf.Hildebrandt@dont-contact.us>
Date: Mon, 16 Jun 2003 13:15:59 +0200

* Henrik Nordstrom <hno@squid-cache.org>:
> On Monday 16 June 2003 10.58, Jay Turner wrote:
>
> > iptables -N syn-flood
> > iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
> > iptables -A syn-flood -m limit --limit 1/s --limit-burst 80 -j RETURN
> > iptables -A syn-flood -j LOG --log-prefix "syn-flood-protection: "
> > iptables -A syn-flood -j DROP
>
> Problem with this is that the same limit is applied to all
> connections. If one single IP address syn-floods the server then no
> new connections will be accepted from anywhere.

Exactly. But we only want to conveniently block the runaway client.

-- 
Ralf Hildebrandt (Im Auftrag des Referat V a)   Ralf.Hildebrandt@charite.de
Charite Campus Mitte                            Tel.  +49 (0)30-450 570-155
Referat V a - Kommunikationsnetze -             Fax.  +49 (0)30-450 570-916
AIM: ralfpostfix
Received on Mon Jun 16 2003 - 05:16:05 MDT
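Added example, not from the thread: the per-source counterpart of the quoted rules, using the iptables hashlimit match (one rate bucket per source address via --hashlimit-mode srcip) so that only the flooding client is throttled. Interface, chain name and limits are assumed values; by default the script only prints the rules, and loads them only with APPLY=1 as root.

```shell
#!/bin/sh
# Added example: per-source SYN rate limiting next to the thread's global
# limit. IFACE, CHAIN, RATE and BURST are assumptions, overridable via env.
set -eu

IFACE="${IFACE:-eth0}"
CHAIN="${CHAIN:-syn-flood}"
RATE="${RATE:-1/s}"
BURST="${BURST:-80}"

# Dry run by default: print the commands instead of changing the firewall.
if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"
else
    IPT="echo iptables"
fi

# Rules as quoted in the thread: one token bucket shared by every client,
# so a single flooding source exhausts it for everyone.
global_limit_rules() {
    $IPT -N "$CHAIN"
    $IPT -A INPUT -i "$IFACE" -p tcp --syn -j "$CHAIN"
    $IPT -A "$CHAIN" -m limit --limit "$RATE" --limit-burst "$BURST" -j RETURN
    $IPT -A "$CHAIN" -j LOG --log-prefix "syn-flood-protection: "
    $IPT -A "$CHAIN" -j DROP
}

# Per-source variant: hashlimit keeps a separate bucket per source IP
# (--hashlimit-mode srcip), so only the runaway client is logged and dropped.
per_source_limit_rules() {
    $IPT -N "$CHAIN"
    $IPT -A INPUT -i "$IFACE" -p tcp --syn -j "$CHAIN"
    $IPT -A "$CHAIN" -m hashlimit --hashlimit-upto "$RATE" \
        --hashlimit-burst "$BURST" --hashlimit-mode srcip \
        --hashlimit-name "$CHAIN" -j RETURN
    $IPT -A "$CHAIN" -j LOG --log-prefix "syn-flood-protection: "
    $IPT -A "$CHAIN" -j DROP
}

# Sanity check on the generated set: a per-source policy must key on srcip.
rules_are_per_source() {
    per_source_limit_rules | grep -q -- '--hashlimit-mode srcip'
}

# Print (or, with APPLY=1, load) the per-source rule set.
per_source_limit_rules
```

Watching the LOG lines afterwards shows which source addresses actually hit the limit, which the shared bucket could not tell you.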

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:23 MST