So this rule:
iptables -t NAT -A PREROUTING -p tcp -i eth0 --dport 80 -m hashlimit
--hashlimit 100/second \
--hashlimit-burst 100 --hashlimit-mode dstport --hashlimit-name
"rate limit 80"\
-J REDIRECT --to-port $AbuseServerTriggerAndNotifyPage
Should do the trick..
But as Amos wrote somewhere if I my memory is right about it..
The application level have some benefits..
While external_acl_type is very tempting a eCAP would be the better
choice for performence reasons.
ICAP has the upper hand while allowing concurrency by defalut.
So external_acl_type is nice and helps a lot but it would add some over
blocking... if I remeber right.
I have tried to read the eCAP docs in the past to make something like
the mentioned option avaliable but There is a place for more eCAP
examples for specific tasks to make more people use it.
Who is the expert on eCAP?
Thanks!
Eliezer
On 10/10/2013 12:38 AM, Alex Rousskov wrote:
>> How hard would it be to add a Forward proxy the option to send an error
>> >page to a runtime syn\accpet\other limit?
> If client usage information is available somewhere, then one can use an
> external_acl_type or eCAP/ICAP to block or redirect that client. No new
> options are needed.
>
>
> Cheers,
>
> Alex.
>
>
Received on Wed Oct 09 2013 - 21:58:09 MDT
This archive was generated by hypermail 2.2.0 : Thu Oct 10 2013 - 12:00:05 MDT