From: Ramoni <ramoni@databras.com.br>
To: netfilter@lists.netfilter.org
Subject: Re: Using -m limit to stop outbound portscanning viruses
Date: Sat, 5 Feb 2005 20:50:45 -0200
Message-ID: <200502052050.45656.ramoni@databras.com.br>
In-Reply-To: <42054ABB.5040700@tiedyenetworks.com>
Here, I'm using -m recent to avoid DoS attacks.
From the same source IP, I only permit 3 new connections every 5 seconds to my
mail ports. (The control is for each, not both.)
On Saturday 05 February 2005 20:37, Mike Ireton wrote:
> Howdy list,
>
> I'm concerned about portscanning viruses which have infected customer
> machines and are using all of that subscriber's outbound to scan for
> (say) open port 445's all over the net. This isn't good for the wireless
> and tends to use up substantial resources in disproportion to the amount
> of data actually being moved. I have control over all my subscriber's
> CPE gear (running a custom embedded linux distro) and I am considering
> including an outbound firewalling feature to slow the rate at which new
> connections can be established. Basiclly, I want to ratelimit outbound
> syn's to some sane number (5/sec to start). I already have qos and
> bandwidth control in place at the cpe side, but this job is more
> 'packets per second' oriented than 'bytes per second'.
>
> I've looked at various cookbook examples of using '-m limit 5/s' and did
> rules like '-p tcp --tcp-flags SYN -m limit --limit 5/s -j DROP', but I
> effectively cut myself off and couldn't make any connections at all.
> Does anyone have a code snippet that they could share which would do this job
> for me?
>
> Thanks.
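As an added example (not rules from Ramoni's or Mike's own setups), the following shell fragment builds the -m recent rule set Ramoni describes: per source address, at most HITS new TCP connections to PORTS within any WINDOW seconds. The chain name, port list, numbers and the FORWARD hook are assumptions; on a mail server the hook would be INPUT.

```shell
#!/bin/sh
# Added example, not code from the thread. Values below are assumed:
PORTS="25,465,587"   # destination ports to protect (constructed list)
WINDOW=5             # seconds, as in "3 new connections every 5 seconds"
HITS=3               # new connections allowed per source per WINDOW
HOOK="FORWARD"       # use INPUT when protecting the local host instead

# Emit the rules as text so they can be reviewed (and tested) before
# they touch a live firewall. Logic per source address:
#   1st..3rd SYN in the window: no match on --update, --set records a hit, ACCEPT
#   4th SYN while 3 hits are still within WINDOW seconds: --update matches, DROP
build_rules() {
    cat <<EOF
iptables -N SYNLIMIT
iptables -A ${HOOK} -p tcp --syn -m multiport --dports ${PORTS} -m conntrack --ctstate NEW -j SYNLIMIT
# Drop when this source already has ${HITS} new connections in the last ${WINDOW}s
iptables -A SYNLIMIT -m recent --name synlimit --update --seconds ${WINDOW} --hitcount ${HITS} -j DROP
# Otherwise record this attempt for the source and let the SYN through
iptables -A SYNLIMIT -m recent --name synlimit --set -j ACCEPT
EOF
}

# Apply only when explicitly requested and running as root; by default
# the script just prints the rule list for inspection.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    build_rules | sh
else
    build_rules
fi
```

Note that --update refreshes the source's timestamp on every dropped SYN, so a host that keeps retrying stays blocked until it has been quiet for WINDOW seconds (use --rcheck if the window should expire regardless). The '-m limit ... -j DROP' rule quoted in Mike's question cuts everything off because limit matches the packets that are within the rate, so DROP discards exactly the SYNs that should pass; the usual pattern is '-m limit ... -j ACCEPT' followed by a DROP, and --tcp-flags takes a mask and a comparison list, for which --syn is the shorthand.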