From: Mark Moseley <moseleymark@gmail.com>
To: Tib <tib@tigerknight.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: use of the limiting options
Date: Tue, 25 Jan 2005 12:17:22 -0800 [thread overview]
Message-ID: <294d5daa0501251217b1935c4@mail.gmail.com> (raw)
In-Reply-To: <Pine.LNX.4.53.0501251355270.24829@altaica>
It's used very often for logging, so that the logging doesn't swamp
the firewall's disk. Imagine you're dropping 100 packet/s and want to
log what's going on. You'd want to have the logging rule limited to
something like 1/s or whatever.
On Tue, 25 Jan 2005 13:56:25 -0600 (CST), Tib <tib@tigerknight.org> wrote:
>
> You're kidding o_O
>
> I guess it makes sense.. the connections will trip that rule until it is
> satisfied and then move onto the next. That's.. bizarre.
>
> <EOL>
> Tib
>
> On Tue, 25 Jan 2005, Mark Moseley wrote:
>
> > Heh, forgot to CC the list on my original reply, sorry.
> >
> > Makes sense on the --limit-burst. :)
> >
> > As far as adding the DROP/REJECT after that, once the connection limit
> > in the --limit rule has been reached, it will simply just fall through
> > the next rule (i.e. it doesn't do any implicit DROP'ing on its own).
> > So the rule with the --limit just matches up to the rate in --limit
> > and then doesn't match. Without a rule later on (or a policy to
> > DROP/REJECT), any overflow will just get accepted.
> >
> >
> >
> > > Yup - once I saw an example of someone USING the limit options it made
> > > sense :]
> > >
> > > The only thing --limit-burst does is say 'you have x many free tries
> > > before you fall under the rate limit of Y/time restrictions'.
> > >
> > > So on mine, you can effectively connect twice in short succession before
> > > you are cut back to once every 10 minutes (6 per hour).
> > >
> > > > Be sure to add a DROP or REJECT on the same match (unless the default
> > > > policy is already that).
> > >
> > > I don't follow why to do this - explain?
> > >
> > > <EOL>
> > > Tib
> > >
> >
>
next prev parent reply other threads:[~2005-01-25 20:17 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-25 18:54 use of the limiting options Tib
2005-01-25 19:08 ` Tib
2005-01-25 19:28 ` Tib
[not found] ` <294d5daa0501251137328fa4ff@mail.gmail.com>
[not found] ` <Pine.LNX.4.53.0501251340370.24829@altaica>
2005-01-25 19:51 ` Mark Moseley
2005-01-25 19:56 ` Tib
2005-01-25 20:17 ` Mark Moseley [this message]
2005-01-25 20:22 ` Tib
2005-01-26 7:58 ` Tib
2005-01-26 18:43 ` Mark Moseley
2005-01-28 21:32 ` Tib
[not found] ` <7096989.1107132520756.JavaMail.rct@kale>
2005-01-31 19:00 ` Bob Tellefson
2005-01-26 16:17 ` Jason Opperisano
2005-01-28 21:29 ` Tib
2005-01-31 3:44 ` Josh Nerius
2005-01-31 5:52 ` R. DuFresne
2005-03-02 10:33 ` forwarding internet connection elg3ne
2005-03-02 10:41 ` Essien Ita Essien
2005-03-02 12:34 ` Jörg Harmuth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=294d5daa0501251217b1935c4@mail.gmail.com \
--to=moseleymark@gmail.com \
--cc=netfilter@lists.netfilter.org \
--cc=tib@tigerknight.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.