* limiting connection rate
@ 2004-04-22 20:17 Null Device
2004-04-22 20:55 ` Friedrich Lobenstock
2004-04-23 7:44 ` Henrik Nordstrom
From: Null Device @ 2004-04-22 20:17 UTC (permalink / raw)
To: netfilter-devel
Hello list,
I am new here.
I am working on a firewall, as an LKM on the 2.4.22
kernel (still stateless filtering) at the network
layer, and I have the following features in it:
-> shellcode filtering (very basic)
-> snort rules support (a little program to convert
those rules to my firewall rules)
-> HTTP request control method
-> anti-(XSS and SQL injection) measures
Just the important ones... as your site says, keep the mails
short.
I am using netfilter hooks only.
Is there a way I can limit the number of connections per
second per IP using certain iptables or netfilter
modules?
I was unable to find any documentation on it.
As my firewall is stateless, if I want to implement it,
first I will have to make it stateful filtering and
then add the code to get the job done... so I was
looking for something which can save my work.
Any guidance in this regard will prove a great help.
Thanks in advance to everyone.
ND
* Re: limiting connection rate
From: Friedrich Lobenstock @ 2004-04-22 20:55 UTC (permalink / raw)
To: Netfilter Development Mailinglist
Hello <realname missing>
Null Device wrote on 22.04.2004 22:17 MET:
>
> I am using netfilter hooks only.
> Is there a way I can limit the number of connections per
> second per IP using certain iptables or netfilter
> modules?
> I was unable to find any documentation on it.
Are you talking about client ip (where the connection comes from) or server
ip (where the connection goes to)?
In general what about using
-m state --state NEW
in combination with eg.
-m limit --limit 3/s
--
MfG / Regards
Friedrich Lobenstock
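The "-m limit --limit 3/s" match suggested above is a token bucket, but it is a single global bucket; the original question asked for a per-source-IP limit on NEW connections. The following is an added example of that per-IP token bucket in plain C, written here as an illustration and not taken from netfilter or from the poster's module. It assumes millisecond timestamps supplied by the caller, a fixed-size table (a real module would use a hash table with expiry), and the hypothetical names new_conn_allowed and rate_limit_reset.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_SRC 64              /* assumption: fixed-size table for brevity */

struct bucket {
    uint32_t ip;        /* source address in host order; 0 marks an unused slot */
    double   tokens;    /* credit available, capped at burst */
    uint64_t last_ms;   /* timestamp of the last refill */
};

static struct bucket table[MAX_SRC];
static const double rate_per_sec = 3.0;   /* analogous to --limit 3/s */
static const double burst        = 5.0;   /* analogous to --limit-burst 5 */

/* Find the bucket for ip, creating a full one on first sight. */
static struct bucket *lookup(uint32_t ip, uint64_t now_ms) {
    for (int i = 0; i < MAX_SRC; i++)
        if (table[i].ip == ip) return &table[i];
    for (int i = 0; i < MAX_SRC; i++)
        if (table[i].ip == 0) {
            table[i].ip = ip; table[i].tokens = burst; table[i].last_ms = now_ms;
            return &table[i];
        }
    return NULL;  /* table full: caller fails closed */
}

/* Returns 1 if a NEW connection from ip at time now_ms is within the
 * per-source rate, 0 if it should be dropped. now_ms must be monotonic. */
int new_conn_allowed(uint32_t ip, uint64_t now_ms) {
    struct bucket *b = lookup(ip, now_ms);
    if (!b) return 0;
    double elapsed = (double)(now_ms - b->last_ms) / 1000.0;
    b->tokens += elapsed * rate_per_sec;        /* refill since last packet */
    if (b->tokens > burst) b->tokens = burst;   /* never exceed the burst */
    b->last_ms = now_ms;
    if (b->tokens >= 1.0) { b->tokens -= 1.0; return 1; }
    return 0;
}

void rate_limit_reset(void) { memset(table, 0, sizeof table); }

int main(void) {
    uint32_t src = 0x0a000001;  /* constructed sample: 10.0.0.1 */
    for (int i = 0; i < 7; i++)  /* 7 SYNs in the same millisecond: 5 pass */
        printf("SYN %d at t=1000ms: %s\n", i, new_conn_allowed(src, 1000) ? "accept" : "drop");
    return 0;
}
```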
* Re: limiting connection rate
From: Henrik Nordstrom @ 2004-04-23 7:44 UTC (permalink / raw)
To: Null Device; +Cc: netfilter-devel
On Thu, 22 Apr 2004, Null Device wrote:
> I am using netfilter hooks only.
> Is there a way I can limit the number of connections per
> second per IP using certain iptables or netfilter
> modules?
There is the connlimit match which limits the number of concurrent
connections a single IP may be involved in. See
patch-o-matic-ng/connlimit.
Obviously it depends on conntrack, and so will your firewall if you want to
use a similar technique.
Note: conntrack is independent of iptables. There is no problem for your
firewall implementation to reuse conntrack. If you also want to reuse the
NAT code outside of iptables then a little work is needed to separate the
NAT engine from iptables, but not much.
Regards
Henrik