From: Feizhou <feizhou@linuxmail.org>
To: Timothy Webster <timothyw@outblaze.com>
Cc: Michael Gale <michael.gale@utilitran.com>, netfilter@lists.netfilter.org
Subject: Re: over a 1,000,000,000 individual ips to block
Date: Tue, 29 Jun 2004 19:43:30 +0800 [thread overview]
Message-ID: <40E155E2.5010306@linuxmail.org> (raw)
In-Reply-To: <20040629110452.30056.qmail@team.outblaze.com>
> Limited maximum connections and a simple accept established
> help, but we need more. Currently looking into modifying
> the set patch to handle this large number.
> If not iptables then openbsd pf.
That's why you are looking into ipset. I asked a similar question a
while ago; need to check to see if there is a 2.6.x version out now.
>
> We do get up to 100 smtp connections from a simple ip during peak times.
>
>> If you allow a simple IP to make 100 SMTP connections to your mail server
>> then you have other problems. Why you would allow any IP to make more than 10-15
>> connections is beyond me. Also .. if you set an error limit (example mine is 5)
>> when that limit is reached the smtp and tcp connection are dropped.
Postfix does not have per-IP connection limiting, and this goes for
sendmail (if you've got a ruleset for that, please post it) and for
tcpserver (qmail-smtpd).
>
>> I am not saying that you should not block abusive IPs or networks at the
>>
>> Also what about ESTABLISHED connections ??? If you do not use an ESTABLISHED
>> state -j ACCEPT at the top ... then each IP would in theory have to match 1
>> million rules every time it came in.
>>
>> I am sure there is a better answer than to create 1 million iptables rules.
>
Which is why Timothy is asking about ipset/ippool functionality.
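As an added illustration of the ruleset shape the thread is converging on (this is not code from anyone in the thread, and it uses the current ipset/iptables syntax rather than the 2004-era set patch): a generator that turns a one-address-per-line list into an ipset restore file and an iptables-restore fragment in which the ESTABLISHED,RELATED accept comes first, the whole blocklist is one hash-lookup rule, and new SMTP connections are capped per source address. The set name, the file paths, the per-IP limit of 10 and the sample addresses are assumptions; the 2001:db8/192.0.2-style addresses in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Generates (does not load)
# an ipset restore script and an iptables-restore fragment so the rule order
# and the single set match can be reviewed before anything touches the kernel.
# Assumptions: set name, per-source limit, and the IP list format (one IPv4
# address per line, blank lines ignored).
set -eu

SET_NAME="smtp_blocklist"   # assumed name
PER_IP_LIMIT=10             # assumed cap on concurrent SMTP sessions per source

# Emit an 'ipset restore' script: one create line sized to the list, then
# one add line per address.  hashsize must be a power of two, so round up.
gen_ipset_restore() {
    ipfile="$1"
    n=$(grep -c . "$ipfile")
    hs=1024
    while [ "$hs" -lt "$n" ]; do hs=$((hs * 2)); done
    printf 'create %s hash:ip family inet hashsize %d maxelem %d\n' \
        "$SET_NAME" "$hs" "$n"
    grep . "$ipfile" | while read -r ip; do
        printf 'add %s %s\n' "$SET_NAME" "$ip"
    done
}

# Emit the filter table fragment.  Order matters:
#  1. packets of already-accepted flows never revisit the blocklist or limits;
#  2. one rule does a hash lookup regardless of how many addresses are listed;
#  3. new SMTP sessions above the per-source cap are reset, the rest accepted.
gen_iptables_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m set --match-set $SET_NAME src -j DROP
-A INPUT -p tcp --dport 25 --syn -m connlimit --connlimit-above $PER_IP_LIMIT --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 25 --syn -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: IPLIST=/path/to/list.txt sh thisscript.sh
if [ -n "${IPLIST:-}" ]; then
    gen_ipset_restore "$IPLIST"
    gen_iptables_rules
fi
```

Load the output with `ipset -exist restore < blocklist.ipset` followed by `iptables-restore -n < rules.v4` (the `-n` keeps other tables untouched). Two caveats a practitioner would check: `maxelem` must cover the final list size or the adds fail part way, and a per-address `hash:ip` set at the scale in the subject line is not realistic in kernel memory; at that point the list has to be aggregated into prefixes and loaded into a `hash:net` set instead, where one rule still suffices.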
Thread overview:
2004-06-29 11:04 over a 1,000,000,000 individual ips to block Timothy Webster
2004-06-29 11:43 ` Feizhou [this message]
Related messages with the same Subject:
2004-06-24 14:57 Timothy Webster
2004-06-28 12:45 ` Michael Gale
2004-06-28 13:04 ` Alex Sirbu
2004-06-28 13:36 ` Feizhou
2004-06-28 13:52 ` Alex Sirbu
2004-06-28 14:14 ` Feizhou
2004-06-28 13:20 ` Feizhou
2004-06-28 16:31 ` Michael Gale