[Firehol-support] Re: Integrating ipt_recent with FireHOL
Carlos Rodrigues
cefrodrigues at mail.telepac.pt
Sat Nov 12 00:51:26 CET 2005
On 11/11/05, Costa Tsaousis <costa at tsaousis.gr> wrote:
> In v1.240 (get it from http://firehol.sf.net/firehol.tar.gz) you now can:
>
> server smtp accept with recent NAME SECONDS HITS
Sweet!
> Do you believe we should also add a "recent" protection, so that one can
> limit the rate of connections per interface and router for all the
> services together, or even a "recent" helper so that one can limit the
> rate of connections globally for the whole of the firewall?
I don't see protecting all services together as being useful in the
real world. For instance, if http and ssh are open, it would be
difficult to find proper values to fit both services. Too low hits and
seconds and it would kill http, too high and it wouldn't be useful for
ssh. I guess this applies for enough service combinations to make it
difficult to get right.
However, a global helper to be able to do the same thing I showed in
the other post would be nice. Something like:
"protect SERVICE recent NAME HITS SECONDS [optional rule parameters]"
"protect" looks like the right name for this, and could even be
extended in the future to support other kinds of protection like
TARPIT (http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-TARPIT)
or something like that. :)
--
Carlos Rodrigues
More information about the Firehol-support
mailing list