On Mon, 2 Sep 2019, Dave Taht wrote:
> with copy-pasted parameters set in the 90s - openwrt's default, last I
> looked, was 25/sec.
>
> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
> -A syn_flood -m comment --comment "!fw3" -j DROP
Well, it's got a burst-size of 50. I agree that this is quite
conservative.
However, at least in my home we're not seeing drops:
# iptables -nvL | grep -A 4 "Chain syn_flood"
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
But you might be right that in places with a lot more clients than this it
might indeed cause problems.
--
Mikael Abrahamsson email: swm...@swm.pp.se
_______________________________________________
Bloat mailing list
Bloat@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/bloat
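To make the "quite conservative" point concrete, here is an added example (not code from the thread, OpenWrt or fw3) that models the `-m limit --limit 25/sec --limit-burst 50` match as a classic token bucket (an assumption; the kernel's xt_limit uses a jiffies-based credit scheme that behaves the same way at this granularity) and parses `iptables -nvL` output for the DROP counter of the syn_flood chain. The `SAMPLE_NVL` text is constructed to mirror the output format shown above.

```python
"""Token-bucket model of OpenWrt's syn_flood rate limit, plus a parser for
the `iptables -nvL` counters, so a defender can estimate when SYNs start
being dropped and confirm it from the live counters."""
import re
from typing import Iterable, Tuple

# Constructed sample of `iptables -nvL` output (same layout as in the thread).
SAMPLE_NVL = """\
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
   12   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
"""

def simulate_limit(arrivals: Iterable[float], rate: float = 25.0,
                   burst: int = 50) -> Tuple[int, int]:
    """Return (accepted, dropped) for SYN arrival timestamps in seconds.

    Assumed model: `burst` tokens, refilled at `rate` tokens/sec; a SYN that
    finds no token falls through the RETURN rule and hits `-j DROP`."""
    tokens = float(burst)
    last = None
    accepted = dropped = 0
    for t in sorted(arrivals):
        if last is not None:
            tokens = min(float(burst), tokens + (t - last) * rate)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped

def syn_flood_drops(iptables_nvl: str) -> int:
    """Packet count of the DROP rule in chain syn_flood (0 = nothing limited)."""
    in_chain = False
    for line in iptables_nvl.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == "syn_flood"
            continue
        if in_chain:
            m = re.match(r"\s*(\d+)\s+\S+\s+DROP\b", line)
            if m:
                return int(m.group(1))
    return 0

if __name__ == "__main__":
    # 80 clients reconnecting within the same millisecond (e.g. after a link
    # flap): only the 50-token burst passes, 30 SYNs are dropped.
    print(simulate_limit(i * 0.00001 for i in range(80)))   # (50, 30)
    # The same 80 SYNs spread over 4 s (20/sec) all pass.
    print(simulate_limit(i * 0.05 for i in range(80)))      # (80, 0)
    print(syn_flood_drops(SAMPLE_NVL))                      # 12
```

A non-zero DROP count on a busy network is the signal that the 25/sec, burst-50 defaults are biting legitimate clients rather than an attacker.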