> On 05.05.2021 at 16:20, Stuart Henderson <s...@spacehopper.org> wrote:
>
> This is usually best dealt with in your DNS server software, e.g. by using
> the rrl-* configuration in NSD (see nsd.conf(5)) or the "rate-limit" config
> section in BIND.
Yes, I have this in place now, but I am trying to have the firewall drop them. This does not seem to work:

    udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global )'
    …
    pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
        port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"

Is this not possible with UDP?

Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
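For reference, here is a pf.conf fragment contrasting the rule quoted above with what pf can actually enforce for UDP. This is an added example, not the rule set from the thread: the interface name, the two name server addresses and the table contents are assumptions, only the macro and table names ($red_if, $ns4, $ns5, <bruteforce>, RED_DMZ) come from the post. The point it demonstrates is that, per pf.conf(5), max-src-conn and max-src-conn-rate count only TCP connections that have completed the 3-way handshake, and the overload table is populated only when one of those two limits trips; on a UDP rule neither ever fires. For UDP, pf can only cap concurrent state entries per source with max-src-states, which drops excess packets but does not touch the overload table.

```pf
# Added example (not the rule set from the thread). Interface and
# addresses are placeholders; adapt to the real configuration.
red_if = "em0"
ns4 = "192.0.2.53"
ns5 = "192.0.2.54"

table <bruteforce> persist

# An overload table only helps if a block rule consults it. The pass
# rules below are "quick", so the block has to come first.
block in quick on $red_if from <bruteforce> to any

# The original rule, kept here commented out. max-src-conn-rate counts
# only TCP connections that completed the 3-way handshake, and overload
# is triggered only by max-src-conn / max-src-conn-rate, so on a UDP
# rule the limit never trips and <bruteforce> stays empty.
#udp_inbound_dns_options = "keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global)"
#pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
#    port domain tag RED_DMZ $udp_inbound_dns_options label "dns inbound"

# What pf can do for UDP: cap the number of concurrent state entries one
# source address may hold under this rule. A UDP state lives udp.first
# (60 s by default) and, once the server has answered, udp.multiple
# (60 s), so 120 states is roughly 120 queries per minute from one
# source before further packets are dropped without creating state.
# This is a hard cap, not a moving average, and it does not populate
# <bruteforce>; excess packets show up under "max-src-states" in
# `pfctl -vs info`.
udp_inbound_dns_options = "keep state (source-track rule, max-src-states 120)"
pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
    port domain tag RED_DMZ $udp_inbound_dns_options label "dns inbound udp"

# DNS over TCP (zone transfers, retries after truncated answers) can use
# the connection-rate limit and overload as intended, because the
# completed handshake proves the source address is not spoofed.
tcp_inbound_dns_options = "keep state (max-src-conn-rate 120/60, overload <bruteforce> flush global)"
pass in quick on $red_if proto tcp from any to { $ns4, $ns5 } \
    port domain tag RED_DMZ $tcp_inbound_dns_options label "dns inbound tcp"
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -t bruteforce -T show` for the TCP rule and the "max-src-states" limit counter in `pfctl -vs info` for the UDP rule. Because a spoofed UDP source can fill another host's state quota, the UDP cap is a blunt safety valve rather than a rate limiter; the per-prefix rate limiting, slip (truncated responses that force legitimate clients to retry over TCP) and whitelisting that NSD's rrl-ratelimit, rrl-slip, rrl-ipv4-prefix-length and rrl-ipv6-prefix-length options provide belong in nsd.conf, as the earlier reply recommended.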