John McMonagle wrote:
> Tom Eastep wrote:
>>
>>> advocap.org doesn't have that much to look up. Only about a dozen entries
>>> and suspect most are for mail.advocap.org www.advocap.org and for spf text.
>>>
>>> Any idea what good limits would be?
>>>
>> I'm using "Limit:none:5,60" and it has slowed the bogus queries reaching
>> my DNS server down to a trickle.
>>
>> Legitimate DNS servers should cache any response and since I only have a
>> few hosts, this seemed like a reasonable setting to me. YMMV.
>>
>> -Tom
>>
> Thanks
>
> Seems to help.
> I'll try your settings.
>
> I tried a count of 20 and got an error on shorewall restart.
> Less than that is OK.
>
> No reason to go that high, just figured I should mention it.
No reason to mention it unless you include details -
http://www.shorewall.net/support.htm#Guidelines.

>
> Is there a way to test what ips are being blocked?

You have to look at (and interpret) /proc/net/ipt_recent. Basically, those
with lots of entries are being blocked.

I've been experimenting and think that I have a much better approach. Its
only drawback is that it requires that you install the xtables addons; but
that's easy. And you must be using Shorewall-perl.

Add this to /etc/shorewall/actions:

DNSDDOS

Create /etc/shorewall/action.DNSDDOS:

# This file is intentionally left empty

Create /etc/shorewall/DNSDDOS as:

use Shorewall::Chains;

add_rule $chainref, q(-m string --algo kmp --from 2 --hex-string "|010000010000000000000000020001|" -j DROP)

The add_rule call should all be on one line.

In /etc/shorewall/rules:

DNSDDOS    net    z:<dns server ip>    udp    domain
ACCEPT     net    z:<dns server ip>    udp    domain

That detects NS queries against "." and simply drops them. 'z' is the zone
where your DNS server lives. Specifying your DNS server IP address is of
course optional.

Here it is in operation:

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
  554 25376 DNSDDOS    udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
   18  1256 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
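The hex string in Tom's rule is the DNS message from the flags word onward: flags 0x0100 (standard query, RD set), QDCOUNT 1, the other three counts 0, a lone 0x00 root label for the QNAME, QTYPE 2 (NS) and QCLASS 1 (IN). The following is an added example, not code from the thread or from Shorewall: it builds a few constructed DNS query payloads, decodes the header and question section properly, and compares that with the plain substring match the iptables string module performs. The sample queries, transaction ID and the `classify` helper are assumptions made for the example; the point it shows is that the posted pattern only catches the exact RD-set, non-EDNS form of the "." NS query.

```python
# Added example (not from the thread or from Shorewall): decode DNS query
# payloads and compare a full parse of the question section with the byte
# pattern the iptables string match in the thread uses.
import struct

# Bytes the rule matches, starting right after the 2-byte transaction ID:
# flags 0x0100 (standard query, RD set), QDCOUNT 1, ANCOUNT 0, NSCOUNT 0,
# ARCOUNT 0, QNAME "." (a lone 0x00 root label), QTYPE 2 (NS), QCLASS 1 (IN).
ROOT_NS_PATTERN = bytes.fromhex("010000010000000000000000020001")

QTYPE_NS = 2
QCLASS_IN = 1
TYPE_OPT = 41


def build_query(txid, qname, qtype, rd=True, edns=False):
    """Construct a minimal DNS query (UDP payload only) for testing."""
    flags = 0x0100 if rd else 0x0000
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    for label in (l for l in qname.split(".") if l):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    if edns:
        # OPT pseudo-RR: root name, type 41, 4096-byte UDP size, TTL 0, no rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def matches_string_rule(payload):
    """Mimic `-m string --algo kmp --hex-string "|...|"`: an unanchored
    substring search over the payload, nothing more."""
    return ROOT_NS_PATTERN in payload


def parse_question(payload):
    """Decode the 12-byte header and the first question.  Returns a dict or
    None when the message is truncated or malformed."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1:
        return None
    off, labels = 12, []
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(payload):
            return None  # compression pointers or overlong labels are not valid here
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {
        "qname": ".".join(labels) + "." if labels else ".",
        "qtype": qtype,
        "qclass": qclass,
        "is_query": not flags & 0x8000,
        "arcount": arcount,
    }


def is_root_ns_query(payload):
    """True for any query (EDNS or not, RD or not) asking for NS of '.'."""
    q = parse_question(payload)
    return bool(q and q["is_query"] and q["qname"] == "."
                and q["qtype"] == QTYPE_NS and q["qclass"] == QCLASS_IN)


# Constructed samples (assumed for this example): ordinary resolver queries
# next to the "." NS probes the thread is about, in three variants.
SAMPLES = {
    "root NS, plain": build_query(0x1234, ".", QTYPE_NS),
    "root NS, no RD": build_query(0x1234, ".", QTYPE_NS, rd=False),
    "root NS, EDNS0": build_query(0x1234, ".", QTYPE_NS, edns=True),
    "A www.example.com": build_query(0x1234, "www.example.com.", 1),
    "NS example.com": build_query(0x1234, "example.com.", QTYPE_NS),
}


def classify(samples=SAMPLES):
    """Return {label: (string_rule_hit, parser_hit)} for each sample."""
    return {name: (matches_string_rule(p), is_root_ns_query(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (rule, parsed) in classify().items():
        print(f"{name:20s} string-rule={rule!s:5s} parsed={parsed}")
```

Run it with python3 and compare the two columns: the string rule and the parser agree on the plain "." NS query and on the legitimate queries, but a probe sent with RD clear, or carrying an EDNS0 OPT record (ARCOUNT 1), slips past the byte pattern while the decoder still flags it. Whether those variants are worth a second rule depends on what actually arrives at the server; the /proc/net/ipt_recent entries and the chain counters Tom shows are the place to check.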
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
