Thanks Tom, all clear now!

I just tweaked the numbers a bit and put the firewall in production and it
seems to run great with the new settings!

Thanks for all your time and patience...

Sander


-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net] 
Sent: Friday 16 April 2010 15:17
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attacks on a specific port

S. J. van Harmelen wrote:
> Uuh... I understand that you're a man of little words ;) But since you're
> saying yes to two opposite explanations I still don't know what
> explanation is the correct one?
> 
> 1. It says "without a connection arriving", but I assume that even if a
> connection arrives during the interval (which then gets passed along to
> the other rules and is not matched to the rule in question because the
> burst count is 0), then after the interval period the burst count is
> incremented?
> 
> 2. Or does the burst count only get incremented when no new connections
> are even attempted for at least the duration of the interval period? So
> that means the interval will reset and start ticking again every time a
> connection arrives (even if that connection is not allowed to pass
> through the rule) until it ticks away to complete interval time?
> 

If a packet arrives, the count immediately goes back to zero and the
packet is accepted. The point is that the only way for the burst count
to increment over time is that the arrival rate must be less than the
specified rate; there must be periods during which no packet arrives in
order for the burst count to be restored to its maximum value.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
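A token-bucket simulation of the rate-limited rule discussed in this thread, added here as an illustration (it is not Shorewall or netfilter code, and the class and function names are my own): with rate 1/sec and burst 5, a 10 packet/s flood matches only its first five packets plus one per second afterwards, while a burst followed by a quiet period has its full burst restored, exactly as Tom describes.

```python
from fractions import Fraction


class LimitMatch:
    """Token-bucket model of the iptables 'limit' match (rate + burst)
    behind Shorewall's rate limiting. Constructed illustration only."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)      # tokens (packets) credited per second
        self.burst = burst              # bucket capacity = initial burst count
        self.tokens = Fraction(burst)   # current burst count
        self.last = Fraction(0)         # time of the previous arrival (seconds)

    def arrive(self, t):
        """Return True if a packet arriving at time t (seconds) matches the rule."""
        t = Fraction(t)                 # pass ints, Fractions or strings like "0.1"
        # Credit accrues for the time since the last packet, capped at burst:
        # the count only climbs back while packets arrive slower than the rate.
        self.tokens = min(self.tokens + (t - self.last) * self.rate,
                          Fraction(self.burst))
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1            # matched: one unit of burst consumed
            return True
        return False                    # burst exhausted: falls through to later rules


def simulate(rate, burst, arrival_times):
    """Run arrivals through one rule; return a list of (time, matched)."""
    lm = LimitMatch(rate, burst)
    return [(Fraction(t), lm.arrive(t)) for t in arrival_times]


def matched_count(rate, burst, arrival_times):
    return sum(1 for _, ok in simulate(rate, burst, arrival_times) if ok)


# Constructed arrival patterns (seconds):
FLOOD = [Fraction(i, 10) for i in range(30)]               # 10 pkt/s for 3 s
BURST_QUIET_BURST = ([Fraction(i, 10) for i in range(5)]   # 5 pkts, 9.6 s quiet,
                     + [10 + Fraction(i, 10) for i in range(5)])  # then 5 more
STEADY_2PPS = [Fraction(i, 2) for i in range(12)]          # 2 pkt/s, above rate 1/s

if __name__ == "__main__":
    print("flood:", matched_count(1, 5, FLOOD), "of", len(FLOOD))
    print("burst/quiet/burst:", matched_count(1, 5, BURST_QUIET_BURST), "of 10")
    print("steady 2 pkt/s:", matched_count(1, 5, STEADY_2PPS), "of 12")
```

The steady 2 pkt/s case shows the drain Tom is pointing at: the bucket is never quiet long enough to refill, so after the initial burst only every other packet matches.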

