Martin Wheldon writes:
Hi Folks,
I've spent quite some time googling but am unable to answer the
following question.
Are there any problems with running an iptables firewall using ipset
functionality on the hardware node?
Did you look at nfqueue ?
Afaik ipset is not really stable, also it requires patching a
kernel... This is a big reason to not use the ipset module.
Also does anyone know about some analogs of the connlimit module? Which
is also absent in the default RHEL kernel...
centos5.2 box # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit
--connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295
The idea is to limit established connections for every unique IP. This
is very helpful on high-loaded web servers.
I already know that these modules haven't been virtualized, but I
don't believe this should matter for the
hardware node; please correct me if this assumption is incorrect.
Obviously I will need to build my own
kernel as the ipset patches are not applied to the stock OpenVZ kernels.
Is anyone out there doing this? If so, could you please pass on your
experiences.
Best Regards
Martin
_______________________________________________
Users mailing list
[email protected]
https://openvz.org/mailman/listinfo/users
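The "Unknown error 4294967295" above is iptables printing -1 as an unsigned 32-bit value; the match extension exists in the userspace tool but the running kernel has no xt_connlimit to back it. The following is an added example (not from either poster) that checks the kernel's own list of available matches, /proc/net/ip_tables_matches, before trying to add the per-source connection limit the thread describes. The MATCHES_FILE override, the match_available, connlimit_rule and apply_connlimit function names, and the port/limit values are assumptions made for the example.

```shell
#!/bin/sh
# Added example: only apply a per-source connection limit when the
# running kernel actually provides the connlimit match.

# Return 0 if the named iptables match (e.g. "connlimit") is listed by the
# running kernel. MATCHES_FILE can be overridden to point at a test file.
match_available() {
    matches="${MATCHES_FILE:-/proc/net/ip_tables_matches}"
    [ -r "$matches" ] && grep -qx "$1" "$matches"
}

# Print the rule that rejects new TCP connections (SYN) to port $1 from any
# source address that already holds more than $2 connections.
connlimit_rule() {
    port=$1
    limit=$2
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j REJECT\n' \
        "$port" "$limit"
}

# Apply the rule if the kernel supports it; otherwise report why it would
# fail instead of letting iptables emit the bare "Unknown error" message.
apply_connlimit() {
    if match_available connlimit; then
        sh -c "$(connlimit_rule "$1" "$2")"
    else
        echo "connlimit match not provided by the running kernel (xt_connlimit missing)" >&2
        return 1
    fi
}

# Usage (as root, on the hardware node):  apply_connlimit 80 15
```

The check reads the kernel's own table rather than relying on `lsmod`, so it also works when the match is built into the kernel instead of loaded as a module.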