List: info-cyrus
Subject: Re: Connection throttling POP3.
From: Matthew Schumacher <matt.s () aptalaska ! net>
Date: 2007-05-23 16:49:09
Message-ID: 46547085.3020603 () aptalaska ! net
David S. Madole wrote:
>
> If you are talking about the suggestion I made, which looked like this:
>
> iptables -A INPUT -p tcp --dport 22 \
> -m state --state NEW \
> -m recent --update --seconds 60 -j DROP
>
> iptables -A INPUT -p tcp --dport 22 \
> -m state --state NEW \
> -m recent --set -j ACCEPT
>
> then you did not read it right. It limits to one connection per IP address per
> minute. Each source address is kept track of in enforcing the limit. Using the
> --hitcount option in addition to the --seconds option, you can also create limits
> such as a maximum of four connections in two minutes, etc.
> David
Wow, I never played with recent before, but it's quite handy. Thanks for
pointing this out. I've already added a number of rules to protect
various things.
schu
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
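The rule pair quoted in this thread is easy to misread, so here is an added example (not code from either poster, and not the Cyrus project's) that models the kernel's xt_recent match well enough to replay a sequence of NEW connections through it. It follows the documented semantics: each source address keeps a ring of its last 20 timestamps (the module's ip_pkt_list_tot default); --rcheck and --update match when at least --hitcount stamps (any one, if --hitcount is not given) fall inside the last --seconds; --update additionally adds a stamp whenever it matches; --set always adds one. The addresses, timings, the --name pop3 list and the rcheck/update switch are this example's own constructed choices.

```python
"""Model of the iptables 'recent' match for reasoning about per-IP
connection throttling.  Added example; times are plain seconds and the
addresses and scenarios below are constructed, not captured traffic."""
from collections import deque

LIST_LEN = 20  # xt_recent default ip_pkt_list_tot: stamps kept per address


class RecentTable:
    """One named 'recent' list (--name), keyed by source address (--rsource)."""

    def __init__(self, list_len=LIST_LEN):
        self._stamps = {}
        self._list_len = list_len

    def _add(self, ip, now):
        self._stamps.setdefault(ip, deque(maxlen=self._list_len)).append(now)

    def _matches(self, ip, now, seconds, hitcount):
        # True when at least `hitcount` stamps (or any stamp, if hitcount is 0)
        # lie inside the last `seconds` (or anywhere in the ring, if seconds is 0).
        stamps = self._stamps.get(ip)
        if not stamps:
            return False
        hits = 0
        for t in stamps:
            if seconds and t < now - seconds:  # outside the window
                continue
            hits += 1
            if not hitcount or hits >= hitcount:
                return True
        return False

    def rcheck(self, ip, now, seconds=0, hitcount=0):
        return self._matches(ip, now, seconds, hitcount)

    def update(self, ip, now, seconds=0, hitcount=0):
        matched = self._matches(ip, now, seconds, hitcount)
        if matched:
            self._add(ip, now)  # --update refreshes the entry on every match
        return matched

    def set(self, ip, now):
        self._add(ip, now)
        return True


def rules(port, seconds, hitcount=0, mode="update", name="pop3"):
    """Render the two-rule pattern from the thread for one service.
    The --name list and the --rcheck variant are this example's additions."""
    hc = f" --hitcount {hitcount}" if hitcount else ""
    common = (f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW"
              f" -m recent --name {name}")
    return [f"{common} --{mode} --seconds {seconds}{hc} -j DROP",
            f"{common} --set -j ACCEPT"]


def verdict(table, ip, now, seconds, hitcount=0, mode="update"):
    """Walk one NEW connection through the DROP rule, then the --set ACCEPT rule."""
    check = table.update if mode == "update" else table.rcheck
    if check(ip, now, seconds, hitcount):
        return "DROP"
    table.set(ip, now)
    return "ACCEPT"


def simulate(events, seconds, hitcount=0, mode="update"):
    """events: (time, ip) pairs for NEW connections in time order.
    Returns the verdict for each one."""
    table = RecentTable()
    return [verdict(table, ip, t, seconds, hitcount, mode) for t, ip in events]


# Constructed scenarios (TEST-NET-1 addresses, no real hosts).
RETRYING_CLIENT = [(0, "192.0.2.10"), (30, "192.0.2.10"),
                   (61, "192.0.2.10"), (91, "192.0.2.10")]
BURST_CLIENT = [(t, "192.0.2.20") for t in range(6)] + [(130, "192.0.2.20")]
TWO_CLIENTS = [(0, "192.0.2.30"), (1, "192.0.2.31"), (2, "192.0.2.30")]

if __name__ == "__main__":
    for line in rules(110, 120, hitcount=4):
        print(line)
    print("1/min, --update, retry every ~30s:", simulate(RETRYING_CLIENT, 60))
    print("1/min, --rcheck, retry every ~30s:", simulate(RETRYING_CLIENT, 60, mode="rcheck"))
    print("4 per 120s, burst then quiet:    ", simulate(BURST_CLIENT, 120, hitcount=4))
    print("limit is per source address:     ", simulate(TWO_CLIENTS, 60))
```

The retrying-client run shows the detail worth knowing before putting this in front of POP3 clients that poll on a timer: with --update, each blocked attempt refreshes the address's stamp, so a client that retries inside the window never gets back in, while --rcheck measures the window from the last accepted connection and lets the third attempt through. The burst run shows the --hitcount form accepting four connections, dropping the next two, and accepting again once the window has emptied; the two-client run shows that the count is kept per source address, as the quoted reply says.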