[conspire] iptables filtering responses from DNS servers

Tim Utschig tim at tetro.net
Thu Jun 22 12:59:43 PDT 2006


On Thu, Jun 22, 2006 at 09:23:32AM -0700, Daniel Gimpelevich wrote:
> 
> Before I fiddle with manual tweaks, I figured I'd take another stab at an
> auto-generated config. Is the following any different? It seems to block
> even more UDP traffic now.
> 
> Chain DOS (6 references)
> target     prot opt source               destination         
...
> RETURN     udp  --  anywhere             anywhere           limit: avg 1/sec burst 4 

Looks like it's only allowing 1 incoming UDP packet per second now.
What you really need is to make sure that answers to your own outgoing
queries never reach the 'limit' rules.  Making use of -m state would be
good.

If you're running a DNS server, you'd probably want a much higher limit
on incoming queries.

-- 
   - Tim Utschig <tim at tetro.net>
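Added example, not part of the original thread: one way to put Tim's suggestion into iptables commands so that replies to this host's own queries are matched by conntrack (-m state) before they can reach the rate limit, with a separate, higher limit for port 53 if the host also serves DNS. It assumes an otherwise empty INPUT chain; the 200/sec burst 50 figure for DNS queries is a placeholder to tune, and IPT defaults to "echo iptables" so the script only prints the commands until run with IPT=iptables as root.

```shell
# IPT defaults to printing the commands; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

dns_rules() {
    # The DOS chain: RETURN (continue in INPUT) while under the limit,
    # DROP anything beyond it.
    $IPT -N DOS
    # Placeholder rate for incoming DNS queries if this host is a DNS
    # server; tune to the expected query load.
    $IPT -A DOS -p udp --dport 53 -m limit --limit 200/sec --limit-burst 50 -j RETURN
    # Same rate the auto-generated config used for everything else.
    $IPT -A DOS -p udp -m limit --limit 1/sec --limit-burst 4 -j RETURN
    $IPT -A DOS -j DROP

    # Conntrack first: a UDP answer to a query we sent is ESTABLISHED,
    # so it is accepted here and never counted by the limit rules.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only packets that start a new conntrack entry go on to DOS.
    $IPT -A INPUT -p udp -m state --state NEW -j DOS
}

dns_rules
```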