[conspire] iptables filtering responses from DNS servers
Tim Utschig
tim at tetro.net
Thu Jun 22 12:59:43 PDT 2006
On Thu, Jun 22, 2006 at 09:23:32AM -0700, Daniel Gimpelevich wrote:
>
> Before I fiddle with manual tweaks, I figured I'd take another stab at an
> auto-generated config. Is the following any different? It seems to block
> even more UDP traffic now.
>
> Chain DOS (6 references)
> target prot opt source destination
...
> RETURN udp -- anywhere anywhere limit: avg 1/sec burst 4
Looks like it's only allowing 1 incoming UDP packet per second now.
What you really need is to make sure that answers to your own outgoing
queries never reach the 'limit' rules. Making use of -m state would be
good.
If you're running a DNS server, you'd probably want a much higher limit
on incoming queries.
--
- Tim Utschig <tim at tetro.net>
More information about the conspire
mailing list