[wplug] 3/hour Limit

Robert Dale rdale at wplug.org
Thu Dec 12 10:52:52 EST 2002


On Thu, 12 Dec 2002, Kubbie wrote:

> Confusion about this limit for the firewall.  What exactly is it?  Will it
> only write to syslog 3 times per hour, or will it only write to syslog if the
> same block happens 3 times in an hour?
> 
> I've read several documents on this and none really explain it very well... they
> seem to be talking more about the syntax rather than what it is really
> doing.  I don't know if I should adjust this or not to have it monitor more
> often.

I thought it was pretty well explained in the iptables HOWTO...

http://www.linuxguruz.org/iptables/howto/iptables-HOWTO-6.html

Here is the relevant section:
--------------------------------------------------------------------------
limit

    This module must be explicitly specified with `-m limit' or `--match
limit'. It is used to restrict the rate of matches, such as for suppressing
log messages. It will only match a given number of times per second (by
default 3 matches per hour, with a burst of 5). It takes two optional arguments:

--limit

    followed by a number; specifies the maximum average number of matches to
allow per second. The number can specify units explicitly, using `/second',
`/minute', `/hour' or `/day', or parts of them (so `5/second' is the same as
`5/s').

--limit-burst

    followed by a number, indicating the maximum burst before the above limit
kicks in.

This match can often be used with the LOG target to do rate-limited logging.
To understand how it works, let's look at the following rule, which logs
packets with the default limit parameters:

# iptables -A FORWARD -m limit -j LOG

The first time this rule is reached, the packet will be logged; in fact, since
the default burst is 5, the first five packets will be logged. After this, it
will be twenty minutes before a packet will be logged from this rule,
regardless of how many packets reach it. Also, every twenty minutes which
passes without matching a packet, one of the burst will be regained; if no
packets hit the rule for 100 minutes, the burst will be fully recharged; back
where we started.

You cannot currently create a rule with a recharge time greater than about 59
hours, so if you set an average rate of one per day, then your burst rate must
be less than 3.

------------------------------------------------------------------------------

-- 
Robert Dale
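To make the HOWTO's numbers concrete, here is a small token-bucket model of the `limit` match as that text describes it (an added example written for this page, not code from the HOWTO, the list post, or the kernel module; the function names, the 59-hour approximation and the packet timings are my own assumptions). It replays packet arrival times through one rule and shows which packets the LOG target would see.

```python
from fractions import Fraction

SECOND, MINUTE, HOUR, DAY = 1, 60, 3600, 86400
UNITS = {"second": SECOND, "s": SECOND, "minute": MINUTE, "m": MINUTE,
         "hour": HOUR, "h": HOUR, "day": DAY, "d": DAY}


def parse_rate(spec):
    """Turn a --limit argument such as '3/hour' or '5/s' into matches per second.
    Uses Fraction so the bookkeeping below is exact."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), UNITS[unit or "second"])


class LimitMatch:
    """Token bucket as the HOWTO describes it: `burst` tokens to start with,
    one token regained every 1/rate seconds, never more than `burst` held."""

    def __init__(self, rate="3/hour", burst=5):
        self.rate = parse_rate(rate)   # tokens regained per second
        self.burst = burst             # bucket capacity
        self.tokens = Fraction(burst)  # bucket starts full
        self.last = 0                  # time the bucket was last updated

    def match(self, now):
        """True if a packet arriving at `now` (seconds) matches, i.e. gets logged."""
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def logged_packets(arrivals_sec, rate="3/hour", burst=5):
    """Replay arrival times (seconds, ascending) and return those that were logged."""
    rule = LimitMatch(rate, burst)
    return [t for t in arrivals_sec if rule.match(t)]


def max_burst_for(rate, max_recharge_sec=59 * HOUR):
    """Largest burst that can fully recharge within the ~59 h cap the HOWTO cites
    (an approximation built from the HOWTO's own figure, not the kernel's formula)."""
    return int(parse_rate(rate) * max_recharge_sec)


if __name__ == "__main__":
    # Constructed arrivals: six packets at once, one at 10 min, one at 20 min,
    # one a second later, then six more after 100 quiet minutes.
    burst_then_quiet = [0] * 6 + [600, 1200, 1201] + [7201] * 6
    print(logged_packets(burst_then_quiet))  # five, then 1200, then five at 7201
    print(max_burst_for("1/day"))            # 2, i.e. "less than 3" at one per day
```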
