[wplug] 3/hour Limit
Kubbie
squeakers2k at icqmail.com
Fri Dec 13 18:17:36 EST 2002
Thanks.
-----Original Message-----
From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org]On Behalf Of
Robert Dale
Sent: Thursday, December 12, 2002 10:53 AM
To: wplug at wplug.org
Subject: Re: [wplug] 3/hour Limit
On Thu, 12 Dec 2002, Kubbie wrote:
> Confusion about this limit for the firewall. What exactly is it? It will
> only write to syslog 3 times per hour, or it will only write to syslog if the
> same block happens 3 times in an hour?
>
> Read several documents on this and none really explain it very well...
> they seem to be talking more about the syntax rather than what it is really
> doing. I don't know if I should adjust this or not to have it monitor more
> often.
I thought it was pretty well explained in the iptables HOWTO...
http://www.linuxguruz.org/iptables/howto/iptables-HOWTO-6.html
Here is the relevant section:
--------------------------------------------------------------------------
limit
This module must be explicitly specified with `-m limit' or `--match
limit'. It is used to restrict the rate of matches, such as for suppressing
log messages. It will only match a given number of times per second (by
default 3 matches per hour, with a burst of 5). It takes two optional
arguments:
--limit
followed by a number; specifies the maximum average number of matches to
allow per second. The number can specify units explicitly, using `/second',
`/minute', `/hour' or `/day', or parts of them (so `5/second' is the same as
`5/s').
--limit-burst
followed by a number, indicating the maximum burst before the above limit
kicks in.
This match can often be used with the LOG target to do rate-limited logging.
To understand how it works, let's look at the following rule, which logs
packets with the default limit parameters:
# iptables -A FORWARD -m limit -j LOG
The first time this rule is reached, the packet will be logged; in fact, since
the default burst is 5, the first five packets will be logged. After this, it
will be twenty minutes before a packet will be logged from this rule,
regardless of how many packets reach it. Also, every twenty minutes which
passes without matching a packet, one of the burst will be regained; if no
packets hit the rule for 100 minutes, the burst will be fully recharged; back
where we started.
You cannot currently create a rule with a recharge time greater than about 59
hours, so if you set an average rate of one per day, then your burst rate must
be less than 3.
----------------------------------------------------------------------------
--
Robert Dale
_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
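The following is an added example, not code from the HOWTO or from anyone in this thread. It models the `limit` match as a token bucket so the numbers quoted above (first five packets logged, then one every twenty minutes, full recharge after 100 minutes, and the "1/day means burst below 3" caveat) can be checked against sample arrival times. The continuous refill rule (one credit regained every 1/rate seconds, capped at the burst) is an assumption made for the model, not netfilter's own code, and the arrival timestamps are constructed.

```python
"""Token-bucket model of the iptables `limit` match (illustrative, not netfilter's code)."""
from typing import Iterable, List, Tuple

# Unit names accepted after the slash in --limit; iptables also accepts any prefix ('/s', '/h').
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# Approximate cap on the recharge time, as stated in the HOWTO excerpt quoted above.
MAX_RECHARGE_SECONDS = 59 * 3600


def parse_limit(spec: str) -> float:
    """Turn a --limit argument ('3/hour', '5/s', '10') into matches per second.

    A missing unit means per second, as with iptables.
    """
    number, _, unit = spec.partition("/")
    count = float(number)
    if count <= 0:
        raise ValueError(f"rate must be positive: {spec!r}")
    unit = unit or "second"
    candidates = [name for name in UNITS if name.startswith(unit)]
    if len(candidates) != 1:
        raise ValueError(f"unknown unit in {spec!r}")
    return count / UNITS[candidates[0]]


def recharge_seconds(rate_per_second: float, burst: int) -> float:
    """Seconds for a fully drained burst to be regained: burst credits at one per 1/rate seconds."""
    return burst / rate_per_second


def check_rule(spec: str, burst: int) -> Tuple[float, bool]:
    """Return (recharge time in seconds, whether it stays under the ~59 hour cap)."""
    seconds = recharge_seconds(parse_limit(spec), burst)
    return seconds, seconds <= MAX_RECHARGE_SECONDS


def limit_match(arrivals: Iterable[float], spec: str = "3/hour", burst: int = 5) -> List[bool]:
    """For each packet arrival time (seconds, non-decreasing), say whether the rule matches.

    Model assumption: credits refill continuously at `rate` per second up to `burst`,
    and a packet matches only when a whole credit is available.
    """
    interval = 1.0 / parse_limit(spec)   # seconds to regain one credit (1200 s for 3/hour)
    credits = float(burst)               # bucket starts full, so the first `burst` packets match
    last = None
    matched: List[bool] = []
    for t in arrivals:
        if last is not None:
            credits = min(float(burst), credits + (t - last) / interval)
        last = t
        if credits >= 1.0:
            credits -= 1.0
            matched.append(True)
        else:
            matched.append(False)
    return matched


if __name__ == "__main__":
    # Constructed sample: ten packets at once, one just under and one at twenty minutes,
    # then six packets after a further 100 minutes of silence.
    sample = [0.0] * 10 + [1199.0, 1200.0] + [7200.0] * 6
    for t, hit in zip(sample, limit_match(sample)):
        print(f"t={t:7.0f}s  {'LOG' if hit else 'drop'}")
    for spec, burst in (("1/day", 3), ("1/day", 2)):
        seconds, ok = check_rule(spec, burst)
        print(f"--limit {spec} --limit-burst {burst}: recharge {seconds/3600:.0f} h, {'ok' if ok else 'too long'}")
```

With the defaults the model reproduces the HOWTO's description: five matches at once, nothing at 1199 s, a match at 1200 s, and a refilled bucket of five after 100 quiet minutes. `check_rule` also shows why `1/day` with a burst of 3 is rejected (72 hours to recharge) while a burst of 2 (48 hours) is accepted.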