[wplug] 3/hour Limit

Kubbie squeakers2k at icqmail.com
Fri Dec 13 18:17:36 EST 2002


Thanks.

-----Original Message-----
From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On Behalf Of Robert Dale
Sent: Thursday, December 12, 2002 10:53 AM
To: wplug at wplug.org
Subject: Re: [wplug] 3/hour Limit


On Thu, 12 Dec 2002, Kubbie wrote:

> Confusion about this limit for the firewall.  What exactly is it?  It will
> only write to syslog 3 times per hour, or it will only to syslog if the same
> block happens 3 times in an hour?
>
> Read several documents on this and none really explain it very well... they
> seem to be talking more about the syntax rather than what it is really
> doing.  I don't know if I should adjust this or not to have it monitor more
> often.

I thought it was pretty well explained in the iptables HOWTO...

http://www.linuxguruz.org/iptables/howto/iptables-HOWTO-6.html

Here is the relevant section:
--------------------------------------------------------------------------
limit

    This module must be explicitly specified with `-m limit' or `--match
limit'. It is used to restrict the rate of matches, such as for suppressing
log messages. It will only match a given number of times per second (by
default 3 matches per hour, with a burst of 5). It takes two optional
arguments:

--limit

    followed by a number; specifies the maximum average number of matches to
allow per second. The number can specify units explicitly, using `/second',
`/minute', `/hour' or `/day', or parts of them (so `5/second' is the same as
`5/s').

--limit-burst

    followed by a number, indicating the maximum burst before the above limit
kicks in.

This match can often be used with the LOG target to do rate-limited logging.
To understand how it works, let's look at the following rule, which logs
packets with the default limit parameters:

# iptables -A FORWARD -m limit -j LOG

The first time this rule is reached, the packet will be logged; in fact, since
the default burst is 5, the first five packets will be logged. After this, it
will be twenty minutes before a packet will be logged from this rule,
regardless of how many packets reach it. Also, every twenty minutes which
passes without matching a packet, one of the burst will be regained; if no
packets hit the rule for 100 minutes, the burst will be fully recharged; back
where we started.

You cannot currently create a rule with a recharge time greater than about 59
hours, so if you set an average rate of one per day, then your burst rate must
be less than 3.

------------------------------------------------------------------------------

--
Robert Dale


_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug
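The HOWTO text quoted above describes `-m limit` as a token bucket: a bucket of `--limit-burst` tokens, refilled at the `--limit` rate, where a packet matches only if a token is available. The following Python model is an added example for this archive page; it is not code from the thread, from the iptables HOWTO or from netfilter. It reproduces that arithmetic so you can predict how many lines a rate-limited LOG rule will actually emit under a flood, and check the 59-hour recharge caveat before choosing a burst. Time is modelled in whole seconds with exact fractions; the real kernel module keeps its credit in kernel ticks, which this simplification does not reproduce.

```python
"""Token-bucket model of the iptables `-m limit` match (added example)."""
from fractions import Fraction
from typing import Iterable

# Seconds per unit accepted by --limit, including the short forms the HOWTO mentions.
UNIT_SECONDS = {
    "second": 1, "sec": 1, "s": 1,
    "minute": 60, "min": 60, "m": 60,
    "hour": 3600, "h": 3600,
    "day": 86400, "d": 86400,
}


def parse_limit(spec: str) -> Fraction:
    """Turn a --limit argument such as '3/hour' or '5/s' into matches per second.

    A bare number means per second, as the HOWTO describes.
    """
    number, _, unit = spec.partition("/")
    count = int(number)
    if count <= 0:
        raise ValueError(f"--limit must be a positive count: {spec!r}")
    return Fraction(count, UNIT_SECONDS[unit or "second"])


class LimitMatch:
    """Model of one `-m limit --limit RATE --limit-burst BURST` rule (not the kernel code)."""

    def __init__(self, limit: str = "3/hour", burst: int = 5) -> None:
        if burst < 1:
            raise ValueError("--limit-burst must be at least 1")
        self.rate = parse_limit(limit)      # tokens regained per second
        self.burst = burst                  # bucket capacity; the bucket starts full
        self.tokens = Fraction(burst)
        self.last = 0                       # arrival time of the previous packet

    def matches(self, now: int) -> bool:
        """Return True if a packet arriving at `now` (seconds, non-decreasing) passes the limit."""
        if now < self.last:
            raise ValueError("packet times must be non-decreasing")
        # Regain credit for the time elapsed since the last packet, capped at the burst.
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def seconds_to_recharge(self) -> Fraction:
        """Time for an empty bucket to refill completely: burst / rate."""
        return Fraction(self.burst) / self.rate


def count_matches(rule: LimitMatch, arrival_times: Iterable[int]) -> int:
    """Count how many of the packets arriving at the given times the rule would log."""
    return sum(1 for t in arrival_times if rule.matches(t))


def recharge_within_limit(limit: str, burst: int, max_hours: int = 59) -> bool:
    """Check the HOWTO's caveat that the recharge time must stay under about 59 hours."""
    return LimitMatch(limit, burst).seconds_to_recharge() <= max_hours * 3600


if __name__ == "__main__":
    rule = LimitMatch()                                   # the HOWTO's defaults: 3/hour, burst 5
    print([rule.matches(0) for _ in range(6)])            # five logged, the sixth is not
    print(rule.matches(1199), rule.matches(1200))         # one token is back after twenty minutes
    print(LimitMatch().seconds_to_recharge() / 60)        # full recharge takes 100 minutes
    print(count_matches(LimitMatch(), range(86400)))      # a day-long 1 packet/s flood
    print(recharge_within_limit("1/day", 3), recharge_within_limit("1/day", 2))
```

Run against the defaults, the model gives exactly the figures in the quoted text: five packets logged immediately, the next one only twenty minutes later, and a full burst back after 100 minutes of silence. The flood case is the number a defender cares about: a packet every second for a whole day produces only 76 log lines, which is why the default suits a LOG rule on a busy FORWARD chain. The last line shows the 59-hour caveat, where `1/day` with a burst of 3 is rejected and a burst of 2 fits.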




