On Fri, Nov 05, 2004 at 05:57:18PM +0000, Baruch Even wrote:
>On Fri, 2004-11-05 at 17:13, George Georgalis wrote:
>> On Fri, Nov 05, 2004 at 03:04:34PM +0000, Baruch Even wrote:
>>
>> >ESTABLISHED,RELATED
>> >NEW
>> >INVALID
>> >pick two to cover the spectrum of attacks.
>>
>> Why not all three in this order...
>>
>> INVALID -j REJECT
>> ESTABLISHED,RELATED -j ACCEPT
>> NEW -j ACCEPT (if allowed)
>
>If you checked INVALID and ESTABLISHED, the rest has to be NEW. You can
>check it if you want for completeness, you can avoid checking it to save
>a few bits compared.
Performance isn't really an issue for me. But I do accept only certain new connections from certain networks. And for anybody who is interested, I've found the limit function works well to manage logging and types of deny.

-m limit --limit-burst 50 --limit 1/s

At the end of my "NEW ACCEPT" set, I call a chain that, within the limit, logs and rejects remaining connections; beyond the limit it returns. The next two rules log some (with limit again) of the remaining connections and drop them all. The setup gives a balance between the problems of logging and rejecting everything bad and just dropping everything bad.

// George

--
George Georgalis, systems architect, administrator Linux BSD IXOYE http://galis.org/george/ cell:646-331-2027 mailto:[EMAIL PROTECTED]
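The INPUT layout George describes, written out as an added example (not code from the thread): a script that emits an iptables-restore ruleset with INVALID rejected first, ESTABLISHED,RELATED accepted, NEW accepted only from allowed networks, then a rate-limited log-and-reject chain that returns once the limit is exceeded, followed by a limited log and an unconditional drop. The network ranges, ports, chain name and log prefixes are assumed placeholders.

```shell
#!/bin/sh
# Added example: generate (not apply) an iptables-restore ruleset for the
# INPUT chain structure discussed above. Values below are constructed.
ALLOWED_NETS="192.0.2.0/24 198.51.100.0/24"   # RFC 5737 test ranges, placeholder
ALLOWED_PORTS="22 80 443"                     # services that may receive NEW
LIMIT="1/s"                                   # same values as in the thread
BURST="50"
LIM="-m limit --limit $LIMIT --limit-burst $BURST"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LIMITED_REJECT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # The "NEW ACCEPT" set: one rule per allowed network and port.
    for net in $ALLOWED_NETS; do
        for port in $ALLOWED_PORTS; do
            echo "-A INPUT -s $net -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Everything left is unwanted: within the limit, log and reject it
    # (LOG is non-terminating, so both limit buckets drain in step);
    # beyond the limit the chain RETURNs to INPUT.
    # Back in INPUT, log a limited sample of the excess, then drop all of it.
    cat <<EOF
-A INPUT -j LIMITED_REJECT
-A INPUT $LIM -j LOG --log-prefix "DROP-excess: "
-A INPUT -j DROP
-A LIMITED_REJECT $LIM -j LOG --log-prefix "REJECT: "
-A LIMITED_REJECT $LIM -j REJECT
-A LIMITED_REJECT -j RETURN
COMMIT
EOF
}

gen_rules
```

Review the output, then load it as root with iptables-restore; the counter brackets make it safe to replay.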