On 2019-01-10, Aaron Mason <simplersolut...@gmail.com> wrote:
> On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson <s...@spacehopper.org> wrote:
>>
>> On 2019-01-09, Aaron Mason <simplersolut...@gmail.com> wrote:
>> > Hi Jordan
>> >
>> > I've set it up to try it, but I'm not having much luck.  Even when I
>> > trigger more than one, it still doesn't populate the bad_hosts table,
>> > even again when I extend the rate period to 86400 seconds.  I've added
>> > logging so I know the rule is triggering.  See below.
>>
>> max-src-conn-rate is only triggered when a TCP connection is
>> established, you need to have something listening (and it will only
>> trigger on the *second* connection).
>>
> I knew it wouldn't trigger on the first attempt, but I had a sneaking
> suspicion that you'd need something to listen on that port.  Is there
> a way to achieve what we seek, in that case, without userland tools?

No.

But you could probably manage it with just one listening port to cover
all the ones you're interested in (via rdr-to).
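One way to put Stuart's suggestion into a pf.conf, as an added example that is not from the thread: every port to be watched is funnelled with rdr-to to a single local listener, so the TCP handshake completes and max-src-conn-rate can count it. It assumes an interface group `egress`, a local daemon that accepts connections on 127.0.0.1 port 9999 (the userland listener the thread says cannot be avoided), and a watched-port list chosen here for illustration.

```pf
# Constructed example: one listener behind several watched ports.
# The rate 1/86400 is taken from the thread's 86400 s window; with it,
# a source is overloaded on its second established connection in a day.

table <bad_hosts> persist
watch_ports = "{ 22 23 3389 }"

# Funnel all watched ports to one local listener (assumed to be running
# on 127.0.0.1 port 9999). Without a listener the handshake never
# completes and max-src-conn-rate never fires.
match in on egress proto tcp from any to (egress) port $watch_ports \
    rdr-to 127.0.0.1 port 9999

# Drop anything already in the table first.
block in quick on egress from <bad_hosts>

# Filter rules see the translated destination. The state is created on
# the established connection, and exceeding the rate adds the source to
# <bad_hosts> and flushes all of its states.
pass in log on egress proto tcp from any to 127.0.0.1 port 9999 \
    flags S/SA keep state \
    (max-src-conn-rate 1/86400, overload <bad_hosts> flush global)
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -t bad_hosts -T show` lists the sources that have been overloaded.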
