On Mon, Mar 17, 2003 at 11:15:24AM +0800, NortonNg wrote:
> ipfw limit option is easy to DoS.
> for example: ipfw add tcp from any to 80 limit 1000
We're talking about src-addr, which enforces a limit per rule/source IP. It is only DOSable for the TCP protocol if you can spoof IP addresses and reliably predict TCP ISNs. There are a lot of arguments against this kind of limit, but per rule/source IP pairs are at least less DOSable than plain per rule limits. Or through a DDOS, but a firewall rule can hardly protect against this.

-- 
 __  /*-     Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>     -*\  __
 \ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/
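The difference the reply is drawing, a plain per-rule `limit` versus `limit src-addr N`, is easy to see with a small state-table model. The block below is an added example, not ipfw's own code and not something either poster wrote: it keeps one dynamic state per (source, port), creates it on the SYN, and lets half-open states expire after a short lifetime, which mirrors the idea behind ipfw's net.inet.ip.fw.dyn_syn_lifetime / dyn_ack_lifetime sysctls (the 20 s and 300 s values, the client address 192.0.2.10, the 10.x.y.1 forged sources and the limit of 100 are all constructed assumptions). It then replays three attacks: a SYN flood from many forged sources, the same flood forged to look like the one legitimate client, and that flood with the handshake completed as well, which is what ISN prediction would buy an attacker.

```python
"""Toy model of ipfw 'limit' vs 'limit src-addr N' (added example, not ipfw code)."""

SYN_LIFETIME = 20    # seconds a half-open state lives (assumed, like dyn_syn_lifetime)
ACK_LIFETIME = 300   # seconds an established state lives (assumed, like dyn_ack_lifetime)
CLIENT = "192.0.2.10"  # constructed address of the one legitimate client


class LimitRule:
    """One 'limit' rule. per_source=False is a plain per-rule limit,
    per_source=True is 'limit src-addr N'."""

    def __init__(self, max_states, per_source):
        self.max_states = max_states
        self.per_source = per_source
        self.states = {}  # (src, sport) -> expiry time

    def _bucket(self, src):
        # plain limit: everything shares one counter; src-addr: one counter per source
        return src if self.per_source else "*"

    def _purge(self, now):
        self.states = {k: exp for k, exp in self.states.items() if exp > now}

    def in_use(self, src, now):
        """Number of live states counted against the bucket this source falls in."""
        self._purge(now)
        bucket = self._bucket(src)
        return sum(1 for (s, _p) in self.states if self._bucket(s) == bucket)

    def syn(self, src, sport, now):
        """A SYN ('setup') packet: allowed only if the bucket is not full."""
        if self.in_use(src, now) >= self.max_states:
            return False
        self.states[(src, sport)] = now + SYN_LIFETIME
        return True

    def handshake_done(self, src, sport, now):
        """Final ACK seen: the state is now established and long-lived."""
        if (src, sport) in self.states:
            self.states[(src, sport)] = now + ACK_LIFETIME


def flood_from_many_sources(rule, n_syns, now=0):
    """Spoofed SYNs, each from a different forged source (constructed 10.x.y.1)."""
    for i in range(n_syns):
        rule.syn("10.%d.%d.1" % (i // 256, i % 256), 40000, now)


def flood_spoofing_client(rule, n_syns, complete_handshake, now=0):
    """Spoofed SYNs all forged to come from CLIENT. If the attacker can predict
    the server's ISN it can also forge the final ACK and make each state long-lived."""
    for i in range(n_syns):
        sport = 40000 + i
        if rule.syn(CLIENT, sport, now) and complete_handshake:
            rule.handshake_done(CLIENT, sport, now)


def client_can_connect(rule, now):
    return rule.syn(CLIENT, 55555, now)


def scenario(per_source, attack, complete_handshake=False):
    """Return (client accepted right after the flood, client accepted once
    half-open states have expired)."""
    rule = LimitRule(max_states=100, per_source=per_source)
    if attack == "many-sources":
        flood_from_many_sources(rule, 1000)
    else:
        flood_spoofing_client(rule, 1000, complete_handshake)
    return (client_can_connect(rule, now=1),
            client_can_connect(rule, now=SYN_LIFETIME + 1))


if __name__ == "__main__":
    for per_source in (False, True):
        kind = "limit src-addr 100" if per_source else "limit 100"
        for attack, hs in (("many-sources", False),
                           ("spoof-client", False),
                           ("spoof-client", True)):
            print("%-20s %-13s handshake=%-5s -> %s"
                  % (kind, attack, hs, scenario(per_source, attack, hs)))
```

With a plain per-rule limit the forged-source flood fills the single counter and the real client is refused until the half-open states age out; with `limit src-addr` those forged sources each occupy their own bucket and the client gets through immediately. Only a flood forged with the client's own address locks that client out, and only when the attacker can also complete the handshake (ISN prediction) does the lockout survive the half-open expiry, which is the reply's point.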