Dear Michael,

> > I applied these rules:
> >
> > -A INPUT --protocol udp --dport ntp --match hashlimit --hashlimit 100/hour
> > --hashlimit-mode srcip --hashlimit-name ntp_ratelimit --jump ACCEPT
>
> This will most likely not do what you want, as you're not setting
> --hashlimit-htable-expire, and IIRC it defaults to 10 seconds or
> something equally ridiculous. That means IPs that do not send any

Uhm... I don't find the correct default value documented. However, at this moment firewall logs and tcpdump show that the filtered hosts send queries zealously every few seconds. Maybe I could discard more clients... At least I did not drop reasonable traffic. :-)

> I do not see a --hashlimit-srcmask either, but that would probably make
> sense.

I do not agree. I don't want to punish hosts near to stupid ones.

> Last but not least I think a limit of 100/hour does not make much sense.

Any better estimation? :-)

Cheers
Gabor

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
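To make Michael's objection concrete, here is an added simulation (not code from the thread or from netfilter) of how a per-source hashlimit entry behaves under the rule above: a token bucket per source IP, refilled at 100/hour, whose idle entries are discarded after --hashlimit-htable-expire milliseconds and recreated with a full burst. It assumes the iptables default burst of 5, a constructed client 192.0.2.10, and compares the 10 s expire Michael recalls against a one-hour expire.

```python
# Simplified model of the netfilter hashlimit match (added example, not the
# kernel's code): one token bucket per srcip, refilled at the configured rate.
# Entries idle longer than htable-expire are dropped; the next packet from that
# source creates a fresh entry with a full burst, so a short expire lets a
# client that pauses briefly between queries bypass a slow limit like 100/hour.
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600.0


@dataclass
class Bucket:
    tokens: float      # credits still available to this source
    last_seen: float   # time of the last packet from this source


class HashLimit:
    def __init__(self, rate_per_hour, burst=5, htable_expire_ms=10_000):
        self.refill_per_sec = rate_per_hour / SECONDS_PER_HOUR
        self.burst = burst                        # --hashlimit-burst (default 5)
        self.expire = htable_expire_ms / 1000.0   # --hashlimit-htable-expire
        self.table = {}

    def match(self, src_ip, now):
        """True when the packet is within the limit (the rule would ACCEPT it)."""
        b = self.table.get(src_ip)
        if b is None or now - b.last_seen > self.expire:
            # entry expired or never existed: start over with a full burst
            b = Bucket(tokens=float(self.burst), last_seen=now)
            self.table[src_ip] = b
        else:
            elapsed = now - b.last_seen
            b.tokens = min(self.burst, b.tokens + elapsed * self.refill_per_sec)
            b.last_seen = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def accepted_fraction(htable_expire_ms, interval_s=15.0, duration_s=3600.0,
                      rate_per_hour=100):
    """Share of packets that pass for one constructed client (192.0.2.10)
    sending one query every interval_s seconds for duration_s seconds."""
    hl = HashLimit(rate_per_hour, htable_expire_ms=htable_expire_ms)
    n = int(duration_s // interval_s)
    passed = sum(hl.match("192.0.2.10", i * interval_s) for i in range(n))
    return passed / n


if __name__ == "__main__":
    print("expire 10 s  :", accepted_fraction(10_000))     # every query passes
    print("expire 1 h   :", accepted_fraction(3_600_000))  # roughly 100/hour + burst
```

With a 10 s expire a client querying every 15 s is never limited at all, while a one-hour expire holds it close to the intended 100/hour plus the initial burst.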
