Re: [Fwbuilder-discussion] rate-limiting smtp traffic
From: <va...@vk...> - 2006-04-30 23:46:44
On Apr 30, 2006, at 3:30 PM, Steve Wray wrote:

> Hi there,
>
> I found this interesting post on a mailing list:
>
> http://lists.roaringpenguin.com/pipermail/mimedefang/2003-May/014352.html
>
> Looks interesting. He says:
>
> <snippet>
> snippet from the firewall script:
> ---------------------------------
>
> iptables=/usr/local/sbin/iptables
>
> # log packet and drop it
> $iptables -A log_reject -m limit --limit 5/m -j LOG
> $iptables -A log_reject -j REJECT
>
> # input
> # Limit new smtp connections to 10 per host - this should take care of stupid
> # exchange servers trying to open hundreds of concurrent smtp sessions when sending mail
> # to several domains at once.
> $iptables -A INPUT -p tcp --syn --dport smtp -m iplimit --iplimit-above 10 -j log_reject
>
> I've been using this in production for ~6 months now - works like a charm and
> reliably keeps server load at a reasonable level without limiting normal
> operations.
> <\snippet>

There are some differences between this and what you get if you use the limiting option in fwbuilder rule options. Firewall Builder compiles it into parameters for the "limit" module rather than iplimit. The iplimit module is a relatively recent addition to iptables, while the "limit" module has been there forever. Anyway, you should be able to achieve the same effect with "limit". I use a similar approach to rate limit SSH connections to my server.

> I have had a go at implementing this in fwbuilder but it doesn't
> appear to work.
>
> I used the 'rule matches if it hits this often or less' and set
> that to 5/second with a burst parameter of 1 (for testing I figured
> this would make it more sensitive).

How does the rule look? Is there any other rule above or below it that matches the same source, destination and protocol?

> I'm not actually sure how to test it either. I set this running
> against a mail server behind a firewall with my fwbuilder
> implementation on it:
>
> while true; do nmap -sS -p25 mailtest ; done

This test should work.

--vk
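An added shell example, not code from this thread or from Firewall Builder, that writes out both variants discussed above: the global "limit" match that fwbuilder compiles to, and the per-host cap of the quoted iplimit rule, written with connlimit, the match that replaced iplimit in later iptables releases. The chain name `log_reject` and the 5/second, burst 1 and 10-per-host values come from the thread; the log prefix and the tcp-reset reject type are my choices, and passing `echo` in place of an iptables path prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example: two ways to rate-limit new SMTP connections with iptables.
# $1 is the iptables binary (or "echo" for a dry run that only prints rules).

# Logging chain from the quoted script: log at most 5 lines/minute, then reject.
log_reject_chain() {
    "$1" -N log_reject
    "$1" -A log_reject -m limit --limit 5/minute -j LOG --log-prefix "smtp-limit: "
    "$1" -A log_reject -j REJECT --reject-with tcp-reset
}

# Variant 1: the "limit" match, which is what the fwbuilder rule option compiles
# to. It is ONE token bucket shared by all sources, so it caps the total rate of
# new SMTP connections at $2 per second (burst $3), not the rate per sender.
# The second rule is essential: it catches the SYNs above the rate; without it
# they simply fall through to whatever follows in INPUT and nothing is limited.
smtp_limit_global() {
    "$1" -A INPUT -p tcp --syn --dport 25 -m limit --limit "$2"/second --limit-burst "$3" -j ACCEPT
    "$1" -A INPUT -p tcp --syn --dport 25 -j log_reject
}

# Variant 2: per-source cap, the semantics of the quoted iplimit rule. connlimit
# counts concurrent connections per source address; more than $2 -> log_reject.
smtp_limit_per_host() {
    "$1" -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above "$2" -j log_reject
}

# Dry run by default; run as root with the argument "apply" to install variant 1.
if [ "${1:-}" = "apply" ]; then IPT=iptables; else IPT=echo; fi
log_reject_chain "$IPT"
smtp_limit_global "$IPT" 5 1
```

Install only one variant at a time: if variant 1 is loaded first, its ACCEPT rule takes the traffic before a connlimit rule below it is ever consulted.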