- assigned_to: nobody --> frigido
Wish list:
1) It should be possible to define a -m limit match for the
accept rules in order to protect the DMZ servers against
a DoS attack, as well as the FW in case of a reverse
attack from the DMZ.
2) It should be possible to specify whether we want to
LOG&DROP or simply DROP the packets (DoS-by-log
protection).
3) It should be possible to define the LOG rate (instead
of the hardcoded limit of 3/minute, which may be too low
when launching and testing the FW rules, especially
when looking for dropped packets from the DMZ).
4) It should be possible to configure a user defined
service and add it to the list of predefined services.
5) It should be possible to group several services (e.g.
ssh, webmin, telnet) into one (e.g. a management service).
6) [1 & 5] + [the possibility to group several entities
together] would allow defining rate-limited rules either
globally (from several hosts to the services of several
servers) or from a single-connection perspective (one host
to one service).
NOTE: except for [6], the other points seem to me a
prerequisite for a decent FW.
kr,
-jm-
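As an added example, not part of this tracker entry and not the project's own code, the following script shows how points 1, 2, 3 and 5 of the wish list above map onto stock iptables matches: a rate-limited ACCEPT for new connections (-m limit), a drop chain that either LOGs then DROPs or just DROPs, a LOG rate passed as a parameter instead of a hardcoded 3/minute, and a "management" service built from several ports with -m multiport. The interface name, addresses, port numbers and rates are assumptions chosen for illustration; it prints the rules by default (IPT="echo iptables") so it can be inspected without root, and is applied for real by running it as root with IPT=iptables.

```shell
#!/bin/sh
# Added example: iptables rules for wish-list points 1, 2, 3 and 5.
# Not the project's code. Interface, addresses, ports and rates are
# assumptions. Dry run by default: IPT="echo iptables" prints the rules
# instead of loading them; run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

DMZ_IF="eth1"                # assumed DMZ interface of the firewall
DMZ_NET="192.0.2.0/24"       # assumed DMZ network (RFC 5737 test range)
ADMIN_HOST="198.51.100.10"   # assumed management station

# Point 5: one "management" service grouping ssh, webmin and telnet.
# -m multiport takes up to 15 comma-separated ports in a single rule.
MGMT_PORTS="22,10000,23"     # webmin on its default 10000 is an assumption

# Point 1: an ACCEPT rule that only matches the first $rate new connections
# (plus a burst); anything above that falls through to the chain's final
# drop rule instead of reaching the DMZ server (or the firewall itself).
limited_accept() {
    chain="$1" src="$2" dst="$3" ports="$4" rate="$5" burst="$6"
    $IPT -A "$chain" -p tcp -s "$src" -d "$dst" \
        -m multiport --dports "$ports" -m conntrack --ctstate NEW \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
}

# Points 2 and 3: a terminating chain that either LOGs then DROPs, or just
# DROPs, with the LOG rate a parameter instead of a hardcoded 3/minute.
# The LOG rule is itself rate-limited so a flood of rejected packets cannot
# fill the disk with log lines (the "DoS by log" of point 2).
make_drop_chain() {
    chain="$1" mode="$2" lograte="${3:-3/minute}"
    $IPT -N "$chain"
    if [ "$mode" = "log" ]; then
        $IPT -A "$chain" -m limit --limit "$lograte" --limit-burst 10 \
            -j LOG --log-prefix "$chain: " --log-level 4
    fi
    $IPT -A "$chain" -j DROP
}

# Wire it together. Established traffic must be accepted first: the limit
# match only sees NEW connections, so without this line the later packets
# of an accepted connection would fall into the drop chain.
build_ruleset() {
    make_drop_chain DMZ_TO_FW log 30/minute   # verbose while testing (point 3)
    make_drop_chain TO_DMZ drop               # silent drop (point 2)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    limited_accept FORWARD "$ADMIN_HOST" "$DMZ_NET" "$MGMT_PORTS" 10/minute 5
    $IPT -A FORWARD -o "$DMZ_IF" -j TO_DMZ
    $IPT -A INPUT -i "$DMZ_IF" -s "$DMZ_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$DMZ_IF" -s "$DMZ_NET" -j DMZ_TO_FW
}

build_ruleset
```

The limit in the ACCEPT rule is deliberately combined with --ctstate NEW: rate-limiting every packet of a connection would throttle legitimate sessions, while limiting only connection attempts caps how fast a flood can open sessions towards the DMZ (or from the DMZ back to the firewall) without touching traffic already accepted. Lowering the LOG rate again once the rules are verified keeps the DMZ_TO_FW chain from becoming the log-flood vector point 2 warns about.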