using match limit
S. Shore
sshore@escape.ca
Mon, 14 Jan 2002 16:22:47 -0600 (CST)
On Mon, 14 Jan 2002, Daniel F. Chief Security Engineer - wrote:
> I'm kind of fuzzy on the whole --limit-burst "thing" versus --limit, or more
> specifically in conjunction with it. I did not find much documentation for
> it (match limit).
From the iptables manpage:
--limit rate
Maximum average matching rate: specified as a number,
with an optional `/second', `/minute', `/hour', or
`/day' suffix; the default is 3/hour.
--limit-burst number
The maximum initial number of packets to match:
this number gets recharged by one every time the
limit specified above is not reached, up to this
number; the default is 5.
The rule with --limit-burst would allow bursts up to 50 packets/second,
but only a sustained rate of 30/second. The other rule would allow 50
packets/second all the time.
If the clients on the servers you run normally generate a little less than
30 packets/second, using the burst would allow short bursts above that for
e.g. delayed packets, without being limited.
It would definitely work to keep the bandwidth in line, providing you used
the right numbers. You might consider adding a rule that rate-limits
outgoing game traffic too.
It would not make the game playable during a DoS, as the good packets
would be thrown out with the bad (there's no way to tell them apart).
Scottie Shore <sshore@escape.ca>
"Experience is that marvelous thing that enables you to recognize
a mistake when you make it again." -- F. P. Jones
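As an added example (not part of the original post or of iptables itself), the following Python models the limit match as the token bucket the manpage describes: a bucket of --limit-burst tokens that starts full, recharges at the --limit rate and is capped at the burst size, with each matching packet spending one token. It uses exact Fraction arithmetic so the counts are reproducible; the kernel's own implementation does integer credit accounting in jiffies, so real counts can differ by a few packets. The rate parser treats a bare number as per second, which is what the iptables userspace parser does; the prefix matching of suffixes (e.g. "/sec") is an assumption about that parser, not something the post states. The arrival-time helpers and the scenarios are constructed for illustration.

```python
"""Token-bucket model of iptables' "limit" match (--limit / --limit-burst).

Added example, not code from the original post. It reproduces the
manpage semantics: a bucket of `burst` tokens, refilled at `rate`
tokens per second up to `burst`, one token spent per matching packet.
"""
from fractions import Fraction
from typing import Iterable, List

# Seconds in each period the --limit suffix may name.
_PERIOD_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str) -> Fraction:
    """Convert an iptables rate such as '30/second' or '3/hour' to packets/second.

    A bare number with no suffix is taken as per second (iptables' default);
    suffixes may be abbreviated by prefix ('/sec', '/min'), an assumption
    modelled on the userspace parser.
    """
    num, _, period = spec.partition("/")
    if not period:
        return Fraction(int(num))
    for name, seconds in _PERIOD_SECONDS.items():
        if name.startswith(period.lower()):
            return Fraction(int(num), seconds)
    raise ValueError(f"unknown rate period: {spec!r}")


class LimitMatch:
    """One rule's limit state: a token bucket of `burst` tokens, initially full."""

    def __init__(self, rate: str = "3/hour", burst: int = 5) -> None:
        self.rate = parse_rate(rate)        # tokens recharged per second (--limit)
        self.burst = burst                  # bucket capacity (--limit-burst)
        self.tokens = Fraction(burst)       # "maximum initial number of packets"
        self.last = Fraction(0)             # time of the previous packet

    def matches(self, now: Fraction) -> bool:
        """Return True if a packet arriving at time `now` matches, spending a token."""
        if now < self.last:
            raise ValueError("arrival times must be non-decreasing")
        # Recharge for the time elapsed since the last packet, capped at the burst.
        self.tokens = min(Fraction(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def count_matches(rate: str, burst: int, arrivals: Iterable[Fraction]) -> int:
    """Number of packets from `arrivals` (sorted times in seconds) that match the rule."""
    rule = LimitMatch(rate, burst)
    return sum(1 for t in arrivals if rule.matches(t))


def steady_stream(pps: int, seconds: int) -> List[Fraction]:
    """Constructed arrivals: a constant `pps` packets/second for `seconds` seconds."""
    return [Fraction(i, pps) for i in range(pps * seconds)]


def burst_at(t: int, n: int) -> List[Fraction]:
    """Constructed arrivals: `n` packets all arriving at the same instant `t`."""
    return [Fraction(t)] * n


if __name__ == "__main__":
    # The rule discussed in the post: --limit 30/second --limit-burst 50
    print(count_matches("30/second", 50, burst_at(0, 100)))                    # 50 of a 100-packet burst
    print(count_matches("30/second", 50, burst_at(0, 100) + burst_at(1, 100)))  # 80: 30 tokens recharged in 1 s
    print(count_matches("30/second", 50, steady_stream(25, 10)))                # 250: under the rate, all match
    print(count_matches("30/second", 50, steady_stream(50, 10)))                # 349: initial 50 plus ~30/s
    # "The other rule": --limit 50/second with the default burst of 5
    print(count_matches("50/second", 5, burst_at(0, 100)))                     # 5: tiny bucket, burst mostly dropped
    print(count_matches("50/second", 5, steady_stream(50, 10)))                # 500: 50/s sustained all the time
```

The 50/s stream against the 30/s, burst-50 rule shows the point of the post: the first 50 packets get through on the initial bucket, then only about 30 per second do, good and bad packets alike, since the match sees only timing. The 25/s stream under the same rule is never limited because the bucket refills faster than it drains, so occasional bursts of delayed packets are absorbed.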