search for: subchain

Displaying 8 results from an estimated 8 matches for "subchain".

2015 Mar 02
0
IP drop list
...lls is the average number of rules a packet has to be matched against, and the two main tools to help with that are (if I may use iptables lingo here) a) --state ESTABLISHED to get everything but the connection-initiating packets out of the way ASAP and b) branching tree-like into dedicated-purpose subchains, rather than building linear lists. Assuming that the IPs to be blocked are randomly distributed, I'd try something along the following lines: [main chain] --state ESTABLISHED,RELATED -j ACCEPT -p tcp --dport pop3 -j dove-blocks -p tcp --dport imap -j dove-blocks [subchain dove-blocks] -d 1...
2015 Mar 01
12
IP drop list
I wonder if there is an easy way to provide dovecot a flat text file of ipv4 #'s which should be ignored or dropped? I have accumulated 45,000+ IPs which routinely try dictionary and 12345678 password attempts. The file is too big to create firewall drops, and I don't want to compile with wrappers *if* dovecot has an easy ability to do this. If dovecot could parse a flat text file of
2008 Aug 19
4
Simple IPTABLES Question
I added these rules to IPTABLES to slow brute force attacks. iptables -A INPUT -p tcp --dport 22 -s my_subnet/24 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP I would like log entries when connections are dropped to see
2004 Oct 06
2
Huge system load using HTB
...add dev $DEV parent 1:${CLASS_ID} handle ${CLASS_ID}: \ sfq perturb 10 tc filter add dev $DEV parent 1: protocol ip prio 17 u32 \ match ip dst "$IP" flowid 1:${CLASS_ID} iptables -A "$CHAIN_NAME" -t mangle -s "$IP" -j MARK --set-mark $CLASS_ID I use iptables subchains, so that every chain contains 32 entries. I have recently upgraded from RedHat 9.0 to Fedora Core 2. I cannot turn back to RH9, because I had other problems with that. I use kernel 2.6.8-1.521 (the problem was the same with original kernel). I didn't recompile it. THE PROBLEM: When I...
2020 Jun 18
10
[Bug 1434] New: Usability improvements, enabling creation of complex firewalls
https://bugzilla.netfilter.org/show_bug.cgi?id=1434 Bug ID: 1434 Summary: Usability improvements, enabling creation of complex firewalls Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft
2017 Dec 29
1
OpenVPN server and firewalld
On Fri, Dec 29, 2017 at 10:32 AM, Kenneth Porter <shiva at sewingwitch.com> wrote: > How do I insert the iptables rule below using firewalld? > > I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to > get OpenVPN working to allow home workers to access PCs at the office. I've > got it all working but only by manually inserting an ACCEPT rule in
2020 Jun 16
2
firewall help request (solved)
At 03:47 PM 6/16/2020, Kenneth Porter wrote: >The rule is in the wrong chain. The INPUT chain affects packets that >terminate at the same machine. You want to block packets that will >be passed on to the Internet, so your rule needs to be in the >FORWARD chain. (The OUTPUT chain affects packets that originate at >your machine.) > >Here's a nice collection of diagrams
2005 Aug 15
11
Hardware Configuration Ideas
Hey guys, I am planning to buy some components for a Linux router that will handle the Internet access of 200 computers (includes tc shaping) and some inter sub-network routing (at least 100MBps per eth - and there are 3 eth cards). I was thinking of a: Pentium 4 - 3GHz 256 or 512MB RAM Network Cards. Now - I wonder what is more important: the processor speed or the amount of RAM. And can you