Displaying 9 results from an estimated 9 matches for "subchains".
2015 Mar 02
0
IP drop list
...lls
is the average number of rules a packet has to be matched against, and
the two main tools to help with that are (if I may use iptables lingo
here) a) --state ESTABLISHED to get everything but the
connection-initiating packets out of the way ASAP and b) branching
tree-like into dedicated-purpose subchains, rather than building linear
lists. Assuming that the IPs to be blocked are randomly distributed,
I'd try something along the following lines:
[main chain]
--state ESTABLISHED,RELATED -j ACCEPT
-p tcp --dport pop3 -j dove-blocks
-p tcp --dport imap -j dove-blocks
[subchain dove-blocks]
-d 1....
2015 Mar 01
12
IP drop list
I wonder if there is an easy way to provide dovecot a flat text file of
ipv4 #'s which should be ignored or dropped?
I have accumulated 45,000+ IPs which routinely try dictionary and
12345678 password attempts. The file is too big to create firewall
drops, and I don't want to compile with wrappers *if* dovecot has an
easy ability to do this. If dovecot could parse a flat text file of
2008 Aug 19
4
Simple IPTABLES Question
I added these rules to IPTABLES to slow brute force attacks.
iptables -A INPUT -p tcp --dport 22 -s my_subnet/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
I would like log entries when connections are dropped to see
2004 Oct 06
2
Huge system load using HTB
...add dev $DEV parent 1:${CLASS_ID} handle ${CLASS_ID}: \
sfq perturb 10
tc filter add dev $DEV parent 1: protocol ip prio 17 u32 \
match ip dst "$IP" flowid 1:${CLASS_ID}
iptables -A "$CHAIN_NAME" -t mangle -s "$IP" -j MARK --set-mark $CLASS_ID
I use iptables subchains, so that every chain contains 32 entries.
I have recently upgraded from RedHat 9.0 to Fedora Core 2. I cannot turn
back to RH9, because I had other problems with that.
I use kernel 2.6.8-1.521 (the problem was the same with original
kernel). I didn't recompile it.
THE PROBLEM:
When I...
2020 Jun 18
10
[Bug 1434] New: Usability improvements, enabling creation of complex firewalls
https://bugzilla.netfilter.org/show_bug.cgi?id=1434
Bug ID: 1434
Summary: Usability improvements, enabling creation of complex firewalls
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
2017 Dec 29
1
OpenVPN server and firewalld
On Fri, Dec 29, 2017 at 10:32 AM, Kenneth Porter <shiva at sewingwitch.com>
wrote:
> How do I insert the iptables rule below using firewalld?
>
> I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to
> get OpenVPN working to allow home workers to access PCs at the office. I've
> got it all working but only by manually inserting an ACCEPT rule in
2020 Jun 16
2
firewall help request (solved)
At 03:47 PM 6/16/2020, Kenneth Porter wrote:
>The rule is in the wrong chain. The INPUT chain affects packets that
>terminate at the same machine. You want to block packets that will
>be passed on to the Internet, so your rule needs to be in the
>FORWARD chain. (The OUTPUT chain affects packets that originate at
>your machine.)
>
>Here's a nice collection of diagrams
2024 Jul 13
2
[Bug 1758] New: Design flaw in chain traversal
...packets that are subjected to a drop verdict. Instead, drops take immediate
effect, with no further rules or chains being evaluated.
which is a design flaw.
Formerly, with iptables, there was one INPUT, OUTPUT, FORWARD chain, and
different tasks for different applications were implemented with subchains,
that were jumped into one after the other. All three final decisions accept,
reject, and drop were final and terminated processing, i.e. were reliable.
But since nftables invented the hooks where chains are registered in order to
keep different things apart, the logic is broken.
Let me expla...
2005 Aug 15
11
Hardware Configuration Ideas
Hey guys,
I am planning to buy some components for a Linux router that will handle the
Internet access of 200 computers (includes tc shaping) and some inter
sub-network routing (at least 100MBps per eth - and there are 3 eth cards).
I was thinking of a:
Pentium 4 - 3GHz
256 or 512MB RAM
Network Cards.
Now - I wonder what is more important: the processor speed or the amount of
RAM.
And can you