Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
linux:firewall [2011/01/10 12:13] greebo |
linux:firewall [2012/02/21 13:24] greebo |
||
|---|---|---|---|
| Line 163: | Line 163: | ||
| $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | $IPTB -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP | ||
| - | $IPTB -A INPUT -f -j LOG --log-prefix " | + | $IPTB -A INPUT -f -j LOG --log-prefix "Lost FRAGMENT> |
| $IPTB -A INPUT -f -j DROP | $IPTB -A INPUT -f -j DROP | ||
| Line 199: | Line 199: | ||
| # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) | # Log and drop ICMP fragments (shouldn not happen at all, but often used for DoS) | ||
| $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix " | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j LOG --log-prefix " | ||
| - | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -j DROP | + | $IPTB -A INPUT -i $INTERNET --fragment -p icmp -m hashlimit --hashlimit 10/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name icmp-frag |
| # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | # thou shall NOT block ALL ICMP, but only allow usefull ICMP types to pass trough | ||
