Date: Tue, 06 Oct 2020 19:39:54 -0700
From: Kenneth Porter
To: bloat
Subject: Re: [Bloat] netperf server news
Message-ID: <38F0B196CFEA470FEEBE0520@[172.27.17.193]>
In-Reply-To: <2F8AA6E5-93F7-4FB2-A57F-10F7642F3092@gmail.com>
References: <2F8AA6E5-93F7-4FB2-A57F-10F7642F3092@gmail.com>

--On Tuesday, October 06, 2020 7:52 AM -0400 Rich Brown wrote:

> 3) I would be pleased to get comments on the set of scripts. I'm a newbie
> at iptables, so it wouldn't hurt to have someone else check the rules I
> devised. See the README at https://github.com/richb-hanover/netperfclean

A couple of alternatives to custom scripts are fail2ban and the rate-limiting modules available for iptables, such as hashlimit and recent.

I haven't used fail2ban for rate-limiting, so I'm not sure if it's the right tool for that, but it monitors log files to add iptables rules for short-term banning. It's not hard to add your own log monitoring rule.

I haven't used the iptables modules, but they look like a natural solution for this.

Instead of using a unique iptables rule for each blocklist member, I suggest using an ipset. (I use firewalld as a front-end to iptables, so I let it manage my ipsets, but you can also install ipset's service for use with raw iptables to save and restore the sets across boots.) Your block rule could be as simple as this:

iptables -I INPUT 1 -p tcp --dport netperf -m set --match-set NetPerfAbusers src -m conntrack --ctstate NEW -j DROP
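As an added example (not code from the message above or from the netperfclean project), a small POSIX shell script that turns a blocklist file into an `ipset restore` stream and prints the single block rule, so the set can be reloaded in one shot instead of adding one iptables rule per abuser. The blocklist format (one IPv4 address per line), the 24-hour entry timeout and the sample addresses are constructed assumptions; only the set name NetPerfAbusers and the rule come from the message.

```shell
#!/bin/sh
set -eu
# Added example, not code from the original message or from netperfclean.
# Assumptions: the blocklist is a constructed text file with one IPv4 address
# per line ('#' comments and blank lines allowed); the 24h timeout is an
# illustrative choice; the set name NetPerfAbusers is taken from the message.

SET_NAME=NetPerfAbusers
BAN_SECONDS=86400   # entries expire on their own: short-term bans, no cleanup job

# Print `ipset restore` commands for the addresses listed in file $1.
# Comments, blank lines and anything that is not a dotted quad are dropped and
# duplicates collapsed, so a noisy blocklist still loads cleanly.
build_ipset_restore() {
    blocklist="$1"
    printf 'create %s hash:ip family inet timeout %s\n' "$SET_NAME" "$BAN_SECONDS"
    grep -v '^[[:space:]]*#' "$blocklist" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
        | sort -u \
        | while IFS= read -r ip; do
            printf 'add %s %s\n' "$SET_NAME" "$ip"
        done
}

# The single block rule from the message: drop only NEW connections to
# netperf whose source is currently in the set.
block_rule() {
    printf 'iptables -I INPUT 1 -p tcp --dport netperf -m set --match-set %s src -m conntrack --ctstate NEW -j DROP\n' "$SET_NAME"
}

# Constructed sample blocklist (TEST-NET addresses), embedded so this runs offline.
SAMPLE_BLOCKLIST=$(mktemp)
trap 'rm -f "$SAMPLE_BLOCKLIST"' EXIT
cat > "$SAMPLE_BLOCKLIST" <<'EOF'
# constructed sample blocklist
203.0.113.5
198.51.100.7

not-an-address
203.0.113.5
EOF

# Dry run: print what would be fed to ipset, then the rule to install.
build_ipset_restore "$SAMPLE_BLOCKLIST"
block_rule
# To apply as root:  build_ipset_restore LIST | ipset restore -exist
# then install the rule once (iptables -C with the same match tests whether it is already present).
```

Because the set has a timeout, re-running the script from cron refreshes the bans for addresses still on the list, and stale entries drop out without touching the iptables rule.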