[Cerowrt-devel] [Bloat] talking at linux plumbers in portugal next week

Mikael Abrahamsson swmike at swm.pp.se
Tue Sep 3 08:23:56 EDT 2019

On Mon, 2 Sep 2019, Dave Taht wrote:

> with copy-pasted parameters set in the 90s - openwrt's default, last I
> looked, was 25/sec.

-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP

Well, it's got a burst-size of 50. I agree that this is quite 

However, at least in my home we're not seeing drops:

# iptables -nvL | grep -A 4 "Chain syn_flood"
Chain syn_flood (1 references)
  pkts bytes target     prot opt in     out     source               destination
  2296  113K RETURN     tcp  --  *      *              tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
     0     0 DROP       all  --  *      *              /* !fw3 */

But you might be right that in places with a lot more clients then this 
might indeed cause problems.

Mikael Abrahamsson    email: swmike at swm.pp.se

More information about the Cerowrt-devel mailing list