[Cerowrt-devel] [Bloat] talking at linux plumbers in portugal next week
Mikael Abrahamsson
swmike at swm.pp.se
Tue Sep 3 08:23:56 EDT 2019
On Mon, 2 Sep 2019, Dave Taht wrote:
> with copy-pasted parameters set in the 90s - openwrt's default, last I
> looked, was 25/sec.
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
Well, it's got a burst-size of 50. I agree that this is quite
conservative.
However, at least in my home we're not seeing drops:
# iptables -nvL | grep -A 4 "Chain syn_flood"
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
2296 113K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
But you might be right that in places with a lot more clients than this
might indeed cause problems.
--
Mikael Abrahamsson email: swmike at swm.pp.se
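To make the "burst of 50, then 25/sec" behaviour concrete, here is a small model of the iptables `limit` match that the syn_flood chain quoted above relies on, together with a parser for the `iptables -nvL` counters so the RETURN/DROP split can be checked on a live router. This is an added example for the thread, not code from the thread, from OpenWrt or from fw3. It assumes xt_limit token-bucket semantics (a bucket of at most `burst` tokens, refilled at `rate` tokens per second, one token per matching SYN, an empty bucket means the SYN falls through to the DROP rule); the "page load" workload it feeds in is constructed for illustration, not measured traffic.

```python
"""Token-bucket model of the iptables ``limit`` match behind OpenWrt's
syn_flood chain, plus a parser for the ``iptables -nvL`` chain counters.

Added example for the thread; not code from OpenWrt or fw3.
Assumption: xt_limit behaves as a token bucket holding at most ``burst``
tokens, refilled at ``rate`` tokens/second, one token per matching SYN.
Time is kept in integer milliseconds and tokens in integer milli-tokens so
the simulation is deterministic (no float drift at the bucket boundary).
"""
import re

MILLI = 1000  # one token == 1000 milli-tokens


class SynFloodLimit:
    """Models ``-m limit --limit <rate>/sec --limit-burst <burst>``."""

    def __init__(self, rate=25, burst=50):
        self.rate = rate            # tokens per second == milli-tokens per ms
        self.cap = burst * MILLI    # bucket never holds more than the burst
        self.tokens = self.cap      # bucket starts full
        self.last_ms = 0

    def accept(self, now_ms):
        """True if a SYN at now_ms passes the limit rule (RETURN), else False (DROP)."""
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= MILLI:
            self.tokens -= MILLI
            return True
        return False


def simulate(syn_times_ms, rate=25, burst=50):
    """Feed SYN arrival times (ms) through the limit; return (passed, dropped)."""
    lim = SynFloodLimit(rate, burst)
    passed = dropped = 0
    for t in sorted(syn_times_ms):
        if lim.accept(t):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def page_load_burst(n_clients, conns_per_client=6, spread_ms=100):
    """Constructed workload (an assumption, not a measurement): each of
    n_clients opens conns_per_client connections 1 ms apart, with client
    start times staggered evenly across spread_ms."""
    times = []
    for c in range(n_clients):
        start = spread_ms * c // n_clients
        times.extend(start + i for i in range(conns_per_client))
    return times


# pkts column, bytes column, then the target of the rule
SYN_FLOOD_RULE = re.compile(r"^\s*(\d+)\s+\S+\s+(RETURN|DROP)\b")


def syn_flood_counters(iptables_nvl):
    """Parse ``iptables -nvL`` text; return {'RETURN': pkts, 'DROP': pkts}
    for the syn_flood chain only (other chains are skipped)."""
    counters = {}
    in_chain = False
    for line in iptables_nvl.splitlines():
        if line.startswith("Chain "):
            in_chain = line.startswith("Chain syn_flood")
            continue
        if not in_chain:
            continue
        m = SYN_FLOOD_RULE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def drop_ratio(iptables_nvl):
    """Fraction of SYNs that hit the DROP rule; 0.0 when nothing was counted."""
    c = syn_flood_counters(iptables_nvl)
    total = c.get("RETURN", 0) + c.get("DROP", 0)
    return c.get("DROP", 0) / total if total else 0.0


# Constructed sample, same shape as the counters quoted in the message above.
SAMPLE_NVL = """\
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
"""

if __name__ == "__main__":
    for n in (5, 20):
        p, d = simulate(page_load_burst(n))
        print(f"{n} clients, 25/sec burst 50: passed={p} dropped={d}")
    p, d = simulate(page_load_burst(20), burst=200)
    print(f"20 clients, 25/sec burst 200: passed={p} dropped={d}")
    print(f"drop ratio from sample counters: {drop_ratio(SAMPLE_NVL):.3f}")
```

With the default 25/sec, burst 50, five clients opening six connections each inside 100 ms all get through, while twenty clients doing the same see more than half of their SYNs dropped, because the 100 ms window only refills 2.5 tokens on top of the initial 50. Raising only the burst to 200 lets the same 120 SYNs through untouched, which is the knob to look at first when a busy site shows non-zero DROP counters in `iptables -nvL` for this chain (in fw3 these are the synflood_rate and synflood_burst options of the defaults section in /etc/config/firewall).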