Date: Thu, 13 Nov 2008 16:38:52 -0800
From: Julian Elischer <julian@elischer.org>
To: "Son, Yeongsik" <ienfant@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: change specific linux iptables rule set to ipfw rule set
Message-ID: <491CC89C.2040702@elischer.org>
In-Reply-To: <8db0c7c40811131452v70d2c2fds672384a42da5c5@mail.gmail.com>
References: <8db0c7c40811131452v70d2c2fds672384a42da5c5@mail.gmail.com>
Son, Yeongsik wrote:
> One of our Linux servers contains a rule set like this:
>
> iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j DROP
> iptables -A INPUT -m recent --name KIN --rcheck --seconds 300 -j DROP
> iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -m recent --name KIN --set -j DROP
>
> Simply put, this means:
> drop an IP that tries to open more than 20 connections to TCP port 80;
> when that happens, drop the IP for 5 minutes.
>
> iptables -A INPUT -p udp --dport 53 -m length --length 512:65535 -j DROP
>
> Briefly:
> drop an IP that sends to UDP port 53 packets whose length is 512 to 65535.
>
> I want to use those rules on FreeBSD servers, but I don't know of those kinds of
> sophisticated functions in ipfw.
>
> Is that possible on FreeBSD?

Not in ipfw, but I think pf can do that.
Some people may have done that with ipfw using an external agent, but I don't know who/how.

> Please share your knowledge.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
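As an added illustration of the pf approach Julian points to (this fragment is not from the thread), the connlimit/recent part of the iptables set maps onto a pf.conf state limit with an overload table; the interface macro $ext_if and the table name <kin> are assumptions, and the UDP length rule is not covered here.

```conf
# Added example, not from the original thread: pf.conf fragment approximating
# the iptables connlimit + recent rules.  $ext_if and <kin> are assumed names.
ext_if = "em0"

# Penalty table for sources that exceeded the limit; 'persist' keeps the
# table defined even while it is empty.
table <kin> persist

# Drop everything from addresses currently in the penalty table
# (the equivalent of the 'recent --name KIN --rcheck' rule).
block in quick on $ext_if from <kin>

# Allow new HTTP connections but track state per source address:
#   max-src-conn 20  -> at most 20 simultaneous connections from one source
#   overload <kin>   -> a source exceeding that is added to the <kin> table
#   flush global     -> its existing states on every rule are killed as well
pass in on $ext_if proto tcp to ($ext_if) port 80 flags S/SA keep state \
    (max-src-conn 20, overload <kin> flush global)
```

pf does not age table entries on its own, so the 5-minute ban is completed by running `pfctl -t kin -T expire 300` periodically (for example from cron), which removes entries older than 300 seconds.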
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?491CC89C.2040702>