It's a shame that the "stateful" firewall can't be used to throttle
connections for all on a per-host basis rather than an all-or-one setup. To
illustrate the problem, I've since created a program that monitors my
maillog and adds a DROP rule for IP addresses that are spamming us...after
only 12 hours, my INPUT chain now has over 3200 ( yes, three thousand two
hundred, it's not a typo ) rules blocking spam sources. If I arbitrarily
throttle connections to port 25, legit e-mail would never get through
because of the volume of spam. .oO( it was nice this morning however to not
have an inbox full of spam )
So before the program, I had 3200+ spam sources dictionary attacking my
server. The system's bandwidth quota was reaching its limits. I
configured sendmail to not bounce the messages so there was some bandwidth
available for the web sites. It's also impressive how many of those IP
addresses reverse mapped to broadband clients ( about 1000 )...one would
think after all these years that people would be running anti-virus and firewalls
on their home systems to prevent such.
If there are any Linux firewall developers out there that see this...here is
one for the wish list. A single rule that can throttle connections to a port
from a source where if one source triggers the rule, it does not affect
another source. So if server X exceeds the throttle limit, server Y is not
affected and can still connect while server X is now being throttled. I
**thought** that was one of the purposes of statefulness in a firewall.
Any advice would be appreciated...thanks
Matt
p.s. 83 more IP addresses were added to my drop list in the time it took to
write this message.
"Matt" <masterr_r@xxxxxxxxx> wrote in message
news:cZ6dnVhyVtfpleTfRVn-1Q@xxxxxxxxxxxxxxxxxx
> I'm looking for a way to limit the incoming connection rate of port 25
> ( smtp ) in order to deliberately backlog spammers. The problem is I can't
> seem to find any information regarding how the -m limit applies to new
> connections. All I seem to be able to find is information regarding how the
> limit applies to packets that match a given rule.
>
> Here is what I would like to be able to do. Limit the connection rate of
> any given source to 1/minute. This would definitely backlog incoming spam
> but from what I understand, if I'm getting hammered by a spammer, legit
> e-mail from others would also be locked out. So I basically need a rule
> that will limit the connection rate from a given source. The source is
> unknown as we all know spammers jump relays as often as you can blacklist
> them. The ability to throttle their ability to spam our system would free
> up tons of bandwidth and maybe discourage some from sending it to us.
>
> How would I get something like this to work?
>