iptables

Corey Edwards tensai at zmonkey.org
Thu Oct 21 14:42:41 MDT 2010


On 10/21/2010 08:58 AM, Wade Preston Shearer wrote:
> (sorry for the top post with no trim, I'm on a web client)
> 
> Would you recommend not rate-limiting ping? It's there because it
> was recommended to me if I remember correctly, not because I felt
> like it should be.

The risk you run is if somebody does flood you with ICMP packets, you
might overflow your state table. Defeats the point somewhat. But unless
you've got lots of bandwidth, the DDoS is likely to kill you anyway so
it might be a moot point. As Stuart said, that's a question you have to
answer yourself.

I have seen, on one occasion, an ICMP rate-limiting rule cause all
sorts of havoc with my monitoring systems because the replies were getting
delayed and/or dropped. Bad stuff.

Corey
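The monitoring failure Corey describes follows from how the rule is usually written. In iptables, `-m limit --limit 5/sec --limit-burst 10` is one token bucket shared by every source, so a flood from one host drains the bucket and the monitoring host's once-a-second echo requests (or the replies, if the rule is on the return path) fall into the same drops; `-m hashlimit --hashlimit-upto 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name icmp` keeps a bucket per source address, so the flooder only starves itself. The script below is an added example, not code from this thread or from the PLUG list: it models the average-rate-plus-burst semantics of those matches and runs both policies over a constructed trace (a monitor at the assumed address 10.0.0.5 pinging once a second, a flood from the assumed address 198.51.100.7 at 200 packets per second for four seconds). It is a model of the match behaviour, not the kernel's implementation, and it does not touch the state table; the conntrack exhaustion risk in the first paragraph is a separate matter.

```python
"""Model of netfilter's 'limit' match (one shared token bucket) versus a
per-source bucket in the style of 'hashlimit --hashlimit-mode srcip'.
Added example for the PLUG thread; addresses and traffic are constructed."""
from collections import defaultdict
from fractions import Fraction

MONITOR_IP = "10.0.0.5"       # assumed monitoring host: one echo request per second
ATTACKER_IP = "198.51.100.7"  # assumed flood source (TEST-NET-2 documentation range)


class TokenBucket:
    """Average rate plus burst, the semantics of -m limit / -m hashlimit.
    Exact Fraction arithmetic keeps the counts below deterministic."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)   # bucket starts full
        self.last = Fraction(0)

    def allow(self, now):
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def make_trace(duration=10, flood_pps=200, flood_start=3, flood_end=7):
    """Constructed echo-request trace as (timestamp, source ip), time-sorted.
    The monitor pings at s+0.5 each second; the attacker sends flood_pps
    evenly spaced packets per second for seconds [flood_start, flood_end)."""
    pkts = []
    for s in range(duration):
        pkts.append((Fraction(2 * s + 1, 2), MONITOR_IP))
        if flood_start <= s < flood_end:
            for i in range(flood_pps):
                pkts.append((Fraction(s) + Fraction(i, flood_pps), ATTACKER_IP))
    pkts.sort()
    return pkts


def run(trace, rate=5, burst=10, per_source=False):
    """Apply one rate-limit policy to the trace.
    per_source=False: one bucket for all sources, like -m limit.
    per_source=True:  one bucket per source address, like hashlimit srcip.
    Returns {src_ip: (accepted, dropped)}."""
    shared = TokenBucket(rate, burst)
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: [0, 0])
    for now, src in trace:
        bucket = buckets[src] if per_source else shared
        stats[src][0 if bucket.allow(now) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


if __name__ == "__main__":
    trace = make_trace()
    for label, per_source in (("global -m limit", False),
                              ("per-source hashlimit", True)):
        print(f"{label}:")
        for ip, (ok, dropped) in run(trace, per_source=per_source).items():
            print(f"  {ip:15} accepted={ok:4} dropped={dropped:4}")
```

With the global bucket the monitor loses four of its ten probes, one in every second the flood is running, while the flooder gets the same 29 packets through in either policy; with the per-source bucket the monitor is untouched. Note that the per-source variant protects the monitor but not the conntrack table, since every arriving packet is still tracked before the rate-limit decision drops it.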

