Bug 29281

Summary: Possible wrong description of --limit option in iptables chapter
Product: [OLD] Docs-user Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: Gentoo Security Guide    Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED    
Severity: normal CC: docs-team
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Fix

Description Sune Kloppenborg Jeppesen 2003-09-21 11:53:38 UTC
I think the description of --limit 1/s option for iptables is wrong. According to my reading 
of man iptables it should mean that only one SYN packet is accepted each second 
regardless of its source? 
 
Mentioned paragraph: 
 
This is where the rate limit becomes handy. It is possible to limit the number of SYN 
packets from a single source but using the <c>-m limit --limit 1/s</c>. This will limit the 
SYN packets to one per source and therefor restricting the SYN flood on our resources.
Comment 1 Sune Kloppenborg Jeppesen 2003-09-21 11:56:15 UTC
Created attachment 18089 [details, diff]
Fix

Possible fix.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2003-09-22 04:51:24 UTC
You're right. The whole idea behind rate-limiting to fight off SYN-floods is to restrict the amount of SYN-packets in general, not sourcebased. Fix approved :)
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2003-09-22 05:06:06 UTC
Committed. Thanks again!
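The point settled in this thread, as an added example that is not part of the bug report, the attached fix or the Gentoo Security Guide: the `limit` match is a single token bucket shared by every packet the rule sees (average rate from `--limit`, up to `--limit-burst` tokens banked, default burst 5), so `-m limit --limit 1/s` caps SYNs globally and a flood from one source starves everyone else. The model below contrasts that with a per-source bucket keyed on the source address, which is what the separate `hashlimit` match (`--hashlimit-mode srcip`, not mentioned on this page) provides. The traffic (one attacker address sending 100 SYNs in a second, one legitimate client sending a single SYN in the middle of it) is constructed for the demonstration, and the addresses are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample addresses for the simulation (not from the bug report).
ATTACKER = "10.0.0.66"
CLIENT = "192.0.2.10"


@dataclass
class TokenBucket:
    """Token bucket as used by the iptables 'limit' match.

    rate  : average packets per second allowed (the --limit argument)
    burst : maximum tokens banked while idle (the --limit-burst argument, default 5)
    Fractions keep the arithmetic exact so the outcome does not depend on float rounding.
    """
    rate: Fraction
    burst: int
    tokens: Optional[Fraction] = None
    last: Fraction = Fraction(0)

    def __post_init__(self) -> None:
        if self.tokens is None:
            self.tokens = Fraction(self.burst)  # bucket starts full

    def allow(self, now) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        now = Fraction(now)
        self.tokens = min(Fraction(self.burst), self.tokens + self.rate * (now - self.last))
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(packets: Iterable[Tuple[Fraction, str]], per_source: bool,
             rate: Fraction = Fraction(1), burst: int = 5) -> Dict[str, int]:
    """Count accepted SYNs per source address.

    per_source=False : one bucket for the whole rule  (-m limit --limit 1/s)
    per_source=True  : one bucket per source address  (-m hashlimit --hashlimit-mode srcip)
    """
    buckets: Dict[str, TokenBucket] = {}
    accepted: Dict[str, int] = defaultdict(int)
    for t, src in sorted(packets):
        key = src if per_source else "*"
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        if bucket.allow(t):
            accepted[src] += 1
    return dict(accepted)


def sample_traffic():
    """Constructed traffic: 100 SYNs from the attacker at 10 ms spacing, one client SYN at t=0.505 s."""
    pkts = [(Fraction(i, 100), ATTACKER) for i in range(100)]
    pkts.append((Fraction(505, 1000), CLIENT))
    return pkts


if __name__ == "__main__":
    for mode in (False, True):
        result = simulate(sample_traffic(), per_source=mode)
        label = "per-source bucket" if mode else "global bucket   "
        print(f"{label}: attacker accepted={result.get(ATTACKER, 0)}, "
              f"client accepted={result.get(CLIENT, 0)}")
```

With the global bucket the attacker drains the burst of 5 within 50 ms and the bucket refills at only one token per second, so the client's lone SYN at 0.505 s finds about half a token and is dropped along with the rest of the flood; with a per-source bucket the attacker is still held to 5 while the client's own full bucket lets its SYN through. That is exactly why the corrected guide text describes the rule as limiting SYNs overall rather than per source.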