Quico/update-firewall-source
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

docs(xml): Make hitcount example ip(6)tables rules more less cluttered

Browse Source
This commit is contained in:
hygienic-books 2022-07-16 02:23:54 +02:00
parent 62f44939d8
commit c63351da59
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -286,10 +286,10 @@ A custom `[section]` has the following options. We're calling them locals most o
```
UFS generates rules:
```
target prot opt in out source destination
DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995,25,465,587 recent: UPDATE seconds: 60 hit_count: 120 name: anyone-may-access-mail-services side: source mask: 255.255.255.255
tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 143,993,110,995,25,465,587 recent: SET name: anyone-may-access-mail-services side: source mask: 255.255.255.255
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 143,993,110,995,25,465,587 /* anyone-may-access-mail-services */
target
DROP ... multiport dports 143,993,110,995,25,465,587 recent: UPDATE seconds: 60 hit_count: 120 ...
... multiport dports 143,993,110,995,25,465,587 recent: SET ...
ACCEPT ... state NEW multiport dports 143,993,110,995,25,465,587 ...
```
Where the first `DROP` target will drop packets that have exceeded their hit count; the second `recent: SET` simply marks all matching packets to be added into the hitcount bucket and the third on is the actual `ACCEPT` rule permitting access **_if_** a source's hitcount permits it.