Re: question about ssh

On Thu, 30 Dec 2004, Dario Lesca wrote:

> On Thu, 2004-12-30 at 14:30, Steven Stern wrote:
> > On Thu, 30 Dec 2004 21:19:35 +0800, chi <chi@xxxxxxxxxxxxxxxxxx> wrote:
>
> > I did three things.
> > ...
>
> .. and via iptables?
>
> is it possible to allow only 2 or 3 accesses every 5/10 minutes with
> the --limit-burst option?

you're being kind of vague here.  is it 2 or 3?  is it every 5 or 10
minutes?

once upon a time, i figured out how the whole "--limit" and
"limit-burst" thing worked, and the man page really makes it more
complicated than it has to be.

consider an example involving both of:

	--limit 5/minute
	--limit-burst 10

think of the above as follows:  you start with a bucket (for you
statisticians, that would be "urn") with 10 tokens.  every time you
get an arrival that you're limiting, you pay for it with a token out
of the urn.  5 times per minute (every 12 seconds), a token is dropped
into the bucket for you to regularly replenish your supply.  but the
limit-burst means you are never allowed to hold more than 10 tokens at
a time.

so how does a burst affect this?  if you suddenly get whacked hard
with lots of packets, you have enough tokens to allow the first 10,
after which you reject all the rest except for one every 12 seconds,
when you get a new token in the urn, and you use that new token almost
immediately if you're getting lots of traffic.

only when things slow down do you get the chance to start gradually
building up your stock of tokens in the urn (again, up to a maximum of
10).

rday

p.s.  hmmm ... i just checked the iptables man page and, strangely, it
seems to follow the above explanation a lot more closely than it used
to.  how odd.
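The bucket/urn explanation above, worked through in code. This is an added simulation written for this archive page, not code from the thread or from iptables itself; it models the `limit` match as a token bucket with the exact `--limit 5/minute --limit-burst 10` values from the post (tokens accrue continuously, one per 12 seconds, capped at the burst) and replays a flood, a trickle, and a quiet period so you can see which packets would match. The iptables rule in the comment is only there to show which rule the simulation corresponds to; it is not executed.

```python
"""Token-bucket simulation of the iptables `limit` match.

Models the rule (not run here, shown for reference; the port is an assumption
for an SSH rule like the thread discusses):

    iptables -A INPUT -p tcp --dport 22 --syn \
        -m limit --limit 5/minute --limit-burst 10 -j ACCEPT

Fractions are used instead of floats so that "one token every 12 seconds"
is exact and the 1-token threshold is never missed by rounding.
"""
from fractions import Fraction

# Units the iptables --limit option accepts, in seconds.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str) -> Fraction:
    """Turn a --limit value such as '5/minute' into tokens per second."""
    count, unit = spec.split("/")
    return Fraction(int(count), UNIT_SECONDS[unit])


class TokenBucket:
    """The urn from the post: starts full, refills at `limit`, holds at most `burst`."""

    def __init__(self, limit: str = "5/minute", burst: int = 10):
        self.rate = parse_limit(limit)      # tokens added per second
        self.burst = Fraction(burst)        # --limit-burst: ceiling on stored tokens
        self.tokens = self.burst            # bucket begins full
        self.last = Fraction(0)             # time of the previous arrival

    def allow(self, now) -> bool:
        """Return True if an arrival at time `now` (seconds) is paid for by a token."""
        now = Fraction(now)
        # Replenish what was earned since the last arrival, never above the burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1                # spend a token: the rule matches
            return True
        return False                        # no token: falls through to later rules


def accepted_times(arrivals, limit: str = "5/minute", burst: int = 10):
    """Replay arrival timestamps through one bucket; return the times that matched."""
    bucket = TokenBucket(limit, burst)
    return [t for t in arrivals if bucket.allow(t)]


def flood_then_trickle_then_quiet():
    """Constructed scenario: 15 packets at once, then one per second for a
    minute, then silence until t=300 followed by 12 more packets."""
    arrivals = [0] * 15 + list(range(1, 61)) + [300] * 12
    return accepted_times(arrivals)


if __name__ == "__main__":
    for t in flood_then_trickle_then_quiet():
        print(f"accepted at t={t}s")
```

Reading the output: the first 10 packets at t=0 are accepted, the next 5 are not; during the trickle only the packets at t=12, 24, 36, 48 and 60 get through, exactly one per 12 seconds; after 240 quiet seconds the bucket is back at its ceiling of 10 (not 20), so 10 of the 12 packets at t=300 are accepted. One caveat worth keeping in mind for an SSH rule: the `limit` match keeps a single bucket per rule, not per source address, so a single flooding host spends the tokens for every client; the `hashlimit` match exists for per-source buckets.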

