Marcus Meissner wrote:
On Thu, Apr 04, 2013 at 05:39:53PM +0200, Per Jessen wrote:
Togan Muftuoglu wrote:
On 04/04/2013 03:49 PM, Per Jessen wrote:
Here is what I used to have:
## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --set
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SIP attack: '
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j DROP
I don't currently have any external SIP users, but I'm pretty certain the above also gave legitimate users a problem. I'm wondering if it is because the firewall needs to look into the SIP packet to be able to determine what it is.
In addition I have FW_EXT_UDP=10000:20000 since my rtf.conf is
rtpstart=10000
rtpend=20000
Yes, I also have those open
# SIP traffic
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -j ACCEPT
Well if you do this, they are of course not hitting the RECENT matcher.
No, my SIP flood protect rules are placed before that accept-rule.
--
Per Jessen, Zürich (8.1°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
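Added example, not part of the original thread: a small Python model of how the three `-m recent` rules quoted above count packets per source, run against a constructed list of inbound port-5060 packets from one client. The class and function names, the address, the timings and the SIP message sequence are assumptions made for illustration; only the `--set` and `--update --seconds 60 --hitcount 6` behaviour is modelled.

```python
from collections import defaultdict


class RecentList:
    """Simplified model of one xt_recent list (the post's 'sipattack').
    Keeps every timestamp; the kernel keeps only a bounded number per source."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: record this packet's arrival time; the rule always matches
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when at least N recorded
        # packets fall within the last S seconds; a match records a new stamp
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def run_chain(packets, seconds=60, hitcount=6):
    """Run (time, src, label) packets through the three rules from the post."""
    recent, verdicts = RecentList(), []
    for now, src, label in packets:
        recent.set(src, now)                                  # rule 1: --set
        recent.update(src, now, seconds, hitcount)            # rule 2: -j LOG, continues
        dropped = recent.update(src, now, seconds, hitcount)  # rule 3: -j DROP
        verdicts.append((label, "DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed sample: inbound port-5060 packets from one legitimate client
# (documentation address) that registers and places one authenticated call.
LEGIT_CALL = [
    (0.0, "192.0.2.10", "REGISTER"),
    (0.2, "192.0.2.10", "REGISTER (with auth)"),
    (5.0, "192.0.2.10", "INVITE"),
    (5.2, "192.0.2.10", "ACK (to 407)"),
    (5.3, "192.0.2.10", "INVITE (with auth)"),
    (9.0, "192.0.2.10", "ACK (to 200 OK)"),
    (40.0, "192.0.2.10", "BYE"),
]

if __name__ == "__main__":
    for label, verdict in run_chain(LEGIT_CALL):
        print(f"{verdict:6}  {label}")
```

With this constructed sequence, the sixth packet inside 60 seconds (the final ACK) and the later BYE are dropped, while a source sending one packet every 15 seconds never reaches the hit count.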