Secure Computing SG570 Uživatelský manuál Strana 310

  • Stažení
  • Přidat do mých příruček
  • Tisk
  • Strana
    / 341
  • Tabulka s obsahem
  • ŘEŠENÍ PROBLÉMŮ
  • KNIHY
  • Hodnocené. / 5. Na základě hodnocení zákazníků
Zobrazit stránku 309
If we just wanted to look at traffic that went out to the IPSec world, we could use:
iptables -I FORWARD -j LOG -o IPSec+
Clearly there are many more combinations possible.
It is therefore possible to write rules that log inbound and outbound traffic, or to construct
several rules that differentiate between the two.
Rate Limiting
iptables has the facility for rate-limiting the log messages that are generated, in order to
avoid denial of service issues arising out of logging these access attempts. To achieve
this, use the following option:
--limit rate
rate is the maximum average matching rate, specified as a number with an
optional /second, /minute, /hour, or /day suffix. The default is 3/hour.
--limit-burst number
number is the maximum initial number of packets to match. This number gets
recharged by one every time the limit specified above is not reached, up to this
number. The default is 5.
iptables has many more options. Perform a web search for manpage iptables to find the
relevant documentation.
The LOG rules configured by default (e.g. Default Deny:) are all limited to:
--limit 3/hour --limit-burst 5
304
Appendix B – System Log
Zobrazit stránku 309
1 2 ... 305 306 307 308 309 310 311 312 313 314 315 ... 340 341

Komentáře k této Příručce

Žádné komentáře