On Jun 8, 2012, at 1:11 PM, Stephane Bortzmeyer wrote:

> On Fri, Jun 08, 2012 at 12:56:23PM -0700,
> Owen DeLong <o...@delong.com> wrote
> a message of 28 lines which said:
>
>> IPv6 should be a simple matter of putting the same line in your
>> ip6tables file.
>
> My experience with attack mitigation is that tools do not always work
> as advertised and sometimes do bad things (such as crashing the
> machine). So, I agree, it "should be a simple matter" but I prefer to
> test first.
>

I'm using a much simpler:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT

(v4 and v6 identical rules) and it seems to be working so far. YMMV.

> [For instance, my IPv4 rule required a maximum of 2^28 buckets in
> memory while an IPv6 rule with --hashlimit-srcmask 64 would require a
> maximum of 2^64 buckets... What will be the effect on the system
> memory?]
>

True, but if you leave 28 in place, it will only require 2^28 buckets for IPv6 as well. You might want to bump up the allowed qps since there can be quite a few more hosts per /28, but otherwise it should still be reasonably feasible.

Owen