Well the EXTRA Tab anyway
In true beginner fashion I am exploring where I should not go...
Specifically I am trying to fathom the settings on the EXTRA tab for FILTER RULES.
To illustrate answers, let's look at a simple case of filtering ALL ports on the input side...
Where, if the rule is triggered, the offending IP address is captured to an address list!
1. Do the Extra parameters interact or have dependencies or are they all independently acting?
2. Connections: The physical number is easy, but what is netmask doing there as an option??
3. Limit: What is the difference between a setting of ONE "1" per second, versus ZERO "0" per second?
4. Is there a relationship between the number of connections parameter and the Limit?
For example if I have 100 connections and a limit of 1 per second, does the rule trigger if there are 100 connections or greater in 100 seconds?
If so, then if I have 100 connections and a limit of 2 per second, does the rule trigger if there are 100 connections or greater in 30 seconds?
5. How does burst figure in the Limit rule (default is 5)?
For example, does it mean that bursts are allowed but if it's greater than 5 per second then trigger the rule?
6. PSD, this is a strange one, looks like another type of connections plus limit but applied via a relative weighting scheme that really looks at short bits of time...
From my understanding the default settings of 21, 3sec, 3, 1 means the following:
Set an arbitrary threshold value of 21 (means nothing as it's all relative).
Set a time period for which this parameter would be assessed (measure contiguous time periods) in this case every 3 seconds.
Set an arbitrary value to any low port that is included in the rule and in this case 3 (assumes low ports are scanned more than high ports).
Set an arbitrary value to any high port that is included in the rule and in this case 1.
Thus if within a 3 second block the value of all ports hit by this rule exceeds 21, then capture the IP.
7. What is the relationship between the Limit parameters and the PSD parameters? In other words, does the rule trigger for an either OR case or a both AND case?
Thanks in advance!!
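
The weighting scheme asked about in item 6, as an added Python model that is not part of the original post and is not RouterOS code. It assumes that "low" means ports below 1024, that the 3 seconds is the maximum gap between packets to different ports before the count restarts, and that the rule matches once the weight reaches the threshold; the class and parameter names are hypothetical.

```python
from dataclasses import dataclass, field

LOW_PORT_LIMIT = 1024  # assumption: ports below 1024 are "low" ports

@dataclass
class SourceState:
    last_seen: float
    weight: int = 0
    ports: set = field(default_factory=set)

class PsdModel:
    """Simplified model of a weighted port-scan detector (not RouterOS code)."""
    def __init__(self, threshold=21, delay=3.0, low_weight=3, high_weight=1):
        self.threshold, self.delay = threshold, delay
        self.low_weight, self.high_weight = low_weight, high_weight
        self.sources = {}
        self.address_list = set()  # stands in for the rule's address list

    def packet(self, ts, src, dst_port):
        """Feed one packet; return True once src counts as a scanner."""
        state = self.sources.get(src)
        # Assumption: a gap longer than the delay restarts the count.
        if state is None or ts - state.last_seen > self.delay:
            state = self.sources[src] = SourceState(last_seen=ts)
        if dst_port not in state.ports:  # repeated ports add no weight
            state.ports.add(dst_port)
            state.last_seen = ts
            low = dst_port < LOW_PORT_LIMIT
            state.weight += self.low_weight if low else self.high_weight
        if state.weight >= self.threshold:  # assumption: >=, not >
            self.address_list.add(src)
            return True
        return False

def run(packets, **settings):
    """Replay (seconds, source IP, destination port) tuples in time order."""
    model = PsdModel(**settings)
    for ts, src, port in sorted(packets):
        model.packet(ts, src, port)
    return model.address_list

# Constructed sample traffic, not captured data.
LOW_PORTS = [21, 22, 23, 25, 80, 110, 143]
SAMPLE = (
    [(i * 0.2, "198.51.100.7", p) for i, p in enumerate(LOW_PORTS)]  # fast, low ports
    + [(i * 0.2, "203.0.113.9", 8000 + i) for i in range(10)]        # fast, high ports
    + [(i * 5.0, "192.0.2.5", p) for i, p in enumerate(LOW_PORTS)]   # slow, low ports
    + [(i * 0.1, "192.0.2.44", 443) for i in range(100)]             # one port, repeated
)
```

With the 21, 3sec, 3, 1 settings only the source that touches seven low ports in quick succession lands in the address list; the slow sweep, the ten high ports and the repeated hits on a single port all stay below the threshold.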