On Jun 8, 2012, at 1:11 PM, Stephane Bortzmeyer wrote:
> On Fri, Jun 08, 2012 at 12:56:23PM -0700, Owen DeLong <owen@delong.com> wrote a message of 28 lines which said:
>
>> IPv6 should be a simple matter of putting the same line in your ip6tables file.
>
> My experience with attack mitigation is that tools do not always work as advertised and sometimes do bad things (such as crashing the machine). So, I agree, it "should be a simple matter" but I prefer to test first.
I'm using a much simpler rule:

    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT

(v4 and v6 identical rules) and it seems to be working so far. YMMV.
> [For instance, my IPv4 rule required a maximum of 2^28 buckets in memory while an IPv6 rule with --hashlimit-srcmask 64 would require a maximum of 2^64 buckets... What will be the effect on the system memory?]
True, but if you leave 28 in place, it will only require 2^28 buckets for IPv6 as well. You might want to bump up the allowed qps since there can be quite a few more hosts per /28, but otherwise it should still be reasonably feasible.

Owen
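As an added illustration (not code from either poster), the Python below models how hashlimit keys its per-source buckets on --hashlimit-srcmask and caps the number of live entries with --hashlimit-htable-max: a /28 mask lumps unrelated IPv6 sources into one bucket, a /64 mask keeps them apart, and a full table means the module cannot allocate an entry and drops the packet. The 30/minute rate is taken from the thread; the burst is reduced from 90 to 3, the table cap is an assumed value, and the traffic is constructed from documentation prefixes.

```python
import ipaddress

PER_MINUTE = 30   # --hashlimit-upto 30/minute, as in the thread
BURST = 3         # --hashlimit-burst, reduced from 90 to keep the trace short


class HashLimit:
    """Token-bucket model of xt_hashlimit in --hashlimit-mode srcip.

    Buckets are keyed on the source address truncated to srcmask bits
    (separately for v4 and v6); htable_max models --hashlimit-htable-max.
    """

    def __init__(self, per_minute=PER_MINUTE, burst=BURST,
                 srcmask4=28, srcmask6=28, htable_max=8):
        self.rate = per_minute / 60.0          # tokens refilled per second
        self.burst = burst
        self.mask = {4: srcmask4, 6: srcmask6}
        self.htable_max = htable_max           # assumed cap for the demo
        self.table = {}                        # key -> [tokens, last_seen]

    def key(self, src):
        ip = ipaddress.ip_address(src)
        bits = self.mask[ip.version]
        # keep only the top `bits` bits of the address, like --hashlimit-srcmask
        return (ip.version, int(ip) >> (ip.max_prefixlen - bits))

    def packet(self, src, t):
        k = self.key(src)
        b = self.table.get(k)
        if b is None:
            if len(self.table) >= self.htable_max:
                return "DROP"   # table full: no entry can be allocated, packet dropped
            b = self.table[k] = [self.burst, t]
        b[0] = min(self.burst, b[0] + (t - b[1]) * self.rate)
        b[1] = t
        if b[0] >= 1:
            b[0] -= 1
            return "ACCEPT"
        return "OVER"           # rate exceeded: rule does not match, -j ACCEPT not taken


def trace(hl, events):
    return [hl.packet(src, t) for src, t in events]


# Constructed sample traffic: (source, arrival time in seconds)
SAME_28_DIFFERENT_64 = [("2001:db8::1", 0), ("2001:db8::1", 0),
                        ("2001:db8::1", 0), ("2001:dbf::1", 0)]
MANY_PREFIXES = [("2001:db8:1::1", 0), ("2001:db8:2::1", 0), ("2001:db8:3::1", 0)]

if __name__ == "__main__":
    print(trace(HashLimit(srcmask6=28), SAME_28_DIFFERENT_64))
    print(trace(HashLimit(srcmask6=64), SAME_28_DIFFERENT_64))
    print(trace(HashLimit(srcmask6=64, htable_max=2), MANY_PREFIXES))
```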