- Cleaned up the ip rules/DDoS section of the code. (the allow,deny and deny,allow cases were switched)

- Updated the information about ip rules and DDoS protection in packet_athena.conf and commented out the line "allow: all" so connections are rejected when a DDoS is detected.

git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@9647 54d463be-8e91-2dee-dedb-b68131a5f0ec

2 files changed, 25 insertions, 14 deletions

diff --git a/conf-tmpl/Changelog.txt b/conf-tmpl/Changelog.txt
index fc194dca4..a78ae35fd 100644
--- a/conf-tmpl/Changelog.txt
+++ b/conf-tmpl/Changelog.txt
@@ -1,5 +1,9 @@
 Date	Added
 
+2007/01/12
+	* Updated the information about ip rules and DDoS protection in 
+	  packet_athena.conf and commented out the line "allow: all" so 
+	  connections are rejected when a DDoS is detected. [FlavioJS]
 2007/01/08
 	* Added the console plugin to plugin_athena.conf commented out. [FlavioJS]
 2007/01/05
diff --git a/conf-tmpl/packet_athena.conf b/conf-tmpl/packet_athena.conf
index d654a0e35..22d44c1d1 100644
--- a/conf-tmpl/packet_athena.conf
+++ b/conf-tmpl/packet_athena.conf
@@ -17,40 +17,47 @@ mode_neg: yes
 
 //----- IP Rules Settings -----
 
-// Do we check IP's before allowing incoming connections?
+// If IP's are checked when connecting.
+// This also enables DDoS protection.
 enable_ip_rules: yes
 
-// Decide the order of access restriction (Same as apache?)
-// deny,allow Is the standard
+// Order of the checks
+//   deny,allow     : Checks deny rules, then allow rules. Allows if no rules match.
+//   allow,deny     : Checks allow rules, then deny rules. Allows if no rules match.
+//   mutual-failure : Allows only if an allow rule matches and no deny rules match.
+// (default is deny,allow)
 
 order: deny,allow
 // order: allow,deny
 // order: mutual-failture
 
-// The IP list which it uses to access controls
-//   allow    : Allows access regardless of permissions
-//   deny     : Completely disallow
-//   Žw’è–³‚µ : If the permission check encounters mutual-failure(whatever that means) it will disallow access
+// IP rules
+//   allow : Accepts connections from the ip range (even if flagged as DDoS)
+//   deny  : Rejects connections from the ip range
+// The rules are processed in order, the first matching rule of each list (allow and deny) is used
 
 // allow: 127.0.0.1
 // allow: 192.168.0.0/16
 // allow: 10.0.0.0/255.0.0.0
-allow: all
+// allow: all
 
 // deny: 127.0.0.1
 
 
-//---- Ddos Protection Settings ----
-//     If there is a connection request within ddos_interval msec for ddos_count number of times, it will assume it is a ddos attack
+//---- DDoS Protection Settings ----
+// If ddos_count connection request are made within ddos_interval msec, it assumes it's a DDoS attack
 
-// Consecutive intervals(msec)
+// Consecutive attempts interval (msec)
+// (default is 3000 msecs, 3 seconds)
 ddos_interval: 3000
 
-// Connection frequency
+// Consecutive attempts trigger
+// (default is 10 attemps)
 ddos_count: 5
 
-// The time interval after which the threat of ddos is assumed to be gone
-// After this amount of time, the ddos restrictions are lifted.
+// The time interval after which the threat of DDoS is assumed to be gone. (msec)
+// After this amount of time, the DDoS restrictions are lifted.
+// (default is 600000 msecs, 10 minutes)
 ddos_autoreset: 600000