Diffstat (limited to 'conf-tmpl')
-rw-r--r--conf-tmpl/Changelog.txt4
-rw-r--r--conf-tmpl/packet_athena.conf35
2 files changed, 25 insertions, 14 deletions
diff --git a/conf-tmpl/Changelog.txt b/conf-tmpl/Changelog.txt
index fc194dca4..a78ae35fd 100644
--- a/conf-tmpl/Changelog.txt
+++ b/conf-tmpl/Changelog.txt
@@ -1,5 +1,9 @@
Date Added
+2007/01/12
+ * Updated the information about ip rules and DDoS protection in
+ packet_athena.conf and commented out the line "allow: all" so
+ connections are rejected when a DDoS is detected. [FlavioJS]
2007/01/08
* Added the console plugin to plugin_athena.conf commented out. [FlavioJS]
2007/01/05
diff --git a/conf-tmpl/packet_athena.conf b/conf-tmpl/packet_athena.conf
index d654a0e35..22d44c1d1 100644
--- a/conf-tmpl/packet_athena.conf
+++ b/conf-tmpl/packet_athena.conf
@@ -17,40 +17,47 @@ mode_neg: yes
//----- IP Rules Settings -----
-// Do we check IP's before allowing incoming connections?
+// If IP's are checked when connecting.
+// This also enables DDoS protection.
enable_ip_rules: yes
-// Decide the order of access restriction (Same as apache?)
-// deny,allow Is the standard
+// Order of the checks
+// deny,allow : Checks deny rules, then allow rules. Allows if no rules match.
+// allow,deny : Checks allow rules, then deny rules. Allows if no rules match.
+// mutual-failure : Allows only if an allow rule matches and no deny rules match.
+// (default is deny,allow)
order: deny,allow
// order: allow,deny
// order: mutual-failture
-// The IP list which it uses to access controls
-// allow : Allows access regardless of permissions
-// deny : Completely disallow
-// Žw’è–³‚µ : If the permission check encounters mutual-failure(whatever that means) it will disallow access
+// IP rules
+// allow : Accepts connections from the ip range (even if flagged as DDoS)
+// deny : Rejects connections from the ip range
+// The rules are processed in order, the first matching rule of each list (allow and deny) is used
// allow: 127.0.0.1
// allow: 192.168.0.0/16
// allow: 10.0.0.0/255.0.0.0
-allow: all
+// allow: all
// deny: 127.0.0.1
-//---- Ddos Protection Settings ----
-// If there is a connection request within ddos_interval msec for ddos_count number of times, it will assume it is a ddos attack
+//---- DDoS Protection Settings ----
+// If ddos_count connection request are made within ddos_interval msec, it assumes it's a DDoS attack
-// Consecutive intervals(msec)
+// Consecutive attempts interval (msec)
+// (default is 3000 msecs, 3 seconds)
ddos_interval: 3000
-// Connection frequency
+// Consecutive attempts trigger
+// (default is 10 attemps)
ddos_count: 5
-// The time interval after which the threat of ddos is assumed to be gone
-// After this amount of time, the ddos restrictions are lifted.
+// The time interval after which the threat of DDoS is assumed to be gone. (msec)
+// After this amount of time, the DDoS restrictions are lifted.
+// (default is 600000 msecs, 10 minutes)
ddos_autoreset: 600000
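Review bot: The new comment `// (default is 10 attemps)` disagrees with the value set on the very next line, `ddos_count: 5`; either the documented default is wrong or the template deliberately ships a stricter trigger than the built-in default, and a reader cannot tell which from this file. If the shipped value is intended I would change the comment to `// (default is 10 attempts, this template uses 5)`, otherwise set `ddos_count: 10` to match, and fix the typo either way. Since `allow: all` is now commented out, a source that trips the ddos_count/ddos_interval threshold is actually rejected rather than let through, so a low trigger presumably affects every client sharing one address (NAT, proxies) — worth one sentence next to `ddos_count` saying that lowering it trades DDoS sensitivity for false positives on shared addresses. Separately, the new explanation spells the third order `mutual-failure`, while the unchanged example line `// order: mutual-failture` still carries the old typo that anyone uncommenting it would copy.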