From a56e294fa87d663ca67bdb1002d2b75c10e64c78 Mon Sep 17 00:00:00 2001
From: FlavioJS
Date: Fri, 12 Jan 2007 13:51:38 +0000
Subject: - Cleaned up the ip rules/DDoS section of the code. (the allow,deny and deny,allow cases were switched)
- Updated the information about ip rules and DDoS protection in packet_athena.conf and commented out the line "allow: all" so connections are rejected when a DDoS is detected.
git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@9647 54d463be-8e91-2dee-dedb-b68131a5f0ec
---
 conf-tmpl/packet_athena.conf | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)
(limited to 'conf-tmpl/packet_athena.conf')
diff --git a/conf-tmpl/packet_athena.conf b/conf-tmpl/packet_athena.conf
index d654a0e35..22d44c1d1 100644
--- a/conf-tmpl/packet_athena.conf
+++ b/conf-tmpl/packet_athena.conf
@@ -17,40 +17,47 @@ mode_neg: yes
 //----- IP Rules Settings -----
-// Do we check IP's before allowing incoming connections?
+// If IP's are checked when connecting.
+// This also enables DDoS protection.
 enable_ip_rules: yes
-// Decide the order of access restriction (Same as apache?)
-// deny,allow Is the standard
+// Order of the checks
+// deny,allow : Checks deny rules, then allow rules. Allows if no rules match.
+// allow,deny : Checks allow rules, then deny rules. Allows if no rules match.
+// mutual-failure : Allows only if an allow rule matches and no deny rules match.
+// (default is deny,allow)
 order: deny,allow
 // order: allow,deny
 // order: mutual-failture
-// The IP list which it uses to access controls
-// allow : Allows access regardless of permissions
-// deny : Completely disallow
-// Žw’è–³‚µ : If the permission check encounters mutual-failure(whatever that means) it will disallow access
+// IP rules
+// allow : Accepts connections from the ip range (even if flagged as DDoS)
+// deny : Rejects connections from the ip range
+// The rules are processed in order, the first matching rule of each list (allow and deny) is used
 // allow: 127.0.0.1
 // allow: 192.168.0.0/16
 // allow: 10.0.0.0/255.0.0.0
-allow: all
+// allow: all
 // deny: 127.0.0.1
-//---- Ddos Protection Settings ----
-// If there is a connection request within ddos_interval msec for ddos_count number of times, it will assume it is a ddos attack
+//---- DDoS Protection Settings ----
+// If ddos_count connection request are made within ddos_interval msec, it assumes it's a DDoS attack
-// Consecutive intervals(msec)
+// Consecutive attempts interval (msec)
+// (default is 3000 msecs, 3 seconds)
 ddos_interval: 3000
-// Connection frequency
+// Consecutive attempts trigger
+// (default is 10 attemps)
 ddos_count: 5
-// The time interval after which the threat of ddos is assumed to be gone
-// After this amount of time, the ddos restrictions are lifted.
+// The time interval after which the threat of DDoS is assumed to be gone. (msec)
+// After this amount of time, the DDoS restrictions are lifted.
+// (default is 600000 msecs, 10 minutes)
 ddos_autoreset: 600000
-- 
cgit v1.2.3-70-g09d2
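Review bot: The stated default for ddos_count, `// (default is 10 attemps)`, does not match the value the template actually sets on the very next line, `ddos_count: 5`, so an operator cannot tell whether 5 is an intentional tightening or a typo; either the comment or the value should change, and "attemps" should read "attempts" (the new line `// If ddos_count connection request are made ...` has the same number-agreement slip, "requests are made"). The new descriptions for `deny,allow` and `allow,deny` both end with "Allows if no rules match" and never say what happens when an address matches both an allow and a deny rule, which is the only case where the order matters; if the first list checked decides, state it, e.g. `// deny,allow : Checks deny rules, then allow rules; the first matching list decides. Allows if no rules match.`. The commented example `// order: mutual-failture` keeps the misspelling while the new description line spells the mode `mutual-failure`, so uncommenting the example may yield a keyword the parser does not recognize; confirm the accepted spelling and make the example match it.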