[ratelimits] Logging category

Phil Mayers p.mayers at imperial.ac.uk
Thu May 9 15:51:38 UTC 2013


On 09/05/13 15:22, Vernon Schryver wrote:

> If the external scripting language cannot ignore irrelevant data
> at speed, then for my own systems I'd try `sed`, `grep`, or `awk`
> before trying to get BIND modified.

I'm not trying to get it modified; I'm trying to determine whether I 
need to do my own filtering or not, or whether the long-term plan was to 
have their own logging category.

> "Always" is a long time, but I don't understand why the "rate-limit"
> log category does not already fit the need for helping that external
> scripting language generate the iptables changes.  What about the
> notices about the start of rate limiting actions in the "rate-limit"
> category?

That seems to log the source IP after the mask has been applied, as 
opposed to the actual triggering IP. Entirely logical of course, given 
the way RRL works, but not quite what I'm looking for.

> I probably don't understand the problem.  The description
> suggests the external script solves any overload problem as it installs
> firewall rules.  The DNS requests in a DNS reflection attack often
> come from many sources but appear at the DNS server to come from a
> single source, the intended target of the attack.  Don't the entries
> in the "queries" category disappear when the iptable rule is added?

The RRL entries, yes. The background query logging, obviously not. 
Essentially I'm trying to avoid processing the query logging, and only 
see the RRL logging. I'll stick a filter in the pipe and use that.

Thanks for the reply, and for the work on RRL.

Cheers,
Phil
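As an added example (not from the thread or from BIND itself), the kind of pipe filter discussed above: it keeps only lines from the `rate-limit` category, discards the background query logging, and pulls out the masked network each entry refers to. It assumes a logging channel with `print-time yes; print-category yes; print-severity yes;` and an approximation of RRL's message wording; both are assumptions, and the sample lines are constructed.

```python
import re
import sys
from typing import Dict, Iterable, List, Optional

# Assumed line layout for a channel with print-time/print-category/print-severity on.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$")

# Approximation of the rate-limit message wording (assumption; adjust against real logs).
# "net" is the prefix after the RRL mask has been applied, as noted in the thread.
RRL_RE = re.compile(
    r"client (?P<client>[^#\s]+)#\d+ \([^)]*\): "
    r"(?P<action>.+?) to (?P<net>[0-9a-fA-F.:]+/\d+)"
    r"(?: for (?P<qname>\S+) IN (?P<qtype>\S+))?"
)


def parse_rrl(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a rate-limit category line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m.group("category") != "rate-limit":
        return None  # queries, security, ... are dropped here
    r = RRL_RE.search(m.group("msg"))
    if not r:
        return None  # unexpected wording: drop rather than guess
    fields = {k: v for k, v in r.groupdict().items() if v is not None}
    fields["ts"] = m.group("ts")
    # "limit ..." / "stop limiting ..." mark the start and end of a limiting episode;
    # "rate limit drop/slip ..." lines are per-response and arrive at query rate.
    action = fields["action"]
    fields["event"] = "start" if action.startswith("limit") else (
        "stop" if action.startswith("stop") else "response")
    return fields


def filter_rrl(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only the rate-limit entries from a mixed BIND log stream."""
    return [f for f in map(parse_rrl, lines) if f]


# Constructed sample: one query-log line interleaved with rate-limit lines.
SAMPLE = """\
09-May-2013 15:22:01.001 queries: info: client 203.0.113.7#5300 (example.net): query: example.net IN ANY -E (198.51.100.1)
09-May-2013 15:22:01.002 rate-limit: info: client 203.0.113.7#5300 (example.net): limit responses to 203.0.113.0/24 for example.net IN ANY
09-May-2013 15:22:01.003 rate-limit: info: client 203.0.113.9#5300 (example.net): rate limit drop response to 203.0.113.0/24 for example.net IN ANY
09-May-2013 15:22:31.000 rate-limit: info: client 203.0.113.7#5300 (example.net): stop limiting responses to 203.0.113.0/24
""".splitlines()

if __name__ == "__main__":
    src = SAMPLE if sys.stdin.isatty() else sys.stdin  # e.g. tail -F named.log | python3 rrl_filter.py
    for f in filter_rrl(src):
        print(f["ts"], f["event"], f["net"], "client", f["client"])
```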

