Provided by: sanewall-doc_1.0.2+ds-2_all

NAME

       sanewall-protection - add extra protections to a definition

SYNOPSIS

       protection [reverse] flood-protection-type [requests/period [burst]]

       protection [reverse] strong [requests/period [burst]]

       protection [reverse] {bad-packets | packet-protection-type }

DESCRIPTION

       The protection subcommand sets protection rules on an interface or router.

       Flood protections honour the options requests/period and burst. They are used to limit the
       rate of certain types of traffic.

       The default rate Sanewall uses is 100 operations per second with a burst of 50. Run
       iptables -m limit --help for more information.

       The protection type strong will switch on all protections (both packet and flood
       protections) except all-floods. It has aliases full and all.

       The protection type bad-packets will switch on all packet protections but not flood
       protections.

       You can specify multiple protection types by using multiple protection commands or in a
       single command by enclosing the types in quotes.

           Note
           On a router, protections are normally set up on inface.

           The reverse option will set up the protections on outface. You must use it as the
           first keyword.

PACKET PROTECTION TYPES

       invalid
           Drops all incoming packets that the connection tracker has classified as INVALID.

           See also the control variable SANEWALL_DROP_INVALID in sanewall-variables(5), which
           allows this protection to be enabled globally.

       fragments
           Drops all packet fragments.

           This rule will probably never match anything since iptables(8) reconstructs all
           packets automatically before the firewall rules are processed whenever connection
           tracking is running.

       new-tcp-w/o-syn
           Drops all TCP packets that try to open a new connection without the SYN flag set.

       malformed-xmas
           Drops all TCP packets that have all TCP flags set.

       malformed-null
           Drops all TCP packets that have all TCP flags unset.

       malformed-bad
           Drops all TCP packets that have illegal combinations of TCP flags set.

FLOOD PROTECTION TYPES

       icmp-floods [requests/period [burst]]
           Allows only a certain number of ICMP echo requests.

       syn-floods [requests/period [burst]]
           Allows only a certain number of new TCP connections.

           Be careful to not set the rate too low as the rule is applied to all connections
           regardless of their final result (rejected, dropped, established, etc).

       all-floods [requests/period [burst]]
           Allows only a certain number of new connections.

           Be careful to not set the rate too low as the rule is applied to all connections
           regardless of their final result (rejected, dropped, established, etc).

EXAMPLES

           protection strong

           protection "invalid new-tcp-w/o-syn"

           protection syn-floods 90/sec 40

BUGS

       When using multiple types in a single command, if the quotes are forgotten, incorrect
       rules will be generated without warning.

       When using multiple types in a single command, Sanewall will silently ignore any types
       that come after a group type (bad-packets, strong and its aliases). Only use group types
       on their own line.
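       The following checker, added here as an example and not part of Sanewall itself, reads
       protection lines as this page documents them (group-type expansion, the 100/sec and
       burst 50 defaults) and flags the two pitfalls above: types following a group type, and
       a forgotten quote that turns the second type into the requests/period argument. The
       accepted rate spelling is an assumption approximating iptables -m limit.

```python
"""Check `protection` lines from a Sanewall config against sanewall-protection(5):
group-type expansion, the 100/sec burst-50 defaults and the two BUGS pitfalls.
Added example, not Sanewall's own code."""
import re
import shlex

PACKET = ["invalid", "fragments", "new-tcp-w/o-syn",
          "malformed-xmas", "malformed-null", "malformed-bad"]
FLOOD = ["icmp-floods", "syn-floods", "all-floods"]
GROUPS = {"bad-packets": PACKET,                            # packet protections only
          "strong": PACKET + ["icmp-floods", "syn-floods"]}  # everything except all-floods
GROUPS["full"] = GROUPS["all"] = GROUPS["strong"]           # documented aliases of strong
DEFAULT_RATE, DEFAULT_BURST = "100/sec", "50"               # defaults the man page states
# Assumed shape of an iptables -m limit rate ("90/sec", "30/minute", ...).
RATE_RE = re.compile(r"^\d+/(second|sec|minute|min|hour|day)$")

def parse_protection(line):
    """Return {'reverse', 'types', 'rate', 'burst', 'warnings'} for one line.
    A Sanewall config is bash syntax, so shlex honours the quoting."""
    words = shlex.split(line, comments=True)
    if not words or words[0] != "protection":
        raise ValueError("not a protection command: %r" % line)
    args = words[1:]
    reverse = bool(args) and args[0] == "reverse"           # must be the first keyword
    if reverse:
        args = args[1:]
    if not args:
        raise ValueError("protection needs a type: %r" % line)
    rate = args[1] if len(args) > 1 else DEFAULT_RATE
    burst = args[2] if len(args) > 2 else DEFAULT_BURST
    types, warnings = [], []
    requested = args[0].split()                             # one type, or a quoted list
    for i, t in enumerate(requested):
        if t in GROUPS:
            types += GROUPS[t]
            if requested[i + 1:]:                           # BUGS: Sanewall ignores these silently
                warnings.append("types after group type %s are ignored: %s"
                                % (t, " ".join(requested[i + 1:])))
            break
        elif t in PACKET or t in FLOOD:
            types.append(t)
        else:
            warnings.append("unknown protection type %r" % t)
    if not RATE_RE.match(rate):                             # BUGS: forgotten quotes look like this
        warnings.append("bad requests/period %r (quotes forgotten around "
                        "multiple types?)" % rate)
    if not burst.isdigit():
        warnings.append("bad burst %r" % burst)
    return {"reverse": reverse, "types": types, "rate": rate, "burst": burst, "warnings": warnings}
```

       Feed it each protection line of a sanewall.conf and treat any non-empty warnings list as
       a rule set that will not do what was intended.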

SEE ALSO

           Sanewall program: sanewall(1)
           Sanewall configuration: sanewall.conf(5)
           interface definition: sanewall-interface(5)
           router definition: sanewall-router(5)

AUTHOR

       Sanewall Team

COPYRIGHT

       Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>