A firewall won't identify attacks by itself. It can log incoming traffic and then let you identify an attack either through manual analysis of the logs or with the help of an IDS like Snort. You can use the firewall to block hosts that have attacked you.
You can also use rate limiting in the firewall to slow down or cap the rate of incoming connections. Here is one example for ICMP:
Code:
# Accept at most one ICMP echo-request per second on eth0 (the limit match
# also allows an initial burst of 5 packets by default; tune with --limit-burst).
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -i eth0 -j ACCEPT
# Packets above the limit fall through to later rules, so drop them explicitly
# rather than relying on the INPUT chain's default policy to enforce the cap.
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
However, if the scan is distributed and comes from many source hosts, then limiting won't help.
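The log-analysis step the reply describes, as an added example that is not part of the original post: it parses the key=value fields that netfilter's LOG target writes to syslog, counts distinct destination ports per source to spot a port scanner, and then shows the distributed case the reply warns about, where no single source trips the per-source threshold but the scan is still visible when the same log is aggregated per target. The log prefix (`FW-IN`), the thresholds, and all sample lines (addresses from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed for the example; the emitted block rules are plain strings and nothing is executed.

```python
"""Spot port scanners in iptables LOG output (constructed example, not the poster's code)."""
import re
from collections import defaultdict

# Fields emitted by the netfilter LOG target; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def log_line(src, dst, dpt, proto="TCP", prefix="FW-IN"):
    """Build a syslog line in the format the LOG target produces (constructed sample)."""
    return (f"Jan  1 00:00:00 host kernel: {prefix} IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto} SPT=40000 "
            f"DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")


def icmp_line(src, dst, prefix="FW-IN"):
    """Constructed ICMP echo-request log line; no SPT/DPT fields."""
    return (f"Jan  1 00:00:00 host kernel: {prefix} IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1")


# Constructed log: one loud scanner, one distributed scan (20 hosts, one port each),
# some benign repeat hits on 443, and a lone ping.
SAMPLE_LOG = (
    [log_line("203.0.113.5", "198.51.100.10", p) for p in range(1, 21)]
    + [log_line(f"192.0.2.{i}", "198.51.100.11", 1000 + i) for i in range(1, 21)]
    + [log_line("198.51.100.77", "198.51.100.10", 443) for _ in range(5)]
    + [icmp_line("203.0.113.9", "198.51.100.10")]
)


def parse_log(lines):
    """Yield (src, dst, proto, dpt) for every line that carries LOG fields; dpt may be None."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("proto"), m.group("dpt")


def per_source_ports(lines):
    """Map each source address to the set of distinct destination ports it probed."""
    ports = defaultdict(set)
    for src, _dst, _proto, dpt in parse_log(lines):
        if dpt is not None:
            ports[src].add(int(dpt))
    return ports


def per_destination_ports(lines):
    """Map each target address to the distinct ports probed against it, from any source."""
    ports = defaultdict(set)
    for _src, dst, _proto, dpt in parse_log(lines):
        if dpt is not None:
            ports[dst].add(int(dpt))
    return ports


def find_scanners(lines, threshold=10):
    """Sources that touched at least `threshold` distinct ports (per-source view)."""
    return sorted(s for s, p in per_source_ports(lines).items() if len(p) >= threshold)


def find_scanned_targets(lines, threshold=10):
    """Targets that had at least `threshold` distinct ports probed, regardless of source.

    This is the view that still catches a distributed scan: each of the 20 sources in
    SAMPLE_LOG hits a single port, so none of them appears in find_scanners(), but
    198.51.100.11 shows 20 distinct probed ports once the log is aggregated per target.
    """
    return sorted(d for d, p in per_destination_ports(lines).items() if len(p) >= threshold)


def block_rules(sources):
    """Render the iptables commands that would block the flagged sources (not executed)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    print("per-source scanners:", find_scanners(SAMPLE_LOG))
    print("targets with many ports probed:", find_scanned_targets(SAMPLE_LOG))
    for rule in block_rules(find_scanners(SAMPLE_LOG)):
        print(rule)
```

Blocking by source works for the single loud scanner, while the distributed scan only shows up in the per-target view; that aggregation is a detection aid, not a block rule, which is the limitation the reply is pointing at.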