拒绝服务 – Synology DSM 5中启用DoS保护的作用是什么？

“DSM 5.2-5644 Update 5”上的iptables-save输出：

关闭DoS保护：

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:23:24 2016
*filter
:INPUT ACCEPT [6161:1075680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5604:2995833]
:DEFAULT_INPUT - [0:0]
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
COMMIT
# Completed on Sat Feb 20 23:23:24 2016

使用DoS保护：

# Generated by iptables-save v1.4.21 on Sat Feb 20 23:24:27 2016
*filter
:INPUT ACCEPT [10:1306]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:2003]
:DEFAULT_INPUT - [0:0]
:DOS_PROTECT - [0:0]
-A INPUT -j DOS_PROTECT
-A INPUT -j DEFAULT_INPUT
-A DEFAULT_INPUT -p tcp -m tcp --sport 53 -m length --length 2048:65535 -j DROP
-A DEFAULT_INPUT -p udp -m udp --sport 53 -m length --length 2048:65535 -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK SYN -j DROP
COMMIT
# Completed on Sat Feb 20 23:24:27 2016

sysctl -a的相应输出之间没有相关的更改(仅运行时值更改,如inode编号)

在所有情况下,tc -p类显示dev eth0和tc -p qdisc show dev eth0显示默认设置.

> tc -p class show dev eth0
class mq :1 root 
class mq :2 root 
class mq :3 root 
class mq :4 root 
class mq :5 root 
class mq :6 root 
class mq :7 root 
class mq :8 root 
> tc -p qdisc show dev eth0
qdisc mq 0: root