Defining Session Control Rules
You define session rate rules in the $FWDIR/conf/control_rules file. Use one line for each rule.
Each rule must contain the limit parameter. The other parameters are optional.
Important - Define rules as specifically as possible, so that no two rules can apply to the same traffic. Overlapping rules can cause unpredictable results. We recommend that you explicitly define all parameters in each rule.
Rule Syntax
[src <ip>/<mask>] [dst <ip>/<mask>] [dport <port>] [proto <protocol_id>] [limit <rate>] [limit_ongoing 0|1]
Parameter              Description
src <ip>/<mask>        Source IP address and net mask
dst <ip>/<mask>        Destination IP address and net mask
dport <port>           Destination port
proto <protocol_id>    Protocol code, typically 6 (TCP) or 17 (UDP). To learn more about protocol codes, see the IANA protocol numbers list.
limit <rate>           Maximum number of new connections allowed per second
limit_ongoing 0|1      0 - Do not limit the number of packets on an established connection
                       1 - Limit the number of packets on an established connection
Rule Examples
src * dst 1.1.1.0/24 dport 67 proto 17 limit 20 limit_ongoing 1
This rule defines a limit of 20 new connections per second for traffic going from all sources to:
- Network 1.1.1.0/24
- Port 67
- Using protocol 17 (UDP)
- Also limiting the packets on established connections (limit_ongoing 1)
dst 1.1.1.1/32 dport 80 proto 6 limit 13
This rule defines a limit of 13 new connections per second for traffic going from all sources to:
- Host 1.1.1.1/32
- Port 80
- Using protocol 6 (TCP)
Because limit_ongoing is omitted, packets on established connections are not limited.
Notes
- New connections above the specified limit are dropped.
- If you do not include a parameter, the rule applies to all values for that parameter. For example, if you do not include the src parameter, the rule applies to all sources.
- The * character as a parameter value explicitly says that a rule applies to all values.
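The syntax table and the notes above give enough to check a control_rules file before loading it: every rule needs limit, an omitted parameter or * means "any value", and, per the warning at the top of the page, no two rules should be able to match the same packet. The following is an added example written for this page, not Check Point code; it parses each line, rejects malformed rules, and reports pairs of rules that overlap. It assumes blank lines may be skipped and uses a constructed sample file in which the third rule deliberately overlaps the first.

```python
"""Syntax and overlap checker for $FWDIR/conf/control_rules lines.

Added illustration, not Check Point code. A parameter that is omitted or
given as '*' is treated as matching every value, as the Notes say.
Assumption: blank lines in the file are ignored.
"""
import ipaddress
import itertools

PARAMETERS = ("src", "dst", "dport", "proto", "limit", "limit_ongoing")

# Constructed sample file (not from a real gateway). Rules 1 and 3 both match
# UDP/67 traffic to 1.1.1.0/24, which the documentation warns against.
SAMPLE_RULES = """\
src * dst 1.1.1.0/24 dport 67 proto 17 limit 20 limit_ongoing 1
dst 1.1.1.1/32 dport 80 proto 6 limit 13
dst 1.1.1.0/24 dport 67 proto 17 limit 50
"""


def parse_rule(line):
    """Parse one rule line into a dict keyed by PARAMETERS.

    A value of None means "any". Raises ValueError on a malformed rule.
    """
    tokens = line.split()
    if len(tokens) % 2:
        raise ValueError("parameters must come in <name> <value> pairs")
    rule = dict.fromkeys(PARAMETERS)
    seen = set()
    for name, value in zip(tokens[::2], tokens[1::2]):
        if name not in PARAMETERS:
            raise ValueError(f"unknown parameter {name!r}")
        if name in seen:
            raise ValueError(f"duplicate parameter {name!r}")
        seen.add(name)
        if value == "*":
            continue  # explicit wildcard, same as omitting the parameter
        if name in ("src", "dst"):
            # strict=False tolerates host bits set, e.g. 1.1.1.1/24
            rule[name] = ipaddress.ip_network(value, strict=False)
        elif name == "limit_ongoing":
            if value not in ("0", "1"):
                raise ValueError("limit_ongoing must be 0 or 1")
            rule[name] = int(value)
        else:
            rule[name] = int(value)  # dport, proto, limit
    if rule["limit"] is None:
        raise ValueError("limit is required")
    return rule


def check_line(line):
    """Return None if the line is a valid rule, otherwise the error message."""
    try:
        parse_rule(line)
    except ValueError as exc:
        return str(exc)
    return None


def rules_overlap(a, b):
    """True if some packet could match both rules (a wildcard matches anything)."""
    for name in ("src", "dst"):
        if a[name] is not None and b[name] is not None and not a[name].overlaps(b[name]):
            return False
    for name in ("dport", "proto"):
        if a[name] is not None and b[name] is not None and a[name] != b[name]:
            return False
    return True


def find_overlaps(text):
    """Return 1-based (i, j) index pairs of non-blank rules that can both match one packet."""
    rules = [parse_rule(line) for line in text.splitlines() if line.strip()]
    return [
        (i, j)
        for (i, a), (j, b) in itertools.combinations(enumerate(rules, 1), 2)
        if rules_overlap(a, b)
    ]


if __name__ == "__main__":
    for pair in find_overlaps(SAMPLE_RULES):
        print("overlapping rules:", pair)
```

Run it against a real file with `find_overlaps(open(path).read())`; an empty result means each packet can hit at most one rule. The overlap test is deliberately conservative: it reports a pair whenever the address ranges intersect and neither dport nor proto differs, so a rule that only says `dst 1.1.1.0/24 limit 50` is reported against every other rule for that network.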