Defining Session Control Rules
You define session rate rules in the $FWDIR/conf/control_rules file. Use one line for each rule.
Each rule must contain the limit parameter. The other parameters are optional.
|
Important - Define rules as specifically as possible, so that more than one rule cannot apply to the same traffic. Overlapping rules can cause unpredictable results. We recommend that you explicitly define all parameters in each rule.
|
Rule Syntax
src <ip/mask> dst <ip/mask> dport <port> proto <protocol_id> limit <rate>
Parameter
|
Description
|
src <ip/mask>
|
Source IP address and net mask.
|
dst <ip/mask>
|
Destination IP address and net mask.
|
dport <port>
|
Destination port.
|
proto <protocol_id>
|
Protocol code, typically 6 (TCP) or 17 (UDP). To learn more about protocol codes, IANA protocol codes.
|
limit <rate>
|
Maximum number of new connections allowed per second.
|
Rule Examples
src * dst 1.1.1.0/24 dport 67 proto 17 limit 20
This rule defines a limit of 20 new connections per second for traffic going from any source to:
- Network 1.1.1.0/24
- Port 67
- Using protocol 17 (UDP)
dst 1.1.1.1/32 dport 80 proto 6 limit 13
This rule defines a limit of 13 new connections per second for traffic going from any source to:
- Network 1.1.1.1/32
- Port 80
- Using protocol 6 (TCP)
Notes
- New connections in excess of the specified limit are dropped.
- If you do not include a parameter, the rule applies to all values for that parameter. For example, if you do not include the
src parameter, the rule applies to all servers. - The '*' character as a parameter value explicitly says that a rule applies to all values.
|
