
Defining Session Control Rules

You define session rate rules in the $FWDIR/conf/control_rules file. Use one line for each rule.

Each rule must contain the limit parameter. The other parameters are optional.

Important - Define rules as specifically as possible, so that more than one rule cannot apply to the same traffic. Overlapping rules can cause unpredictable results. We recommend that you explicitly define all parameters in each rule.

Rule Syntax

src <ip/mask> dst <ip/mask> dport <port> proto <protocol_id> limit <rate>

Parameter            Description
src <ip/mask>        Source IP address and net mask.
dst <ip/mask>        Destination IP address and net mask.
dport <port>         Destination port.
proto <protocol_id>  Protocol code, typically 6 (TCP) or 17 (UDP). To learn more about protocol codes, see the IANA protocol codes.
limit <rate>         Maximum number of new connections allowed per second.

Rule Examples

src * dst 1.1.1.0/24 dport 67 proto 17 limit 20

This rule defines a limit of 20 new connections per second for traffic going from any source to:

  • Network 1.1.1.0/24
  • Port 67
  • Using protocol 17 (UDP)

dst 1.1.1.1/32 dport 80 proto 6 limit 13

This rule defines a limit of 13 new connections per second for traffic going from any source to:

  • Network 1.1.1.1/32
  • Port 80
  • Using protocol 6 (TCP)

Notes

  • New connections in excess of the specified limit are dropped.
  • If you do not include a parameter, the rule applies to all values for that parameter. For example, if you do not include the src parameter, the rule applies to traffic from all sources.
  • The '*' character as a parameter value explicitly says that a rule applies to all values.
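The following is an added example, not part of the Check Point documentation or product: a small lint script for a control_rules file that applies the syntax and the notes above. It rejects lines without the mandatory limit parameter, lists parameters a rule leaves implicit, and reports pairs of rules that could both match the same new connection, the overlap the Important note warns about. The three sample lines are constructed (the first two are the rule examples above, the third is a made-up overlapping rule).

```python
import ipaddress

FIELDS = ("src", "dst", "dport", "proto", "limit")
MATCH_FIELDS = FIELDS[:-1]

def parse_rule(line):
    """Parse one control_rules line. An absent parameter is stored as None,
    an explicit '*' is kept as '*'; both mean 'any value' for matching."""
    tokens = line.split()
    if len(tokens) % 2:
        raise ValueError(f"odd number of tokens: {line!r}")
    rule = dict.fromkeys(FIELDS)
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key not in FIELDS:
            raise ValueError(f"unknown parameter {key!r}: {line!r}")
        rule[key] = value
    if rule["limit"] is None:           # limit is the one mandatory parameter
        raise ValueError(f"missing limit: {line!r}")
    rule["limit"] = int(rule["limit"])
    for key in ("src", "dst"):          # normalise networks for overlap tests
        if rule[key] not in (None, "*"):
            rule[key] = ipaddress.ip_network(rule[key], strict=False)
    return rule

def unspecified(rule):
    """Parameters the rule leaves out (implicit 'any'); the documentation
    recommends stating every parameter, using '*' where 'any' is intended."""
    return [f for f in MATCH_FIELDS if rule[f] is None]

def _fields_can_match_same_packet(a, b):
    if a in (None, "*") or b in (None, "*"):
        return True
    if isinstance(a, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return a.overlaps(b)                # two prefixes share addresses
    return a == b                           # ports and protocol ids

def find_overlaps(rules):
    """Index pairs of rules that could both apply to one new connection."""
    return [(i, j) for i in range(len(rules)) for j in range(i + 1, len(rules))
            if all(_fields_can_match_same_packet(rules[i][f], rules[j][f])
                   for f in MATCH_FIELDS)]

# Constructed sample: the two documented rules plus a broader third rule.
SAMPLE_RULES = """\
src * dst 1.1.1.0/24 dport 67 proto 17 limit 20
dst 1.1.1.1/32 dport 80 proto 6 limit 13
src * dst 1.1.1.0/24 dport 80 proto 6 limit 50
"""

def lint(text):
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return {"unspecified": [unspecified(r) for r in rules],
            "overlaps": find_overlaps(rules)}

if __name__ == "__main__":
    print(lint(SAMPLE_RULES))
```

On the sample, the second rule is reported as leaving src implicit, and rules 2 and 3 are flagged as overlapping because 1.1.1.1/32 lies inside 1.1.1.0/24 with the same port and protocol.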
©2014 Check Point Software Technologies Ltd. All rights reserved.