fwaccel dos config

In the R81.10.X releases, this command is available starting from the versions R81.10.15 JHF (Build B996004039) and R81.10.17.

Description

The "fwaccel dos config" and "fwaccel6 dos config" commands control the global configuration parameters of the Rate Limiting for DoS mitigation in SecureXL.

These global parameters apply to all configured Rate Limiting rules.

Important - In a Cluster, you must configure all the Cluster Members in the same way.

Syntax for IPv4

fwaccel dos config

      get

      set

            {--disable-deny-list | --enable-deny-list}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {--disable-monitor | --enable-monitor}

            {--disable-pbox | --enable-pbox}

            {--disable-rate-limit | --enable-rate-limit}

            {--disable-rule-cache | --enable-rule-cache}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Syntax for IPv6

fwaccel6 dos config

      get

      set

            {--disable-deny-list | --enable-deny-list}

            {--disable-drop-frags | --enable-drop-frags}

            {--disable-drop-opts | --enable-drop-opts}

            {--disable-internal | --enable-internal}

            {--disable-log-drops | --enable-log-drops}

            {--disable-log-pbox | --enable-log-pbox}

            {--disable-monitor | --enable-monitor}

            {--disable-pbox | --enable-pbox}

            {--disable-rate-limit | --enable-rate-limit}

            {--disable-rule-cache | --enable-rule-cache}

            {-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}

            {-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}

            {-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

Parameters and Options

Parameter or Option

Description

No Parameters

Shows the applicable built-in usage.

get

Shows the configuration parameters.

set <options>

Configures the parameters.

--disable-deny-list

Disables the IP deny-lists.

This is the default configuration.

--disable-drop-frags

Disables the drops of all fragmented packets. This is the default configuration.

--disable-drop-opts

Disables the drops of all packets with IP options.

This is the default configuration.

--disable-internal

Disables the enforcement on internal interfaces.

This is the default configuration.

--disable-log-drops

Disables the notifications when the DoS module drops a packet due to the rate limiting policy.

--disable-log-pbox

Disables the notifications when the administrator adds an IP address to the penalty box.

--disable-monitor

Disables the monitor-only mode.

This is the default configuration.

This command affects all Rate Limiting features.

Also, see the fwaccel dos deny command.

--disable-pbox

Disables the IP penalty box.

This is the default configuration.

Also, see the fwaccel dos pbox command.

--disable-rate-limit

Disables the enforcement of the rate limiting policy.

This is the default configuration.

--disable-rule-cache

Disables the caching of Rate Limiting rule matches.

This optimizes the performance for large numbers of connections-per-second.

--enable-deny-list

Enables IP deny-lists.

Also, see the fwaccel dos deny command.

--enable-drop-frags

Enables the drops of all fragmented packets.

--enable-drop-opts

Enables the drops of all packets with IP options.

--enable-internal

Enables the enforcement on internal interfaces.

--enable-log-drops

Enables the notifications when the DoS module drops a packet due to the rate limiting policy.

This is the default configuration.

--enable-log-pbox

Enables the notifications when the administrator adds an IP address to the penalty box.

This is the default configuration.

--enable-monitor

Enables the monitor-only mode (accepts all packets that otherwise are dropped).

This command affects all Rate Limiting features.

Also, see the fwaccel dos deny command.

--enable-pbox

Enables the IP penalty box.

Also, see the fwaccel dos pbox command.

--enable-rate-limit

Enables the enforcement of the rate limiting policy.

Important - After you run this command, you must install the Access Control policy.

--enable-rule-cache

Enables the caching of Rate Limiting rule matches.

This optimizes the performance for large numbers of packets-per-connection.

This is the default configuration.

-n <NOTIF_RATE>

--notif-rate <NOTIF_RATE>

Configures the maximum number of drop notifications per second for each SecureXL device.

Range: 0 - (2^32 - 1)

Default: 100

-p <PBOX_RATE>

--pbox-rate <PBOX_RATE>

Configures the minimum number of reported dropped packets before SecureXL adds a source IPv4 address to the penalty box.

Range: 0 - (2^32 - 1)

Default: 500

-t <PBOX_TMO>

--pbox-tmo <PBOX_TMO>

Configures the number of seconds until SecureXL removes an IP address from the penalty box.

Range: 0 - (2^32 - 1)

Default: 180

Example 1 - Get the current DoS configuration

[Expert@MyGW]# fwaccel dos config get
    rate limit: enabled (without policy)
    rule cache: enabled
          pbox: disabled
     deny list: enabled (without policy)
    drop frags: disabled
     drop opts: disabled
      internal: enabled
       monitor: disabled
     log drops: enabled
      log pbox: enabled
    notif rate: 100 notifications/second
     pbox rate: 500 packets/second
      pbox tmo: 180 seconds
[Expert@MyGW]#

Example 2 - Enabling the Penalty Box

[Expert@MyGW]# fwaccel dos config set --enable-pbox
OK
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos config get
    rate limit: enabled (without policy)
    rule cache: enabled
          pbox: enabled
     deny list: enabled (without policy)
    drop frags: disabled
     drop opts: disabled
      internal: enabled
       monitor: disabled
     log drops: enabled
      log pbox: enabled
    notif rate: 100 notifications/second
     pbox rate: 500 packets/second
      pbox tmo: 180 seconds
[Expert@MyGW]#
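Added example, not part of the Check Point documentation: a small bash audit that reads a captured "fwaccel dos config get" output in the layout of Examples 1 and 2, extracts individual settings, flags states that weaken enforcement or visibility (monitor-only mode on, rate limiting off, drop or penalty box notifications off), and compares two captures key by key, which is the check to run across Cluster Members since they must be configured identically. The captures are constructed for the example and the functions never call "fwaccel" themselves.

```bash
#!/bin/bash
# Added example (not Check Point code): audit and compare captured
# "fwaccel dos config get" output. The "fwaccel" binary is never called;
# the text below is a constructed sample in the layout of Example 1.

SAMPLE_MEMBER_A='    rate limit: enabled (without policy)
    rule cache: enabled
          pbox: disabled
     deny list: enabled (without policy)
    drop frags: disabled
     drop opts: disabled
      internal: enabled
       monitor: enabled
     log drops: disabled
      log pbox: enabled
    notif rate: 100 notifications/second
     pbox rate: 500 packets/second
      pbox tmo: 180 seconds'

# Constructed second capture: identical except the penalty box is enabled.
SAMPLE_MEMBER_B=$(printf '%s\n' "$SAMPLE_MEMBER_A" | sed 's/^\( *pbox:\) disabled/\1 enabled/')

# dos_get_value <capture> <key>: print the raw value of one setting, e.g.
# dos_get_value "$SAMPLE_MEMBER_A" 'pbox tmo' prints "180 seconds".
dos_get_value() {
    printf '%s\n' "$1" | awk -F': ' -v k="$2" '{
        key = $1; sub(/^[ \t]+/, "", key)
        if (key == k) { print $2; exit }
    }'
}

# dos_get_state <capture> <key>: first word of the value, i.e. enabled/disabled.
dos_get_state() {
    dos_get_value "$1" "$2" | awk '{ print $1 }'
}

# dos_audit <capture>: print one line per setting that weakens enforcement
# or visibility. Empty output means nothing to report.
dos_audit() {
    local c="$1"
    [ "$(dos_get_state "$c" monitor)" = enabled ] &&
        echo "monitor-only mode is enabled: packets that rate limiting would drop are accepted"
    [ "$(dos_get_state "$c" 'rate limit')" = disabled ] &&
        echo "rate limiting enforcement is disabled"
    [ "$(dos_get_state "$c" 'log drops')" = disabled ] &&
        echo "drop notifications are disabled: rate limiting drops leave no log trace"
    [ "$(dos_get_state "$c" 'log pbox')" = disabled ] &&
        echo "penalty box notifications are disabled"
    return 0
}

# dos_config_diff <capture_a> <capture_b>: print each setting whose value
# differs between two gateway captures (Cluster Members must match).
dos_config_diff() {
    local key va vb
    for key in 'rate limit' 'rule cache' pbox 'deny list' 'drop frags' \
               'drop opts' internal monitor 'log drops' 'log pbox' \
               'notif rate' 'pbox rate' 'pbox tmo'; do
        va=$(dos_get_value "$1" "$key")
        vb=$(dos_get_value "$2" "$key")
        [ "$va" = "$vb" ] || printf 'MISMATCH %-10s A=%s | B=%s\n' "$key" "$va" "$vb"
    done
}

echo "-- audit of member A --"
dos_audit "$SAMPLE_MEMBER_A"
echo "-- differences between member A and member B --"
dos_config_diff "$SAMPLE_MEMBER_A" "$SAMPLE_MEMBER_B"
```

On a real gateway the captures would come from "fwaccel dos config get" on each member (for example saved to a file and read with "$(cat file)"); the parsing relies only on the "key: value" layout shown in the examples above.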

Making the configuration persistent

The settings defined with the "fwaccel dos config set" and the "fwaccel6 dos config set" commands return to their default values during each reboot. To make these settings persistent, add the applicable commands to these configuration files:

File

Description

$FWDIR/conf/fwaccel_dos_rate_on_install

This shell script for IPv4 must contain only the "fwaccel dos config set" commands:

#!/bin/bash
fwaccel dos config set <options>

$FWDIR/conf/fwaccel6_dos_rate_on_install

This shell script for IPv6 must contain only the "fwaccel6 dos config set" commands:

#!/bin/bash
fwaccel6 dos config set <options>

Notes:

  • To create or edit these files, log in to the Expert mode.

  • If these files do not already exist, create them with one of these commands:

    • touch $FWDIR/conf/<Name of File>

    • vi $FWDIR/conf/<Name of File>

  • These files must start with the "#!/bin/bash" line.

  • These files must end with a new empty line.

  • After you edit these files, you must assign the execute permission to them:

    chmod +x $FWDIR/conf/<Name of File>

Example of a $FWDIR/conf/fwaccel_dos_rate_on_install file:

#!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox
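Added example, not part of the Check Point documentation: a bash function that checks a fwaccel_dos_rate_on_install or fwaccel6_dos_rate_on_install file against the rules in the Notes above (first line "#!/bin/bash", only "fwaccel dos config set" or "fwaccel6 dos config set" lines, a final empty line, execute permission) before a reboot depends on it. The two files it checks are constructed in a temporary directory; $FWDIR/conf is not touched and "fwaccel" is never run.

```bash
#!/bin/bash
# Added example (not Check Point code): validate an on_install persistence
# file against the Notes above before trusting it to survive a reboot.
# Nothing here runs "fwaccel"; the files checked are constructed in a
# temporary directory, not under $FWDIR/conf.

# validate_on_install_file <path> <ipv4|ipv6>
# Prints one line per problem and returns the number of problems found
# (0 and no output when the file is valid).
validate_on_install_file() {
    local f="$1" family="$2" cmd first line lineno=0 problems=0
    case "$family" in
        ipv4) cmd='fwaccel dos config set' ;;
        ipv6) cmd='fwaccel6 dos config set' ;;
        *) echo "unknown address family: $family"; return 1 ;;
    esac
    if [ ! -f "$f" ]; then
        echo "missing file: $f"; return 1
    fi
    # Rule: the first line must be exactly "#!/bin/bash".
    first=$(head -n 1 "$f")
    if [ "$first" != '#!/bin/bash' ]; then
        echo "line 1 must be '#!/bin/bash', found: '$first'"
        problems=$((problems + 1))
    fi
    # Rule: every other non-empty line must be one of the allowed commands
    # (no comments, no other commands, no commands for the other family).
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        [ "$lineno" -eq 1 ] && continue
        [ -z "$line" ] && continue
        case "$line" in
            "$cmd "-*) ;;
            *) echo "line $lineno is not a '$cmd ...' command: $line"
               problems=$((problems + 1)) ;;
        esac
    done < "$f"
    # Rule: the file must end with a new empty line, so its last line is "".
    if [ -n "$(tail -n 1 "$f")" ]; then
        echo "file must end with an empty line"
        problems=$((problems + 1))
    fi
    # Rule: the file needs the execute permission (chmod +x).
    if [ ! -x "$f" ]; then
        echo "file is not executable, run: chmod +x $f"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed inputs in a scratch directory (removed when the shell exits).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
GOOD_FILE="$demo_dir/fwaccel_dos_rate_on_install"
BAD_FILE="$demo_dir/broken_on_install"

# Valid file: the example at the end of this page, plus the final empty line.
printf '#!/bin/bash\nfwaccel dos config set --enable-internal\nfwaccel dos config set --enable-pbox\n\n' > "$GOOD_FILE"
chmod +x "$GOOD_FILE"

# Broken file: shebang missing its "#", a comment line, no final empty line,
# and no execute permission (four problems in total).
printf '!/bin/bash\n# restore DoS settings\nfwaccel dos config set --enable-pbox' > "$BAD_FILE"

validate_on_install_file "$BAD_FILE" ipv4 || echo "problems found: $?"
validate_on_install_file "$GOOD_FILE" ipv4 && echo "$GOOD_FILE is valid"
```

On a gateway the same function can be pointed at the real files, for example "validate_on_install_file $FWDIR/conf/fwaccel_dos_rate_on_install ipv4" and "validate_on_install_file $FWDIR/conf/fwaccel6_dos_rate_on_install ipv6"; a non-zero return means the file would not restore the settings as intended after the next reboot.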