 
kchris
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Oct 27, 2004 2:58 pm

limit connection count on a PER IP basis

Sat Oct 22, 2005 9:19 pm

hi!

Is it possible to limit the TCP connection count (or SYN packet count) on a per (source) IP basis without creating rules for each IP address?

I think if I create a global limit (per block basis) then one host (with a virus or something that sends many SYN packets) can send most of its packets (within the limit, of course) and the other PCs can't (trying to web-browse or something harmless)..
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Sun Oct 23, 2005 3:09 pm

Yes,
/ip firewall filter add action=drop connection-limit=5,32 protocol=tcp tcp-flags=syn chain=forward
This rule limits to 6 connections for each user.
 
spire2z
Long time Member
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Oct 27, 2005 3:16 pm

Out of interest, what version is this rule for?

Also, what is the 5,32?

Thanks
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Oct 27, 2005 3:23 pm

Syntax is for version 2.9 (2.9.6).
5 is the allowed connections, 32 is the netmask, which sets the limit for each user in the network.

ConnectionLimit ::= [!]Limit,Netmask
Netmask ::= IpNetmask | Num
IpNetmask ::= A.B.C.D
Num ::= 0..32 (integer number)
Limit ::= 0..4294967295 (integer number)
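The `Limit,Netmask` grammar above, modelled as an added example that is not part of the thread and not RouterOS code: a small Python simulation of how the netmask groups source addresses before the connection count is compared with the limit. It shows why `5,32` gives each host its own budget while `5,24` would give the whole /24 one shared budget (the situation kchris described, where one SYN-flooding host uses up the allowance for its neighbours). The connection-tracking table and the SYN traffic are constructed, and the exact boundary (drop once the count has already reached the limit) is an assumption, since the thread itself gives two different readings of it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ConnectionLimit:
    """Parsed form of '[!]Limit,Netmask' from the grammar in the thread."""
    limit: int
    prefix: int          # netmask normalised to a prefix length 0..32
    negate: bool = False  # leading '!' inverts the match


def parse_connection_limit(spec: str) -> ConnectionLimit:
    """Parse a connection-limit value; Netmask may be 0..32 or A.B.C.D."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    limit_str, mask_str = spec.split(",", 1)
    limit = int(limit_str)
    if not 0 <= limit <= 4294967295:
        raise ValueError("Limit must be 0..4294967295")
    if "." in mask_str:
        # Dotted mask: let the stdlib validate it and turn it into a prefix.
        prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask_str}").prefixlen
    else:
        prefix = int(mask_str)
        if not 0 <= prefix <= 32:
            raise ValueError("Num must be 0..32")
    return ConnectionLimit(limit, prefix, negate)


class ConnLimitFilter:
    """Toy model of a drop rule keyed on connection-limit (assumption: the
    rule matches when the block's existing count has reached the limit)."""

    def __init__(self, spec: str):
        self.rule = parse_connection_limit(spec)
        self.active = []  # constructed conntrack table: source IP per accepted connection

    def block_of(self, ip: str) -> ipaddress.IPv4Network:
        # Netmask decides which source addresses share one counter.
        return ipaddress.ip_network(f"{ip}/{self.rule.prefix}", strict=False)

    def new_connection(self, src_ip: str) -> str:
        """Return 'accept' or 'drop' for a new SYN from src_ip."""
        block = self.block_of(src_ip)
        count = sum(1 for a in self.active if ipaddress.ip_address(a) in block)
        reached = count >= self.rule.limit
        if reached != self.rule.negate:  # rule matched -> action=drop
            return "drop"
        self.active.append(src_ip)
        return "accept"


def simulate(spec: str, syns):
    """Run a sequence of SYN source addresses through the filter and tally verdicts."""
    fw = ConnLimitFilter(spec)
    results = {}
    for ip in syns:
        verdict = fw.new_connection(ip)
        results.setdefault(ip, {"accept": 0, "drop": 0})[verdict] += 1
    return results


# Constructed traffic: an infected host fires 8 SYNs, then a normal host opens 2.
SAMPLE_SYNS = ["10.0.0.5"] * 8 + ["10.0.0.7"] * 2

if __name__ == "__main__":
    print("5,32 (per host):", simulate("5,32", SAMPLE_SYNS))
    print("5,24 (per /24): ", simulate("5,24", SAMPLE_SYNS))
```

With `5,32` the noisy host is capped at 5 and the second host still gets its 2 connections; with `5,24` the noisy host exhausts the shared /24 budget first and the innocent neighbour is dropped outright, which is the failure mode a per-address netmask avoids.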
 
spire2z
Long time Member
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Oct 27, 2005 3:40 pm

I tried that rule on 2.8 and it won't accept it. Do you know of a way to do a connection limit per client IP on 2.8?
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Oct 27, 2005 3:42 pm

/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=5 action=drop
 
spire2z
Long time Member
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Oct 27, 2005 3:47 pm

So do you think for sure that that rule would only limit per client address on 2.8? I can't tell if it's doing it per client or as one rule for all.
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Oct 27, 2005 3:59 pm

The rule limits to 4 connections for each user.
Note, P2P traffic may create many more connections in particular.
 
spire2z
Long time Member
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Oct 27, 2005 5:54 pm

Thanks my man.
 
r3lax
just joined
Posts: 6
Joined: Thu Oct 27, 2005 11:54 am

Fri Oct 28, 2005 9:44 am

Is there a way to limit the bandwidth of these connections?

/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=5 action=drop

Here there are 5 undropped connections, and I want to set up a bandwidth limit for these 5 undropped connections, i.e. 64000 bytes.
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Fri Oct 28, 2005 12:51 pm

Add a simple queue with target-address and the requested limit.
 
r3lax
just joined
Posts: 6
Joined: Thu Oct 27, 2005 11:54 am

Fri Oct 28, 2005 4:06 pm

Add simple queue with target-address and requested limit.
Sorry, but I couldn't do it right...

I don't want to limit the servers' bandwidth.

I have a class C IP block for my servers: 123.123.123.0/24

The interface names are local and remote...

Internet users are connecting to my servers from different unknown IP addresses. I want to limit the bandwidth of these unknown IPs.

Nobody should access faster than 256 Kbps.