Hi,
I have searched the forum and docs but been unable to answer this:
The connection-limit function limits each local IP to the specified tcp connection limit I do know. But is it possible to do it so the connections are limited to an ammount of connections per server on the internet and an overall limit per local IP also?
also can anybody from Mikrotik say if the Udp connlimit that is a patch available to netfilter/iptables will be added to Mirotik?
I'm using 2.8 right now.
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
Would it work if I specified:
0.0.0.0/32 as the src address and limit to 2 connections
would that limit each client to 2 connections per server on the internet
and if I added another rule:
0.0.0.0/24 as the dst address limit to say 10
would that give each client 2 connections per webserver and a max total of 10 all together with the subnet addressing a single machine and the next rule addressing the whole subnet?
Thanks for any replys and also for the previous reply
0.0.0.0/32 as the src address and limit to 2 connections
would that limit each client to 2 connections per server on the internet
and if I added another rule:
0.0.0.0/24 as the dst address limit to say 10
would that give each client 2 connections per webserver and a max total of 10 all together with the subnet addressing a single machine and the next rule addressing the whole subnet?
Thanks for any replys and also for the previous reply
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
/32 is going to mean a full 32 bit IP address (10.200.4.14/32)Would it work if I specified:
0.0.0.0/32 as the src address and limit to 2 connections
would that limit each client to 2 connections per server on the internet
and if I added another rule:
0.0.0.0/24 as the dst address limit to say 10
would that give each client 2 connections per webserver and a max total of 10 all together with the subnet addressing a single machine and the next rule addressing the whole subnet?
Thanks for any replys and also for the previous reply
so like...
Code: Select all
/ip firewall rule forward add src-address=10.10.10.5/32 limit-count=2to do a full /24 network it would look something like this...
Code: Select all
/ip firewall rule forward add src-address=10.10.10.0/24 limit-count=10now if you flipped the script and specified the dst-address that would only allow "x" ammount of connections to that specific host/network.
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
0.0.0.0/0 is used for default routes and wildcard (to mean all traffic).. if you specified a /32 it would only match packets with the src/dst of 0.0.0.0. Since that's not a valid IP address I dont think its going to match any traffic at all?So could the syntax:
0.0.0.0/32 to apply a connection limit to any individual dst address on the internet?
thanks.
I have sucessfully used the syntax:
0.0.0.0/24 dst address to limit connections to ALL hosts by x per local IP.
So it kinda makes sense that:
0.0.0.0/32 dst address would limit connections to EACH host by x per local IP
I will have to try it and let you know?
Also anybody know about the UDP connlimit patch for Netfilter would make it's way to MT
0.0.0.0/24 dst address to limit connections to ALL hosts by x per local IP.
So it kinda makes sense that:
0.0.0.0/32 dst address would limit connections to EACH host by x per local IP
I will have to try it and let you know?
Also anybody know about the UDP connlimit patch for Netfilter would make it's way to MT
I do not follow, what makes you think so? The 0.0.0.0/32 source address is for connections that router makes itself, and for which no source address has been determined yet. I have no idea how would the destination of 0.0.0.0/32 would be useful. Please enlighten us...0.0.0.0/32 dst address would limit connections to EACH host by x per local IP
Well I don't know for sure if it will work but it does make sense to me anyway!
It would theoretically apply to all individual connections but set a limit per each server IP rather than per all server IP's.
As above you will see the 0.0.0.0/24 applies the rule to a connection limit per LAN ip of x connections total max connections to the internet. I know that works OK.
But this has a problem with IE that some web pages with lots of adverts make many connections to limiting below say 50 causes browsing problems.
To address this issue I looked into limiting connections per server IP rather than an overall connlimit and nobody could really help so that was my best theory I figured that the 0.0.0.0 would apply to all connections and the subnet 32 would indicate each remote IP rather than all!
The general idea was to get some feedback and maybe the correct syntax to do what I want to do?? Maybe nobody does this kind of stuff. I only have to to get a satellite connection to be reliable and not many people use satellite broadband with it's limitations.
It would theoretically apply to all individual connections but set a limit per each server IP rather than per all server IP's.
As above you will see the 0.0.0.0/24 applies the rule to a connection limit per LAN ip of x connections total max connections to the internet. I know that works OK.
But this has a problem with IE that some web pages with lots of adverts make many connections to limiting below say 50 causes browsing problems.
To address this issue I looked into limiting connections per server IP rather than an overall connlimit and nobody could really help so that was my best theory I figured that the 0.0.0.0 would apply to all connections and the subnet 32 would indicate each remote IP rather than all!
The general idea was to get some feedback and maybe the correct syntax to do what I want to do?? Maybe nobody does this kind of stuff. I only have to to get a satellite connection to be reliable and not many people use satellite broadband with it's limitations.
Code: Select all
add proto=tcp tcp-options=syn connection-limit=5 action=dropCode:
add proto=tcp tcp-options=syn connection-limit=5 action=drop
Every computer can make no more than 4 TCP connections through the router.
I know that,
but I need to limit connections per internet IP address rather than a limit overall for all because that way will cause browsing problems and you would need to allow like 70 connections which would defeat the whole object of the task in the first place.
wildbill showed how to limit connections from a single client
you could use this next snippet for a specific server outside your network which you know the IP of:
so all of your clients would be limited to 20 connections to that server
this i believe you know and is not the question. are you trying to limit each client to a specific amount of outgoing connections? or limit your entire netork to a set amount of connections to every possible IP in the world?
Code: Select all
/ip firewall rule forward add src-address=10.10.10.5/32 limit-count=2
Code: Select all
/ip firewall rule forward add dst-address=165.165.165.165/32 limit-count=20
this i believe you know and is not the question. are you trying to limit each client to a specific amount of outgoing connections? or limit your entire netork to a set amount of connections to every possible IP in the world?
I know how to limit max connections outgoing and that works fine.
What I want to do is limit the number of connections per any server on the internet but not limit on total connections. I know that if I knew the IP of a server I can do that but I want to put a rule that will apply to any webserver address so a user can only open say one connection per web server but still be able to connect to multiple servers at the same time.
You will see an explanation of why this is necissary above.
What I want to do is limit the number of connections per any server on the internet but not limit on total connections. I know that if I knew the IP of a server I can do that but I want to put a rule that will apply to any webserver address so a user can only open say one connection per web server but still be able to connect to multiple servers at the same time.
You will see an explanation of why this is necissary above.
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
I do that also. You will only realise if I tell you we have to use a satellite link of 2mbps down and 512kbps up the satellite link is very good bandwidth wise and we pretty much get 2mbps all the time but the sat link is limited to 100 tcp connections. I have PCq the overall link to 2mbps/512kbps and each user is limited to 1mbps/256kbps. The problem is the connection limit on the link. I have about 100 computers on this network and when a user gets on p2p th econnection limit is always reached. I have limited the connections on ports below 80 to 10. port 80 to 60 and above port 80 to 5 connections to stop this sat link clogging up. This works pretty well but really I would like to do less connections on port 80 too but this will cause browsing problems on heavy adverted sites because each web server can open several connections and before you know it your getting timeouts. There needs to be a way to limit also the max connections to each and every web server without entering all the ip's.
The trade off is keeping the customers happy. You see if my firewallig is too agressive I will have complaints to deal with, but If I do it this way they do not realise it just stops their applications getting out of controll and maybe suffer some performance but who cares for p2p and aggressive stuff. It's just unfortunatly the big selling point for a brodband connection so to block is bad.
The trade off is keeping the customers happy. You see if my firewallig is too agressive I will have complaints to deal with, but If I do it this way they do not realise it just stops their applications getting out of controll and maybe suffer some performance but who cares for p2p and aggressive stuff. It's just unfortunatly the big selling point for a brodband connection so to block is bad.
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
There is, just make a rule with the dst and src 0.0.0.0/0 and set your connection limit to <100 that will limit all connections to sub 100 connections.. or whatever value you specify.There needs to be a way to limit also the max connections to each and every web server without entering all the ip's.
I use a rule similar to this to block SYN_flood attacks on my network.
This will limit all connections, ingoing/outgoing and for any protocol.
::EDIT::
You could even get more specific and create rules for ingress and egress traffic.. limit the incoming connections to something real low and allow more outgoing connections. Just specify your entire network in either the src/dst field.
Last edited by wildbill442 on Thu Mar 24, 2005 6:27 pm, edited 1 time in total.
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
You might also want to create a conn-limit for peer2peer applications specifically.. and limit that to like 5-10.. because those applications are going to make a lot of connections.
I know what you're saying, but if it's effecting your overall network performance and other users, I'd just assume block it until you can get a decent backhaul.
I know what you're saying, but if it's effecting your overall network performance and other users, I'd just assume block it until you can get a decent backhaul.
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
Code: Select all
0 in-interface=WAN protocol=tcp tcp-options=syn-only limit-count=100
limit-burst=10 limit-time=1s action=return
1 in-interface=WAN protocol=tcp tcp-options=syn-only action=drop
it returns "good" traffic and drops excessive syn attempts.
-
-
waylockwisp
just joined
- Posts: 15
- Joined:
- Location: Midwest USA
excessive syn attempts
I use a rule similar to this to block SYN_flood attacks on my network.
Code:
0 in-interface=WAN protocol=tcp tcp-options=syn-only limit-count=100
limit-burst=10 limit-time=1s action=return
1 in-interface=WAN protocol=tcp tcp-options=syn-only action=drop
I have a jump rule from the forward chain to this chain.
it returns "good" traffic and drops excessive syn attempts.
wildbill442, would be willing to elaborate a bit more on these syn_flood attacks with respects to any negatives to implementing this rule? How can I determine if 100 is the right amount for a given system? I'm trying to get up to speed on the various attacks, how to identify an attack on my system while it is occuring (or afterwards) and how to mitigate any potential damage through aggressive firewalling.
Thanks,
-CW
syn attack is when people send tcp packets with syn flag (from almost always spoofed source addresses) at such a rate that the victim computer gets it's resources exhausted (unable to make new connections that are valid or runs out memory/cpu time). Most stateful firewalls will roll over and crash or will be unable to forward/service valid requests because it's state table is full/memory exhausted.
Syn packets makes a request to open a socket and traditionally computers will allocate all the necessary resources for that socket when it receives the syn packet.
Syn floods are less useful to the attacker when recipient does not have any tcp ports open.
Syn floods are more lethal on a wireless lan due to the amount of packets generated, but then so is any other flood due to the low maximum of packets per second the 802.11 protocol will permit.
This is the most common attack as there is really no way to differentiate between a good or a bad syn packet so you kind of have to keep an eye out.
There are no ways to stop spoofed addresses unless everyone performs ingress filtering (not allowing invalid addresses to be forwarded/leave their network). If i was the proud owner of say 123.0.0.0/8 i would make sure that no packet could leave my network unless it had a valid 123.0.0.0/8 address. This should be enforced as early as possible in a network so that spoofing can not occurr internally in a network.
Google about the different floods, you will find it interesting and DoS does occur often, not because they know who you are or what services you have but most often customers mess with the wrong types of people in chat rooms.
Dont let your network be a haven for DDoS zombies, dont let spoofed packets run on your network.
Syn packets makes a request to open a socket and traditionally computers will allocate all the necessary resources for that socket when it receives the syn packet.
Syn floods are less useful to the attacker when recipient does not have any tcp ports open.
Syn floods are more lethal on a wireless lan due to the amount of packets generated, but then so is any other flood due to the low maximum of packets per second the 802.11 protocol will permit.
This is the most common attack as there is really no way to differentiate between a good or a bad syn packet so you kind of have to keep an eye out.
There are no ways to stop spoofed addresses unless everyone performs ingress filtering (not allowing invalid addresses to be forwarded/leave their network). If i was the proud owner of say 123.0.0.0/8 i would make sure that no packet could leave my network unless it had a valid 123.0.0.0/8 address. This should be enforced as early as possible in a network so that spoofing can not occurr internally in a network.
Google about the different floods, you will find it interesting and DoS does occur often, not because they know who you are or what services you have but most often customers mess with the wrong types of people in chat rooms.
Dont let your network be a haven for DDoS zombies, dont let spoofed packets run on your network.
-
-
wildbill442
Forum Guru
- Posts: 1055
- Joined:
- Location: Sacramento, CA
what he said ^^
http://cio.cisco.com/warp/public/707/4.html
I chose 100 because the filter is applied to residential users who are not allowed to run servers on my network, therefore should not need an excessive amount of inbound syn requests.
http://cio.cisco.com/warp/public/707/4.html
I chose 100 because the filter is applied to residential users who are not allowed to run servers on my network, therefore should not need an excessive amount of inbound syn requests.
-
-
waylockwisp
just joined
- Posts: 15
- Joined:
- Location: Midwest USA
Thank you!
I must say, that is probably the best response I've had thus far in this forum. Thank you very much. I appreciate the responses.
-CW
-CW
I have problem p2p-connection-limit :
rules
P2P does not work, cannot connect to the server and download anything.
I just want to limit connections to 100 per 1 s for p2p.
Is some thing wrong with that rules above?
thx for answer.
rules
Code: Select all
/ ip firewall rule forward
add src-address=192.168.1.0/24 flow=p2p-src-local p2p=all-p2p limit-count=100 limit-time=1s action=drop comment="" \
disabled=no
add dst-address=192.168.1.0/24 flow=p2p-dst-local p2p=all-p2p limit-count=100 limit-time=1s action=drop comment="" \
disabled=no
[...]
/ ip firewall mangle
add src-address=192.168.1.0/24 p2p=all-p2p action=passthrough mark-flow=p2p-src-local comment="" disabled=no
add dst-address=192.168.1.0/24 p2p=all-p2p action=passthrough mark-flow=p2p-dst-local comment="" disabled=no
I just want to limit connections to 100 per 1 s for p2p.
Is some thing wrong with that rules above?
thx for answer.