I cannot understand well the working principle of the "Connection Limit" rule in the Firewall/Filter. Should it be placed above or below the rule which allows all already established connections?
The rule "action=accept connection-state=established" should be placed as early as possible (ideally, first) in any firewall filter chain for performance reasons. After it you should place other rules that limit the creation of new connections. Connection-limit can be used as one of the matchers in those rules.
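The ordering described in the reply above, written out as RouterOS commands. This is an added example, not posted by either participant; the input chain, TCP port 22 and the limit of 10 connections per /32 source address are assumed values chosen for illustration.

```routeros
/ip firewall filter
# 1. Fast path: packets that belong to already established connections
#    are accepted by the first rule and never reach the rules below.
add chain=input connection-state=established action=accept \
    comment="accept established"
# 2. Only packets that open a new connection get this far. New TCP
#    connections to port 22 are dropped when the source address (/32)
#    is over the assumed limit of 10 connections.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    connection-limit=10,32 action=drop \
    comment="limit new connections per source"
# 3. New connections to port 22 from sources under the limit are accepted.
add chain=input protocol=tcp dst-port=22 connection-state=new action=accept \
    comment="accept new connections under the limit"
```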
Yes, I know, but it seems that the Established Connections rule should be below the Connection Limit rule, because it cannot calculate all established connections then. In any case, there should be some kind of advanced documentation which describes such things.