how to block kama sutra?

Posted: Fri Feb 03, 2006 9:01 am
by Hellbound
hi guys
it seems that my network connection tracking is at a few thousand entries, which is weird, from IPs that don't exist on the network to the server, and it is slowing the server badly

thanks

Posted: Fri Feb 03, 2006 9:20 am
by normis
make allowed IP list, block everything else, make firewall rule that allows only like 20 connections from each IP.

Posted: Fri Feb 03, 2006 9:33 am
by Hellbound
thanks for the fast reply
any firewall rule sample please?

Posted: Fri Feb 03, 2006 9:36 am
by normis
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=10,32 action=drop
this will limit each IP to 10 connections
there are some other examples

Posted: Fri Feb 03, 2006 6:01 pm
by n5ltc
In general, is it good to limit the number of connections from one IP to a certain amount? I know some http sites create multiple connections at one time. Is there a good number to use? We have had issues with maybe a hundred connections at a time being generated by customers who happen to get infected with something and it affects our overall wireless network operation.

Posted: Fri Feb 03, 2006 6:31 pm
by Hugh Hartman
I use 80 without complaints, but started at 100 connections per IP.

Posted: Fri Feb 03, 2006 6:57 pm
by n5ltc
Does this work the same in pre-2.9 versions?

Posted: Fri Feb 03, 2006 7:10 pm
by Hugh Hartman
in v 2.8.28 this is the rule I use:

/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=80 action=drop

Posted: Fri Feb 03, 2006 7:16 pm
by n5ltc
Ok.. Just attempted this on a router. Here is the network topology on this particular network segment:

weeds --> narnia --> core router

On the narnia router, I have 6 ethernet ports. If I apply the rule above, is it not going to restrict to x number of connections the interface that has the backhaul to the weeds site, thus slowing that site down when it exceeds the x number of connections set in the rule? I am running PPPoE on weeds and narnia, so I can't just restrict the rule to a specific interface that an AP sits on, because then the PPPoE interfaces won't get restricted, and usually it is those customers that cause us problems. I could add <not weeds backhaul> to the rule, but my link to the core router is also going to get restricted to x number of connections. Am I reading this all wrong? Is the rule restricting by interface or by IP?
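
The following is an added example, not code from this thread or from MikroTik: a small Python model of how a per-source-address limit such as normis's `connection-limit=10,32` behaves, run over a constructed connection-tracking snapshot. It addresses both questions raised above, whether the count is per IP or per interface, and how to pick a number. The assumptions (not stated on the page) are that the counter is keyed only by the source address masked with the given prefix length (the `,32` part), never by the interface the packet arrived on, and that a new SYN is dropped once the existing count for that key has reached the limit. The sample entries, the hosts and the interface names are all constructed.

```python
"""Added example (not from the forum thread): defender-side model of a
per-source-address connection limit like RouterOS `connection-limit=10,32`,
applied to a constructed connection-tracking snapshot.

Assumed semantics (not stated on the page): the counter is keyed only by the
source address masked to prefix_len bits, never by interface, and a new
connection is dropped when that key has already reached the limit.
"""
import ipaddress
from collections import Counter

# Constructed sample: (source IP, number of tracked connections, ingress interface).
# Addresses are documentation ranges; nothing here is real traffic.
_SAMPLE_SPEC = [
    ("192.0.2.10", 3, "ether2"),       # normal browsing host
    ("192.0.2.11", 5, "ether2"),       # normal host, a few parallel HTTP fetches
    ("192.0.2.12", 12, "pppoe-in1"),   # worm-like host opening many connections
    ("198.51.100.7", 4, "ether3"),     # host behind the backhaul link
    ("192.0.2.13", 2, "pppoe-in2"),    # quiet PPPoE customer
]


def build_sample_conntrack():
    """Expand the spec into one (src, dst, iface) tuple per tracked connection."""
    entries = []
    for src, count, iface in _SAMPLE_SPEC:
        for i in range(count):
            entries.append((src, f"203.0.113.{i % 250 + 1}", iface))
    return entries


SAMPLE_CONNTRACK = build_sample_conntrack()


def masked_key(src_ip, prefix_len):
    """Source address truncated to prefix_len bits: ',32' keys per host, ',24' per /24."""
    return str(ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False))


def count_per_source(entries, prefix_len=32):
    """Connections per masked source address; the interface is deliberately ignored."""
    return Counter(masked_key(src, prefix_len) for src, _dst, _iface in entries)


def count_per_interface(entries):
    """For contrast only: what the numbers would look like if the rule counted per interface."""
    return Counter(iface for _src, _dst, iface in entries)


def would_be_dropped(entries, new_src, limit, prefix_len=32):
    """Model of the connection-limit match for one new SYN arriving from new_src."""
    counts = count_per_source(entries, prefix_len)
    return counts[masked_key(new_src, prefix_len)] >= limit


def sources_over_limit(entries, limit, prefix_len=32):
    """Sources already holding `limit` or more connections, i.e. the ones a drop rule would hit."""
    counts = count_per_source(entries, prefix_len)
    return sorted(key for key, n in counts.items() if n >= limit)


def suggest_limit(entries, percentile=0.95, headroom=2, prefix_len=32):
    """Crude sizing aid for 'is there a good number?': take the per-source count at the
    given percentile of a snapshot believed to be mostly clean and allow some headroom.
    A single infected host inflates the maximum but barely moves the percentile."""
    values = sorted(count_per_source(entries, prefix_len).values())
    index = int(percentile * (len(values) - 1))
    return int(values[index] * headroom)


if __name__ == "__main__":
    print("per source (/32):", dict(count_per_source(SAMPLE_CONNTRACK)))
    print("per interface:   ", dict(count_per_interface(SAMPLE_CONNTRACK)))
    print("over limit 10, /32:", sources_over_limit(SAMPLE_CONNTRACK, 10))
    print("over limit 10, /24:", sources_over_limit(SAMPLE_CONNTRACK, 10, 24))
    print("suggested limit:   ", suggest_limit(SAMPLE_CONNTRACK))
```

Run as a script it shows the distinction n5ltc is asking about: with `,32` only the host holding 12 connections is over a limit of 10, regardless of which interface it sits on, while `,24` lumps every host in 192.0.2.0/24 together (22 connections) so even the quiet PPPoE customer would be dropped. The `suggest_limit` helper is one way to derive a starting value from a snapshot taken during normal operation; it is a heuristic, not a rule from the thread.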

Posted: Fri Feb 03, 2006 7:30 pm
by n5ltc
oh wow! Just did this on another router and BOOM, got someone immediately with about 3 or 4 worms/virii on their system.

Posted: Fri Feb 03, 2006 7:32 pm
by Hugh Hartman
from Eugene in previous threads discussing connection limits:

Every computer can make no more than 80 TCP connections through the router.

I had problems with hundreds of connections; captured after using this rule, none exceeds the value 80.