rezamoghadam
Trainer
Topic Author
Posts: 33
Joined: Wed Mar 02, 2011 1:01 pm
Location: Iran , Ahvaz

How To Limit ICMP Packets Count !?

Mon Apr 04, 2011 9:25 am

Hi, I want to limit the ICMP packets that are input to the router.

I want 5 ICMP packets from a source to be accepted and the others to be denied.

Reply From Router ...
Reply From Router ...
Reply From Router ...
Reply From Router ...
Reply From Router ...
Request Time Out ...
Request Time Out ...
Request Time Out ...
Request Time Out ...
...


I created a rule with these properties, but it is not working ...
Ip firewall filter add chain=input action=accept protocol=icmp limit=5,5

Somebody help me, please!
 
vaizki
newbie
Posts: 32
Joined: Wed Mar 23, 2011 3:44 pm
Location: Finland

Re: How To Limit ICMP Packets Count !?

Mon Apr 04, 2011 9:31 am

I think you need to add a drop rule for the icmp after that one. Your current rule is accepting ICMPs (5 per 5 seconds average), but there is no rule to drop the rest.
 
rezamoghadam
Trainer
Topic Author
Posts: 33
Joined: Wed Mar 02, 2011 1:01 pm
Location: Iran , Ahvaz

Re: How To Limit ICMP Packets Count !?

Mon Apr 04, 2011 11:46 am

Can you test that and tell me what rule I need?

Thank you
 
sigsegv
just joined
Posts: 5
Joined: Fri Dec 24, 2010 12:48 am

Re: How To Limit ICMP Packets Count !?

Mon Apr 04, 2011 1:09 pm

/ip firewall filter add chain=input action=drop protocol=icmp
Just make sure it comes after the accept line ...
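
The accept-then-drop ordering from the replies above, as an added simulation that is not part of the thread and is not RouterOS code. Assumptions: `limit=5,5` is modelled as a token bucket of 5 packets per second with a burst of 5, the chain's default action is accept, and `per_source` is a hypothetical switch that goes beyond the thread's rules to show one bucket per source address instead of one shared bucket.

```python
class TokenBucket:
    """Simplified limit matcher: refills `rate` tokens per second, stores at
    most `burst`. Integer milli-tokens keep the arithmetic exact."""

    def __init__(self, rate, burst):
        self.rate, self.cap = rate, burst * 1000
        self.tokens, self.last = self.cap, None

    def matches(self, t_ms):
        if self.last is not None:
            refill = (t_ms - self.last) * self.rate
            self.tokens = min(self.cap, self.tokens + refill)
        self.last = t_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True


def run_input_chain(packets, rate=5, burst=5, drop_rule=True, per_source=False):
    """Count verdicts per source for ICMP packets given as (time_ms, src).
    Rule 1 accepts while the limit matcher has a token; rule 2 (optional)
    drops the rest; a packet matching no rule gets the default, accept."""
    buckets, counts = {}, {}
    for t_ms, src in packets:
        key = src if per_source else "shared"
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        if bucket.matches(t_ms):
            verdict = "accept"
        else:
            verdict = "drop" if drop_rule else "default-accept"
        per_src = counts.setdefault(src, {})
        per_src[verdict] = per_src.get(verdict, 0) + 1
    return counts


# Constructed traffic: one source sends 100 packets in a second, another
# sends a single echo request at t=505 ms (documentation addresses).
FLOOD, PING = "192.0.2.1", "192.0.2.2"
SAMPLE = sorted([(t, FLOOD) for t in range(0, 1000, 10)] + [(505, PING)])

if __name__ == "__main__":
    print("accept only :", run_input_chain(SAMPLE, drop_rule=False))
    print("accept+drop :", run_input_chain(SAMPLE))
    print("per source  :", run_input_chain(SAMPLE, per_source=True))
```

Under these assumptions a one-packet-per-second ping never empties the bucket, so it sees no timeouts with either rule set; only traffic faster than the refill rate reaches the drop rule.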
 
rezamoghadam
Trainer
Topic Author
Posts: 33
Joined: Wed Mar 02, 2011 1:01 pm
Location: Iran , Ahvaz

Re: How To Limit ICMP Packets Count !?

Wed Apr 06, 2011 10:04 pm

Excuse me ...

I want to permit only 5 replies, and after the 5th reply the ICMP sender gets Request Time Out.

I can very easily use a deny rule for ICMP, but I want to deny more than 5 replies ...
 
smartbonny
just joined
Posts: 2
Joined: Sat Apr 16, 2011 4:13 am

Re: How To Limit ICMP Packets Count !?

Sat Apr 16, 2011 5:42 am

Hi, I want to limit the ICMP packets that are input to the router.

I want 5 ICMP packets from a source to be accepted and the others to be denied.

Reply From Router ...
Reply From Router ...
Reply From Router ...
Reply From Router ...
Reply From Router ...
Request Time Out ...
Request Time Out ...
Request Time Out ...
Request Time Out ...
...


I created a rule with these properties, but it is not working ...
Ip firewall filter add chain=input action=accept protocol=icmp limit=5,5

Somebody help me, please!



Mark icmp packet

/ip firewall mangle
add action=mark-connection chain=prerouting comment=ICMP disabled=no new-connection-mark=ICMP-CM passthrough=yes protocol=icmp
add action=mark-connection chain=forward comment="" disabled=no new-connection-mark=ICMP-CM passthrough=yes protocol=icmp
add action=change-dscp chain=prerouting comment="" connection-mark=ICMP-CM disabled=no new-dscp=5 protocol=icmp
add action=change-dscp chain=forward comment="" connection-mark=ICMP-CM disabled=no new-dscp=5 protocol=icmp
add action=mark-packet chain=prerouting comment="" connection-mark=ICMP-CM disabled=no new-packet-mark=PRE-ICMP-PM passthrough=no protocol=icmp
add action=mark-packet chain=forward comment="" connection-mark=ICMP-CM disabled=no new-packet-mark=POST-ICMP-PM passthrough=no protocol=icmp

Mark Connection and bypass ICMP
/ip firewall mangle
add action=mark-connection chain=prerouting comment=C.ALL-CN disabled=no new-connection-mark=ALL-CN-PRE passthrough=yes protocol=!icmp src-address="your private network"
add action=mark-connection chain=forward comment="" disabled=no dst-address="your private network" new-connection-mark=ALL-CN-POST passthrough=yes protocol=!icmp
add action=mark-packet chain=prerouting comment=C.ALL-P connection-mark=ALL-CN-PRE disabled=no new-packet-mark=C.ALL-PRE passthrough=yes src-address="your private network"
add action=mark-packet chain=forward comment="" connection-mark=ALL-CN-POST disabled=no dst-address="your private network" new-packet-mark=C.ALL-POST passthrough=yes

With the correct settings in mangle & queue, you should have good results.

NB: from my experience, using simple queues makes the ping delay large, which is very bad for online gaming performance.
Try using queue trees if you have lots of clients (the pcq kind is good to try).


good luck !
 
MHMDONE
just joined
Posts: 1
Joined: Mon Nov 13, 2017 9:56 pm

Re: How To Limit ICMP Packets Count !?

Wed Dec 27, 2017 9:21 pm

Sorry to bring up this old topic, but can we protect the router from ICMP_DOS_ATTACK with the above commands?
Also, can the same idea be applied to HTTP_DOS_ATTACK?

If possible, would you gentlemen kindly inform us of the way?

best regards
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: How To Limit ICMP Packets Count !?

Sun Dec 31, 2017 4:00 pm

ICMP is a protocol that is needed in core routing.
You should not spend CPU resources on firewall rules for that....


ip settings set icmp-rate-limit=10

Or whatever limit is valid in your env.
