dst-limit 1 per minute, issue?

Hello,

I have this simple firewall rule (for cameras):

add action=accept chain=forward dst-limit=1/1m,0,src-address/1m40s dst-port=587 protocol=tcp src-address-list=support-CAM

My assumption is that 1 camera can send 1 email per minute.

What I am seeing is that there are a lot of emails received per minute per camera.

e.g. 14:39:01, another one at 14:39:17, and then 14:39:35 and 14:39:56

So 4 emails in 1 minute from the same IP. Am I using the rule in a bad way?

A single firewall rule doesn’t give the full picture. If it is not followed by any action=drop one matching on the same traffic, the packets which weren’t accepted by the dst-limit rule will get through anyway.

It is also quite likely that the camera doesn’t set up a new TCP session for each e-mail. It is normal (and highly recommended) that applications do not tear TCP sessions down immediately but keep them open for some time to eventually reuse them.

And last, what do you expect to happen with the e-mails which didn’t fit into your “one per minute” limit? I’d expect the camera to buffer the e-mails it could not send and try to re-send them later, so the result will be just that the e-mails will come later and in shuffled order (and if the buffer overflows, the camera may crash).
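As an added illustration of the two points above (this is not code from the thread), here is a toy Python model of a forward chain containing the poster's dst-limit rule. The dst-limit matcher is simplified to a per-source token bucket, the "accept established,related" rule placed in front of it is an assumed part of the poster's rule set, and the addresses and packet timings are constructed from the times quoted in the question. It shows that without a following drop rule the over-limit packets fall through, that with a drop rule only one new connection per minute is accepted, and that a single reused SMTP session carries all four mails past the limit.

```python
from dataclasses import dataclass, field

@dataclass
class DstLimit:
    """Per-source token bucket standing in for dst-limit=<rate>,<burst>,src-address/<expire>.
    Simplified assumption: 1/1m,0 means one token per 60 s and no extra burst."""
    rate_s: float                 # seconds per token (60 for 1/1m)
    burst: int                    # extra tokens on top of the one per interval
    expire_s: float               # idle time after which a source's entry is forgotten
    buckets: dict = field(default_factory=dict)   # src -> (tokens, last_seen)

    def matches(self, src, ts):
        cap = 1 + self.burst
        tokens, last = self.buckets.get(src, (cap, ts))
        if ts - last >= self.expire_s:             # entry expired: start with a full bucket
            tokens, last = cap, ts
        tokens = min(cap, tokens + (ts - last) / self.rate_s)
        ok = tokens >= 1
        self.buckets[src] = (tokens - 1 if ok else tokens, ts)
        return ok

def run(packets, with_drop, with_established_accept=True):
    """Evaluate (ts, src, state) packets top-down; state is 'new' or 'est'.
    Returns one verdict per packet: 'accept', 'drop', or 'passed' (no rule matched)."""
    limit = DstLimit(rate_s=60, burst=0, expire_s=100)
    verdicts = []
    for ts, src, state in packets:
        if with_established_accept and state == "est":
            verdicts.append("accept")    # accept connection-state=established,related (assumed rule)
        elif limit.matches(src, ts):
            verdicts.append("accept")    # accept dst-limit=1/1m,0,src-address/1m40s dst-port=587
        elif with_drop:
            verdicts.append("drop")      # explicit final action=drop
        else:
            verdicts.append("passed")    # no drop rule: unmatched packets fall through
    return verdicts

# Constructed input: the thread's four timestamps (seconds since midnight), one camera address.
T = [14 * 3600 + 39 * 60 + s for s in (1, 17, 35, 56)]
FOUR_CONNECTIONS = [(t, "192.0.2.10", "new") for t in T]                  # one SMTP session per mail
ONE_CONNECTION = [(T[0], "192.0.2.10", "new")] + [(t, "192.0.2.10", "est") for t in T[1:]]  # reused session

if __name__ == "__main__":
    print("4 sessions, no drop rule:  ", run(FOUR_CONNECTIONS, with_drop=False))
    print("4 sessions, with drop rule:", run(FOUR_CONNECTIONS, with_drop=True))
    print("1 reused session, drop:    ", run(ONE_CONNECTION, with_drop=True))
```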

I have a drop-by-default behaviour; I create rules to allow traffic.

I have now switched to 1 rule per camera and allow one packet per minute instead of one connection.

So far this seems to be working, which means you might be right that a connection was kept open and it might be sending multiple emails per connection.

I don't think the camera buffers the emails, since the ones being blocked are not received.