Please help.I need example rule for example if src-add sends tcp-syn packet more X packet/sec for X sec or if src X packet/sec reach add to source list.Thanks for future help.
****A single rule is not enough because the
dst-limit
matcher matches on packets which are below the packet-per-unit-of-time limit. So you have to create a custom chain (acting as a subroutine) which will return immediately for packets which do not exceed the packets-per-unit-of-time limit for a given source and destination and store the source address of those exceeding it to the address list before returning to the original chain. In the example, the custom chain itself does not care about the particular destination address and/or port, so it depends on you whether you shall add a
dst-port
list to the last rule, which should be placed where you’ve intended to place your single rule to the
forward
or
input
chain (using the
place-before
parameter). The dst-limit matcher measures the packet rates separately for packets characterized by a combination of properties, see the manual for details and available property sets.
/ip firewall filter
add chain=limiter action=return dst-limit=10/5s,10,src-and-dst-addresses
add chain=limiter action=add-src-to-address-list address-list=syn-rate-exceeded
add chain=limiter action=return
add chain=forward action=jump jump-target=limiter protocol=tcp tcp-flags=syn in-interface=ether1 [dst-port=22,443 place-before=3]
Thnx I will try.