[Help] How can I limit each user's connection number?

I want to limit each user's connections, let's say 6 connections for each user?

/ip firewall filter add chain=forward protocol=tcp connection-limit=6,32 action=drop

Thanks for the quick response.
What is the normal number of connections?
Because some clients of mine have a new virus that makes too many connections.
So my question is: when can I say this number is too much, this user may be infected, or running a torrent?

I mean I'll have two cases:
normal or too much.

If torrents are used there may be hundreds of connections.
Some websites use multiple connections too. You can set 100 connections per user to be on the safe side.

Thanks again, that was helpful enough.

Hi mrz,
how can I know the number of connections used by all users, please?

In place of /32 you set another mask; for example, if your network is 192.168.0.0/24, you can set /24 and all users will be limited to a certain number of connections.

So with a /24 does that limit each IP to 100 connections or the entire subnet to 100 connections?

Entire subnet.

It's worth noting that the connection limit will apply to up and down traffic (the subnet mask applies to the src address) if src and dst are not specified.

EDIT: Plus it can be unreliable as it counts unreplied connections in the total…

If you see a connection in connection tracking it is counted in and limited. IMO, very reliable.

I was merely saying that counting unreplied connections can lead to trouble, namely DoS.

You either worry about DoS and configure accordingly or don't. For DoS we have action=tarpit and various other methods. We can do SYN filtering etc., limit incoming connections, not just outgoing, etc.

Hi

In my situation I get around 20 unreplied connections per hour and I'm not being attacked. I ended up increasing the limit to accommodate unreplied connections and run a script every hour that removes unreplied connections older than 1 hour. If there was a way to only count assured connections it would help, I think.

thank you.

Unreplied? You mean 'syn sent'? Their default timeout is 5 seconds, you shouldn't worry about it =)

EDIT: I did some googling and this might be a bug in conntrack. Does ROS use the 2.4 Linux kernel?

Like this:
Unreplied.png

ROS uses the 2.6 kernel…

Anyway, MT, any comments about what 'reply' is? =)

So is there a way to effectively limit each IP address to, say, 100 TCP connections without a separate rule for EVERY individual IP address?

If you don't have the Unreplied connection issue as I have, then this will do:

/ip firewall filter add action=drop chain=forward comment="" connection-limit=100,32 disabled=no dst-address-list=TO protocol=tcp src-address-list=FROM

where FROM is the subnet(s) of users you want to limit.
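To answer the earlier question of how to see how many connections each user actually holds, and to show how much the "Unreplied" entries inflate that figure, here is a small added Python script that is not part of this thread or of RouterOS. It parses a constructed, simplified listing in the style of /ip firewall connection print (one line per tracked connection: index, flag letters, then key=value fields; the exact column layout and the "S = seen reply" flag meaning are assumptions here) and reports, per source IP, the total TCP connections and how many of them are still unreplied, flagging any IP over a chosen threshold so an operator can decide whether it looks like normal browsing or a torrent/infection before tuning connection-limit.

```python
from collections import defaultdict

# Constructed sample, not a real capture. Flags column is assumed to use
# RouterOS-style letters (S = seen reply, A = assured, C = confirmed); a
# connection without S is what Winbox shows as "Unreplied".
SAMPLE = """\
 0 SAC protocol=tcp src-address=192.168.0.10:51234 dst-address=203.0.113.5:443
 1 SAC protocol=tcp src-address=192.168.0.10:51235 dst-address=203.0.113.5:443
 2     protocol=tcp src-address=192.168.0.10:51236 dst-address=203.0.113.9:6881
 3     protocol=tcp src-address=192.168.0.10:51237 dst-address=203.0.113.10:6881
 4     protocol=tcp src-address=192.168.0.10:51238 dst-address=203.0.113.11:6881
 5 SAC protocol=tcp src-address=192.168.0.20:40001 dst-address=203.0.113.5:80
 6 SAC protocol=udp src-address=192.168.0.20:5353 dst-address=203.0.113.53:53
"""


def parse_connections(text):
    """Turn each listing line into a dict of its key=value fields plus 'flags'."""
    conns = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # skip headers or blank lines
        flags, fields = "", {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                fields[key] = value
            else:
                flags += tok  # bare tokens before the fields are flag letters
        fields["flags"] = flags
        conns.append(fields)
    return conns


def src_ip(conn):
    """Strip the source port; connection-limit with mask 32 groups by IP only."""
    return conn["src-address"].rsplit(":", 1)[0]


def count_per_source(conns, protocol="tcp"):
    """Return (total, unreplied) dicts keyed by source IP for one protocol."""
    total, unreplied = defaultdict(int), defaultdict(int)
    for conn in conns:
        if conn.get("protocol") != protocol:
            continue
        ip = src_ip(conn)
        total[ip] += 1
        if "S" not in conn["flags"]:  # no reply seen yet -> counted but unreplied
            unreplied[ip] += 1
    return dict(total), dict(unreplied)


def summarize(text, limit, protocol="tcp"):
    """Map each source IP that exceeds `limit` to (total, unreplied)."""
    total, unreplied = count_per_source(parse_connections(text), protocol)
    return {ip: (n, unreplied.get(ip, 0)) for ip, n in total.items() if n > limit}


if __name__ == "__main__":
    for ip, (n, unr) in summarize(SAMPLE, limit=3).items():
        print(f"{ip}: {n} tcp connections, {unr} unreplied")
```

Run against the constructed sample, 192.168.0.10 is reported with 5 TCP connections of which 3 are unreplied, while 192.168.0.20 stays under the threshold; the same per-IP counts are what a connection-limit=N,32 rule is comparing against. To use it on a router, feed it the real listing (for example captured over SSH) and raise the threshold to the 100 suggested above.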

Apparently ROS maintains a counter for each group defined by the mask (32-bit = individual IP)…

Regarding the "Unreplied" question and the picture: we have our own connection timeout calculation formula for the best performance; it's optimized for the best usage of resources in different ways, so there is no problem or bug anywhere.