I created a raw firewall rule to try to capture IPs on our network that are receiving a high rate of packets.
I use dst-limit with a rate of 10000/sec, 0 burst, limit by dst address and expire 60s.
The result of this seems to be that every IP gets logged once my rate goes below some threshold.
So at 10000/sec the high-pps-ips address list just starts filling up with all our active IPs, it seems.
At 10200/sec nothing gets inserted into the list.
I’m wondering if I’m missing something or if this is just not working like it should be. Using 6.44.6 btw.
Anyone have any ideas or have something similar working on their firewall?
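The behaviour described above is consistent with how the RouterOS `dst-limit` matcher works: it matches packets while a destination is still within the configured rate, not once it exceeds it. Below is an added example (not the poster's configuration) of a raw-table layout that records only destinations that have gone over the rate; the interface name `ether1-wan` and the `address-list-timeout` value are assumptions, while the rate, burst, expire and list name come from the post.

```routeros
# Added example, not the original poster's rules.
# Assumes a WAN interface named "ether1-wan" (placeholder).
/ip firewall raw

# Send inbound traffic through a dedicated chain so the rate test does not
# interfere with the rest of the raw table.
add chain=prerouting in-interface=ether1-wan action=jump jump-target=pps-check \
    comment="per-destination packet rate check"

# dst-limit matches packets while a destination is still within 10000 pkt/s
# (burst 0, one counter per dst-address, counter expires after 1m of inactivity).
# In-limit packets are returned to the caller and nothing is recorded for them.
add chain=pps-check dst-limit=10000/1s,0,dst-address/1m action=return \
    comment="within rate: nothing to record"

# Only packets that went over the rate fall through to this rule, so only the
# hot destinations end up on the list. The 1h list timeout is an assumed value.
add chain=pps-check action=add-dst-to-address-list address-list=high-pps-ips \
    address-list-timeout=1h comment="exceeded 10000 pkt/s"

# Hand the packet back to prerouting; detection only, no drop here.
add chain=pps-check action=return
```

Inspect results with `/ip firewall address-list print where list=high-pps-ips`; the second rule's counters should only move for destinations that actually exceeded the rate.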