limit connection count on a PER IP basis

hi!

Is it possible to limit the TCP connection count (or SYN packet count) on a per-source-IP basis without creating rules for each IP address?

I think that if I create a global limit (on a per-block basis), then one host (with a virus or something else that sends many SYN packets) can send most of its packets (within the limit, of course) and the other PCs can't (when trying to web-browse or do something harmless)..

Yes:
/ip firewall filter add action=drop connection-limit=5,32 protocol=tcp tcp-flags=syn chain=forward
This rule limits to 6 connections for each user.

Out of interest what version is this rule for?

Also what is the 5,32 ?

Thanks

The syntax is for version 2.9 (2.9.6).
5 is the number of allowed connections, 32 is the netmask, which sets the limit for each user in the network.

ConnectionLimit ::= [!]Limit,Netmask
Netmask ::= IpNetmask | Num
IpNetmask ::= A.B.C.D
Num ::= 0..32 (integer number)
Limit ::= 0..4294967295 (integer number)
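As an added illustration (my own Python, not a RouterOS command and not from the original post), here is a small model of what the ConnectionLimit grammar above describes: connections are grouped by source address under the netmask, and the rule matches once a group's count reaches the limit. It goes beyond the 5,32 case in the thread: netmask 0 gives the single global limit the original poster worried about (one noisy host starves everyone else), and a dotted-decimal mask such as 255.255.255.0 is parsed the same way as 24. The off-by-one assumed here (limit 5 lets 5 connections through and matches the 6th) is an assumption; the replies in this thread disagree on the exact number, so check it on your own router. The SYN stream is constructed sample data.

```python
import ipaddress
from collections import Counter

# ConnectionLimit ::= [!]Limit,Netmask
# Netmask         ::= A.B.C.D | 0..32


def parse_connection_limit(spec):
    """Parse '[!]Limit,Netmask' into (negate, limit, prefixlen).

    Accepts a numeric prefix length or a dotted-decimal netmask.
    """
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    limit_str, mask_str = spec.split(",", 1)
    limit = int(limit_str)
    if not 0 <= limit <= 4294967295:
        raise ValueError("limit out of range")
    if "." in mask_str:
        # Dotted-decimal mask, e.g. 255.255.255.0 -> 24 (non-contiguous masks raise).
        prefixlen = ipaddress.IPv4Network(("0.0.0.0", mask_str)).prefixlen
    else:
        prefixlen = int(mask_str)
        if not 0 <= prefixlen <= 32:
            raise ValueError("netmask out of range")
    return negate, limit, prefixlen


def group_key(src_ip, prefixlen):
    """The address block src_ip falls into under the netmask (32 = the host itself)."""
    return ipaddress.ip_network(f"{src_ip}/{prefixlen}", strict=False)


def simulate(spec, syn_sources):
    """Feed SYNs through 'drop if connection-limit=spec matches'.

    syn_sources: an ordered list of source addresses, one per SYN.
    Assumption (not verified against a specific RouterOS version): the
    matcher counts tracked connections in the same block and matches once
    that count has reached the limit, so the (limit+1)th SYN is dropped.
    Returns (accepted, dropped) as Counters keyed by source address.
    """
    negate, limit, prefixlen = parse_connection_limit(spec)
    table = Counter()  # block -> accepted (tracked) connections
    accepted, dropped = Counter(), Counter()
    for src in syn_sources:
        block = group_key(src, prefixlen)
        matched = table[block] >= limit
        if negate:
            matched = not matched
        if matched:
            dropped[src] += 1
        else:
            accepted[src] += 1
            table[block] += 1
    return accepted, dropped


# Constructed sample: an infected host fires 20 SYNs first, then two
# innocent hosts on the same LAN open 3 connections each.
SAMPLE_SYNS = ["192.168.1.50"] * 20 + ["192.168.1.10"] * 3 + ["192.168.1.11"] * 3


if __name__ == "__main__":
    for spec in ("5,32", "5,0", "5,255.255.255.0"):
        acc, drp = simulate(spec, SAMPLE_SYNS)
        print(spec, "accepted:", dict(acc), "dropped:", dict(drp))
```

With 5,32 the infected host is capped at 5 and the innocent hosts are untouched; with 5,0 (or 5,24 for hosts on one /24) the infected host uses up the shared budget first and every later SYN from the other hosts is dropped, which is exactly the starvation the per-block limit causes.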

I tried that rule on 2.8 and it won’t accept it. Do you know of a way to do a connection limit per client IP on 2.8?

/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=5 action=drop

So do you think for sure with that rule that it would only limit per client address on 2.8? I can’t tell if it’s doing it per client or 1 rule for all?

The rule limits to 4 connections per user.
Note that P2P traffic may create many more individual connections.

Thanks my man.

Is there a way to limit the bandwidth of these connections?

/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=5 action=drop

Here are 5 undropped connections, and I want to set up a bandwidth limit for these 5 undropped connections, i.e. 64000 bytes.

Add a simple queue with target-address and the requested limit.

Sorry, but I couldn't do it right…

I don't want to limit the servers' bandwidth.

I have a class C IP range for my servers: 123.123.123.0/24

The interface names are local and remote…

Internet users are connecting to my servers from different unknown IP addresses. I want to limit the bandwidth of these unknown IPs.

Nobody should access faster than 256 kbps.