Packet limits in firewalls

Hi, I am a bit confused with the following concepts and hope someone could clarify this for me.

According to the wiki at: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties
The “limit” function “Matches packets if given pps limit is exceeded.”
I suppose this means that the rule will ignore packets that are under the limit.

However, according to various other examples in the wiki, people use this limit rule to allow a certain flow of packets to be accepted and add another rule which drops all remaining packets.
An example can be found here: http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router in the ICMP chain section
Also here: http://wiki.mikrotik.com/wiki/DoS_attack_protection in the SYN filtering section

Taking a section from the second example:

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no

The first rule jumps to the SYN-Protect chain, which makes sense to me, but the second rule “accepts” connections with a limit of 400,5, which really confuses me. From my understanding, the rule accepts packets that exceed this limit. Then the third rule drops all remaining packets. Therefore wouldn’t the end result be that all packets under the limit 400,5 are dropped? Isn’t this the opposite of what we wanted?

Could someone comment on this?

The documentation is off. ‘limit’ matches for packets under the rate limit. See below for a demo:

[admin@MikroTik] /ip firewall filter> pri where chain=input
Flags: X - disabled, I - invalid, D - dynamic
[...]
 5   chain=input action=accept protocol=icmp limit=20,20
 7   chain=input action=drop
[...]

Four pings to it (IP obfuscated):

[user@test ~]# ping -c 4 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=2.16 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=1.75 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=60 time=2.20 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=60 time=2.17 ms
--- 1.1.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 1.756/2.075/2.208/0.190 ms

Look at stats - the four ICMP packets matched the rule with ‘limit’:

[admin@MikroTik] /ip firewall filter> pri stats
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN              ACTION                  BYTES           PACKETS
[...]
 5   input              accept                  336             4
 7   input              drop                    105             1
[...]
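To show what the corrected reading of ‘limit’ means for the SYN-Protect chain quoted above, here is an added Python model (not code from the thread or from RouterOS): it assumes `limit=rate,burst` behaves like a token bucket (rate tokens per second, up to burst stored), matches while a token is available, and runs constructed SYN arrival times through the accept-then-drop chain.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatcher:
    """Model of a firewall `limit=rate,burst` matcher.

    Assumption (not stated in the thread): it is a token bucket. Tokens refill
    at rate_pps per second up to `burst`; a packet matches only if a token is
    available, so packets UNDER the rate match and the excess does not.
    """
    rate_pps: float
    burst: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full

    def matches(self, t: float) -> bool:
        # refill for the elapsed time, capped at the burst size
        self.tokens = min(float(self.burst), self.tokens + (t - self.last_t) * self.rate_pps)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_protect_chain(arrival_times, rate_pps=400, burst=5):
    """Walk the two SYN-Protect rules from the thread over SYN arrival times (seconds).

    Rule 1: limit=rate,burst  -> accept (matches while under the limit)
    Rule 2: everything else   -> drop
    Returns one verdict string per packet, in arrival order.
    """
    limit = LimitMatcher(rate_pps, burst)
    return ["accept" if limit.matches(t) else "drop" for t in sorted(arrival_times)]


def count_verdicts(verdicts):
    """Summarise a verdict list the way `print stats` would: packets per rule."""
    return {"accept": verdicts.count("accept"), "drop": verdicts.count("drop")}


# Constructed sample 1: four ICMP echoes one second apart against limit=20,20, like the demo.
PING_TIMES = [0.0, 1.0, 2.0, 3.0]
# Constructed sample 2: 20 SYNs arriving in the same instant (a flood) against limit=400,5.
FLOOD_TIMES = [0.0] * 20

if __name__ == "__main__":
    print(count_verdicts(syn_protect_chain(PING_TIMES, rate_pps=20, burst=20)))   # all 4 accepted
    print(count_verdicts(syn_protect_chain(FLOOD_TIMES)))                         # burst of 5 accepted, 15 dropped
```

Only the burst passes during a flood; once the bucket refills (one second later at 400 pps it is full again) normal SYNs are accepted, which is the behaviour the accept-then-drop pair is meant to give.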

Sorry about that, we corrected the manual.

Thanks for clearing things up.

However, I suppose the “dst-limit” needs to be corrected as well?
How about the connection-limit?
Currently it says it “Restrict connection limit per address or address block”. Would there be a difference if the packets are set to be dropped vs accepted?