ch3mik1
just joined
Topic Author
Posts: 3
Joined: Tue Dec 07, 2010 10:27 am

traffic blocking rules

Sun Nov 27, 2022 5:48 pm

Hello, I want to make a firewall rule (or set of rules) which will work as follows:
accepts 1 packet/sec from src address to one specific dst address
but if src address sends a packet to another dst address, the rules let pass only 1 packet/min

Is it possible?

Thank you
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: traffic blocking rules

Sun Nov 27, 2022 8:28 pm

Yes. Look at limit and dst-limit matchers. It is not clear from your OP whether you have in mind a single source address or whether you want to apply the limits to each of many source addresses individually; if the latter, you need dst-limit, which maintains separate counters per each "target" (and occupies a corresponding amount of memory).

The rules have to be placed to an appropriate position in the firewall in order to do what you want; it is also important whether you want to limit the number of new connections or indeed the number of packets per unit of time even within already established connections. If the latter, you can place the rules before connection tracking, i.e. to table raw:

/ip firewall raw
add chain=prerouting dst-address=d.d.d.d dst-limit=1,1,src-address action=accept
add chain=prerouting dst-address=d.d.d.d action=drop
add chain=prerouting dst-limit=1/1m,1,src-address action=accept
add chain=prerouting action=drop

BEWARE - this is a simplified example, so if you use it verbatim, it will filter also access to the router itself, and 1 packet per minute will definitely lock you out!

If you actually want to limit the number of new connections established per unit of time, you have to place the rules to the filter table, where the connection-state labels assigned by the connection tracking module are already available, and use them to handle the initial packets of connections.
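The difference between limit and dst-limit described in the reply above, as an added example that is not part of the original post and is not RouterOS code: a simplified Python model of the four raw rules, evaluated first-match, with either one shared counter or one counter per source address. The token-bucket behaviour, the addresses and the packet list are assumptions constructed for illustration.

```python
SPECIAL = "192.0.2.10"            # stands in for d.d.d.d (constructed)
OTHER = "198.51.100.7"            # any other destination (constructed)
A, B = "10.0.0.1", "10.0.0.2"     # two source addresses (constructed)

class RateMatcher:
    """Token bucket per key. A constant key models `limit` (one shared
    counter); keying on the source models dst-limit mode src-address."""
    def __init__(self, interval, burst, key_fn):
        self.interval, self.burst, self.key_fn = interval, burst, key_fn
        self.state = {}           # key -> (tokens, time of last update)

    def matches(self, pkt, now):
        key = self.key_fn(pkt)
        tokens, last = self.state.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) / self.interval)
        ok = tokens >= 1.0
        self.state[key] = (tokens - 1.0 if ok else tokens, now)
        return ok

def build_rules(per_source=True):
    key = (lambda p: p["src"]) if per_source else (lambda p: "all")
    fast = RateMatcher(1.0, 1, key)     # 1 packet per second, burst 1
    slow = RateMatcher(60.0, 1, key)    # 1 packet per minute, burst 1
    return [                            # same order as the raw rules above
        (lambda p, t: p["dst"] == SPECIAL and fast.matches(p, t), "accept"),
        (lambda p, t: p["dst"] == SPECIAL, "drop"),
        (lambda p, t: slow.matches(p, t), "accept"),
        (lambda p, t: True, "drop"),
    ]

def run(rules, packets):
    """Return the action of the first matching rule for each packet."""
    out = []
    for t, src, dst in packets:
        pkt = {"src": src, "dst": dst}
        out.append(next(act for match, act in rules if match(pkt, t)))
    return out

# (time in seconds, source, destination), constructed sample traffic
PACKETS = [
    (0.0, A, SPECIAL), (0.5, A, SPECIAL), (0.5, B, SPECIAL), (1.0, A, SPECIAL),
    (2.0, A, OTHER), (10.0, A, OTHER), (10.0, B, OTHER), (70.0, A, OTHER),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("per-source" if mode else "shared    ", run(build_rules(mode), PACKETS))
```

With the shared counter, source B is dropped whenever source A has already used the allowance; with per-source counters each address gets its own budget, at the cost of one state entry per address seen.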
