Netgate Discussion Forum

Transparent firewall advanced Option

Firewalling
7 Posts 4 Posters 2.0k Views
    Jonb
    last edited by Mar 20, 2012, 2:39 PM

    Hi, I am trying to limit connections per source IP address on UDP. I have a pass rule limiting 2 connections per 5 sec; the issue is it is passing everything. I am seeing over 50 connections per sec in pass.

    Is this a GUI issue or is it passing?

    Hosted desktops and servers with support without complication.
    www.blueskysystems.co.uk

      marcelloc
      last edited by Mar 20, 2012, 2:46 PM

      Did you apply this rule on the wan interface?

      To limit outbound connections, place the rule on lan/opt.
      To limit inbound, use the wan interface.

      After an ip address reaches the connection limit, it will be included in the virusprot table and will not be able to connect for something between 01 and 02 hours.

      To change this behavior, you may need to install the cron package and reduce the schedule time as well as the expiretable -t value:

      */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

        Jonb
        last edited by Mar 20, 2012, 3:54 PM

        It is inbound I am trying, but nothing is going into the table. Maybe it is not classifying the traffic as connections, but my understanding is that each log in the firewall table is a connection.

          marcelloc
          last edited by Mar 20, 2012, 4:04 PM

          Did you try to put this rule on top?

            Jonb
            last edited by Mar 20, 2012, 5:02 PM

            Yep, top rule but no joy, very strange. I also have one for ICMP as well, and on testing it did stop pinging but no joy.

              inflamer
              last edited by Mar 22, 2012, 4:29 PM

              Did you try clearing the existing states to see if this helps?

              Andreas
                jimp (Rebel Alliance Developer, Netgate)
                last edited by Mar 22, 2012, 8:09 PM

                UDP and ICMP have no concept of "connections" the way TCP does. If a source sends 50 pings to one destination, it's all one "connection". If a UDP client sends 50 packets using the same source and destination ip:ports, it's one connection.

                Make sure that your testing accounts for that and you should have better results. (or try tcp). Other than that, seeing a copy of your /tmp/rules.debug might help see what's going on.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!
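jimp's point about how a stateful firewall keys "connections", as an added model written for this thread (not pfSense or pf code): packets are grouped into state entries by protocol and source/destination ip:port, repeat packets on an existing key create no new state, and a 2-per-5-seconds limit is applied to new states per source IP, so 50 UDP packets from one socket or 50 pings to one host never trip it while 3 packets from fresh source ports do. The addresses and traffic are constructed, and keying ICMP on source and destination only is a simplifying assumption; pf's own rate accounting differs in detail, and its documentation describes max-src-conn-rate in terms of established TCP connections, which is one reason jimp suggests testing with TCP.

```python
from collections import defaultdict

# Constructed sample traffic (not a real capture):
# (timestamp_seconds, proto, src_ip, src_port, dst_ip, dst_port); ports are None for ICMP.
SAMPLE_PACKETS = [
    # Host A: 50 UDP packets from one source socket to one destination socket
    *[(t * 0.1, "udp", "10.0.0.5", 40000, "192.0.2.10", 53) for t in range(50)],
    # Host B: 4 UDP packets, each from a new source port, within 5 seconds
    (0.0, "udp", "10.0.0.6", 50001, "192.0.2.10", 53),
    (1.0, "udp", "10.0.0.6", 50002, "192.0.2.10", 53),
    (2.0, "udp", "10.0.0.6", 50003, "192.0.2.10", 53),
    (3.0, "udp", "10.0.0.6", 50004, "192.0.2.10", 53),
    # Host C: 50 pings to the same destination
    *[(t * 0.1, "icmp", "10.0.0.7", None, "192.0.2.10", None) for t in range(50)],
]


def state_key(pkt):
    """Key a packet the way a stateful firewall keys a state entry."""
    _, proto, sip, sport, dip, dport = pkt
    if proto == "icmp":
        # Assumption: all echo requests from sip to dip share one state.
        return (proto, sip, dip)
    return (proto, sip, sport, dip, dport)


def new_states_by_source(packets):
    """Return {src_ip: [timestamps of new states]}; repeat packets create none."""
    seen = set()
    new = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        key = state_key(pkt)
        if key not in seen:
            seen.add(key)
            new[pkt[2]].append(pkt[0])
    return new


def overloaded_sources(packets, max_conn=2, seconds=5):
    """Sources whose new-state rate exceeds max_conn per `seconds` (sliding window)."""
    over = set()
    for src, times in new_states_by_source(packets).items():
        window = []
        for t in times:
            window = [w for w in window if t - w < seconds] + [t]
            if len(window) > max_conn:
                over.add(src)  # would be added to the overload table
    return over


if __name__ == "__main__":
    for src, times in sorted(new_states_by_source(SAMPLE_PACKETS).items()):
        print(f"{src}: {len(times)} new state(s)")
    print("over limit:", sorted(overloaded_sources(SAMPLE_PACKETS)))
```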
