    Connection Rate Limit

    Firewalling
    7 Posts 2 Posters 4.0k Views
      biggsy

      Hi all,

      I'm trying to limit the maximum connection rate to a web server by entering under Firewall/Rules/Edit:

      Max. src. conn. Rate = 10 (per)
      Max. src. conn. Rates = 60 (seconds)

      Seems to have no effect.  Is something else required to make this work?

        biggsy

        Just bumping this because I can't figure out why it doesn't work.

        Does anyone use this feature?  Is it broken?

          jimp (Netgate developer)

          Without seeing the full set of rules and the full settings on that rule it's hard to say what might have happened here.

          That limit would only set a new state count of 10 per 60 seconds on connections from the same host.

          So if you have 50 clients connecting they could each make 10 connections per minute (so 500 total). Depending on how you are testing that could be why it appears to not work as you expect.

          Also if you're testing in a browser, often times they don't close connections so if you are just refreshing the page that may only be 1-2 connections the whole time.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            biggsy
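The per-source behaviour described in the reply above (each source address gets its own 10-per-60-seconds budget, and a source that exceeds it lands in the overload table) can be modelled in a few lines. This is an added illustration, not pf's implementation and not code from this thread; it assumes a simplified fixed-window counter per source and uses constructed documentation addresses (198.51.100.x, 203.0.113.9, 192.0.2.10).

```python
from collections import defaultdict


class SourceRateLimiter:
    """Simplified model of pf's per-source max-src-conn-rate (number/seconds).

    Constructed for illustration; it is not pf's code. Each source address has
    its own counter that is reset when its window expires. A source that opens
    more than `limit` new connections inside one window is placed in the
    overload table (pf's <virusprot>) and every later connection from it is
    blocked, which is what the 'block drop in quick from <virusprot>' rule does.
    """

    def __init__(self, limit: int, seconds: int):
        self.limit = limit
        self.seconds = seconds
        self._count = defaultdict(int)
        self._window_start = {}
        self.overloaded = set()

    def new_connection(self, src: str, now: float) -> bool:
        """Return True if a new TCP connection (SYN) from `src` at time `now` passes."""
        if src in self.overloaded:
            return False
        start = self._window_start.get(src)
        if start is None or now - start >= self.seconds:
            self._window_start[src] = now
            self._count[src] = 0
        self._count[src] += 1
        if self._count[src] > self.limit:
            self.overloaded.add(src)
            return False
        return True


def many_clients(clients=50, per_client=10, limit=10, seconds=60):
    """Scenario from the reply: 50 sources each opening 10 connections in one minute.

    Returns (connections passed, sources overloaded). The limit is per source,
    so all 500 pass and nobody is overloaded.
    """
    lim = SourceRateLimiter(limit, seconds)
    passed = 0
    for i in range(clients):
        src = f"198.51.100.{i + 1}"  # constructed client addresses
        for k in range(per_client):
            if lim.new_connection(src, now=k):
                passed += 1
    return passed, len(lim.overloaded)


def brute_forcer(rate_per_second=3, duration=60, limit=10, seconds=60):
    """One source hammering at 3 new connections per second for a minute.

    Returns (passed, blocked, overloaded). Only the first 10 SYNs pass; the
    11th trips the limit and the remaining 170 are dropped.
    """
    lim = SourceRateLimiter(limit, seconds)
    src = "203.0.113.9"  # constructed attacker address
    passed = blocked = 0
    for n in range(rate_per_second * duration):
        if lim.new_connection(src, now=n / rate_per_second):
            passed += 1
        else:
            blocked += 1
    return passed, blocked, src in lim.overloaded


def browser_refreshes(refreshes=30, keepalive_conns=2, limit=10, seconds=60):
    """A browser refreshing a page 30 times over a pool of 2 keep-alive connections.

    Returns the number of new states the firewall actually sees: only the
    connections in the pool, not one per refresh.
    """
    lim = SourceRateLimiter(limit, seconds)
    new_states = 0
    open_conns = 0
    for r in range(refreshes):
        # Once the pool is full, every further request reuses an open connection.
        if open_conns < keepalive_conns:
            open_conns += 1
            if lim.new_connection("192.0.2.10", now=r):
                new_states += 1
    return new_states


if __name__ == "__main__":
    print("50 clients x 10/min:", many_clients())
    print("brute-forcer at 3/s:", brute_forcer())
    print("browser refreshes, new states:", browser_refreshes())
```

The three scenarios show why a test method matters: aggregate load from many sources is not limited at all, a single noisy source is cut off after its tenth new connection, and a refreshing browser may never register more than a couple of new states.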

            I've only been testing by watching logs of brute-forcers try to get to my server.  In some cases they're hitting it at 2 or 3 per second for extended periods (BF.txt shows only one minute).

            There is one NAT rule with a corresponding firewall rule where I set limits

            Max.src. conn. Rate = 10 (per)
            Max.src. conn. Rates = 60 (seconds)

            Those are the only two changes to the automatically-generated rule.

            Attachments: 2017-06-07_07-21-19.jpg, 2017-06-07_07-23-03.jpg, BF.txt

              jimp (Netgate developer)

              And you're certain the traffic is hitting that rule? What does the rule hit counter show in the firewall rule list?

                biggsy

                Thanks for looking at this jimp.

                Definitely being hit.  (Uptime is a little over a week)

                Here's a screenshot:

                Attachment: 2017-06-08_08-17-49.jpg

                  biggsy

                  Output from pfctl -s rules and pfctl -s NAT

                  block drop in quick from <virusprot> to any label "virusprot overload table"

                  pass in log quick on em1 reply-to (em1 124.190.64.1) inet proto tcp from any to 192.168.11.3 port = http flags S/SA keep state (source-track rule, max-src-states 10, max-src-conn 10, max-src-conn-rate 5/60, overload <virusprot> flush global, tcp.established 3600, src.track 60) label "USER_RULE: NAT HTTP to WebServer"

                  rdr on em1 inet proto tcp from any to [removed public IP] port = http -> 192.168.11.3

                  Anything strange in there?

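Reading the loaded ruleset back with pfctl, as done in the post above, is the right way to check what pf is actually enforcing rather than what the GUI form shows. The small parser below is an added example, not part of this thread or of pfSense; it pulls the options out of the `keep state ( ... )` block of a `pfctl -s rules` line, compares the effective `max-src-conn-rate` with the number/seconds pair entered on the rule, and checks that a block rule for the overload table exists (without it, overloaded sources are tracked but not dropped). The sample lines are constructed to mirror the thread's output, with the gateway address replaced by a documentation address.

```python
import re

# Constructed sample modelled on the pfctl -s rules output in the thread.
SAMPLE_RULES = [
    'block drop in quick from <virusprot> to any label "virusprot overload table"',
    'pass in log quick on em1 reply-to (em1 198.51.100.1) inet proto tcp '
    'from any to 192.168.11.3 port = http flags S/SA keep state '
    '(source-track rule, max-src-states 10, max-src-conn 10, '
    'max-src-conn-rate 5/60, overload <virusprot> flush global, '
    'tcp.established 3600, src.track 60) label "USER_RULE: NAT HTTP to WebServer"',
]


def parse_state_options(rule: str) -> dict:
    """Return the options inside 'keep state ( ... )' of one pfctl -s rules line.

    Numeric values become int, 'max-src-conn-rate number/seconds' becomes a
    (number, seconds) tuple, everything else stays a string. The reply-to
    parenthesis earlier in the line is ignored because the regex anchors on
    the literal 'keep state ('.
    """
    m = re.search(r"keep state \(([^)]*)\)", rule)
    if not m:
        return {}
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        if key == "max-src-conn-rate":
            number, seconds = value.split("/")
            opts[key] = (int(number), int(seconds))
        elif value.isdigit():
            opts[key] = int(value)
        else:
            opts[key] = value
    return opts


def rate_matches(rule: str, number: int, seconds: int) -> bool:
    """True if the rule enforces exactly `number` new connections per `seconds`."""
    return parse_state_options(rule).get("max-src-conn-rate") == (number, seconds)


def has_overload_block(rules: list, table: str = "virusprot") -> bool:
    """True if some rule blocks traffic from the overload table <table>."""
    pat = re.compile(rf"^block\b.*\bfrom <{re.escape(table)}> to any")
    return any(pat.search(r) for r in rules)


def find_rule(rules: list, label: str) -> str:
    """Return the first rule carrying the given label text, or '' if none."""
    for r in rules:
        if f'label "{label}"' in r:
            return r
    return ""


if __name__ == "__main__":
    rule = find_rule(SAMPLE_RULES, "USER_RULE: NAT HTTP to WebServer")
    print(parse_state_options(rule))
    print("matches 10/60:", rate_matches(rule, 10, 60))
    print("overload block present:", has_overload_block(SAMPLE_RULES))
```

Run against real output with `pfctl -s rules | python3 check.py` style piping (reading `sys.stdin` instead of SAMPLE_RULES), the `rate_matches` result tells you immediately whether the GUI values made it into the loaded ruleset, and `has_overload_block` confirms that tripping the limit actually results in dropped packets.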