Rate limiting via virusprot takes actions too early



  • Hi all,

    I have a rule, where I check number of connections from one IP coming to http(s), set to these limits:
    150 total connections in the state table
    120 new connections in 30 seconds.

    The rule in console output looks like this:

    pass in log quick on lagg0_vlan5 reply-to (lagg0_vlan5 ip.ad.dr.es) inet proto tcp from ! <grp_hosts_wl> to <grp_fw> port = https flags S/SA keep state (source-track rule, max-src-conn 150, max-src-conn-rate 120/30, overload <virusprot> flush global, src.track 30) label "ratelimit"</virusprot></grp_fw></grp_hosts_wl>
    

    The problem is, sometimes there are customers, who are blocked after having like 30 connections in like 10 minutes, which obviously didn't hit this rule at all.
    I have no other rule for rate limiting.

    I was checking if they have reached a total states limit and not at all as well.

    Seems like a bug to me.

    How can I verify, why they are blocked? In the logs I can only see the connections, but not the reason, like "blocked because this and that limit reached".

    Thanks,
    Gabriel



  • Anyone any ideas?