limiting number of connections per IP


This topic contains 7 replies, has 0 voices, and was last updated by  smartcall 7 years, 1 month ago.

Viewing 9 posts - 1 through 9 (of 9 total)
    #41268

    smartcall
    Member

    Hello,

    I recently found your software and successfully installed it on an ALIX board. I implemented what you describe here: http://www.zeroshell.net/eng/qos/
    I did nothing more than the above and plugged the bridge in between my Internet connection and my servers.

    What I would like to implement is limiting the number of connections per IP to certain ports, for example port 80, so that when a person with Internet Explorer holds down the F5 key he cannot flood the web server with requests.
    I tried to do this by adding a QoS rule for destination port 80 and entering a limit of 10 per second. This had no effect.
    I also tried to make a similar firewall rule, again with no effect.

    Can anybody assist? I use Zeroshell 1.0.beta10.

    #47092

    imported_fulvio
    Participant

    Could you post the rules you added in the QoS classifier?

    #47093

    smartcall
    Member

    Thanks for your reply!

    These are the rules:

    1 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:25 MARK set 0xd BULK
    2 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto sip MARK set 0xb VOIP
    3 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto h323 MARK set 0xb VOIP
    4 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto rtp MARK set 0xb VOIP
    5 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto rtsp MARK set 0xb VOIP
    6 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto ftp MARK set 0xd BULK
    7 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp spt:22 MARK set 0xc SHELL
    8 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:22 MARK set 0xc SHELL
    9 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 MARK set 0xd BULK
    10 * * MARK udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:5060 MARK set 0xb VOIP
    11 * * MARK udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:10000:20000 MARK set 0xb VOIP
    12 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ipp2p v0.8.2-pomng --kazaa --gnu --edk --dc --bit MARK set 0xf

    Now, there is a similar rule for port 80 in the above, but when I change it to have the limit, I can't see it in the rule.
    I also tried to add a similar rule to the firewall for destination port 80 from ETH00 with a limit of 10 per second and a burst of 5.

    Both with no effect.

    #47094

    imported_fulvio
    Participant

    You should use the field “Parallel connections per IP” (Firewall and QoS Classifier) to limit the number of parallel connections. This is useful to avoid DoS attacks.

    Regards
    Fulvio

    #47095

    smartcall
    Member

    @fulvio wrote:

    You should use the field “Parallel connections per IP” (Firewall and Qos Classifier) to limit the number of parallel connections.

    Thanks for the tip, but I can’t find that anywhere in the classifier. Maybe my version ‘Release 1.0.beta10’ does not have it?

    Regards,
    Apostol

    #47096

    micampo
    Member

    Hello friends
    How is the “parallel connections” limitation done? Does anyone have an example?
    thanks

    #47099

    micampo
    Member

    Hello friends
    How is the “parallel connections” limitation done? Does anybody have an example?

    I have only NAT.

    thanks
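As an added example that is not part of this thread and not Zeroshell's own code: the rule listing posted above is iptables output, so the “Parallel connections per IP” field that Fulvio points to, and the per-source rate limit the original post was after, can be expressed as plain iptables rules. The script below emits (and, with APPLY=1 as root, installs) two FORWARD rules for TCP/80, which is where traffic crossing a bridge or a NAT router is matched. The interface name ETH00 is taken from the thread; the limits, the rule names and the REJECT/DROP choices are assumptions to tune per site. Note that `-m limit` keeps a single token bucket for the whole rule, so a 10/sec limit on it would throttle every visitor once one client holds F5; `hashlimit` with `--hashlimit-mode srcip` keeps one bucket per source address, and `connlimit` counts simultaneous connections per source, which is what a “parallel connections per IP” limit means.

```shell
#!/bin/sh
# Added example, not from the thread or from Zeroshell: raw iptables
# equivalents of a per-IP parallel-connection limit and a per-IP
# new-connection rate limit for TCP/80 on a bridging or NAT firewall.
# Without APPLY=1 the script only prints the rules for review.

WAN_IF="${WAN_IF:-ETH00}"              # assumed: Internet-facing interface (name from the thread)
MAX_PARALLEL="${MAX_PARALLEL:-10}"     # assumed: parallel TCP/80 connections allowed per source /32
RATE="${RATE:-10/sec}"                 # assumed: new TCP/80 connections per second per source
BURST="${BURST:-20}"                   # assumed: burst allowed before the per-source rate applies

# Per-IP parallel connection limit. connlimit counts the source's connections
# in the conntrack table; --connlimit-mask 32 means one bucket per IPv4 host.
# Matching only --syn refuses new attempts and leaves existing sessions alone.
http_connlimit_rule() {
    printf '%s\n' "-A FORWARD -i $WAN_IF -p tcp --syn --dport 80 -m connlimit --connlimit-above $MAX_PARALLEL --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
}

# Per-IP rate limit on new connections. hashlimit keeps a separate token
# bucket per source address (srcip), unlike -m limit, which is one bucket
# shared by everything the rule matches.
http_hashlimit_rule() {
    printf '%s\n' "-A FORWARD -i $WAN_IF -p tcp --syn --dport 80 -m hashlimit --hashlimit-name http_syn --hashlimit-mode srcip --hashlimit-above $RATE --hashlimit-burst $BURST -j DROP"
}

all_rules() {
    http_connlimit_rule
    http_hashlimit_rule
}

if [ "${APPLY:-0}" = "1" ]; then
    # Install the rules; must run as root with the connlimit and hashlimit
    # xtables modules available.
    all_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule
    done
else
    all_rules | sed 's/^/iptables /'
fi
```

Insert both rules ahead of whatever rule accepts TCP/80, otherwise they never match. On a bridge, iptables only sees bridged frames when `net.bridge.bridge-nf-call-iptables` is 1 (the `br_netfilter` module); on a NAT router the FORWARD chain sees them unconditionally. Check the counters with `iptables -L FORWARD -v -n` while a single client reloads the page: the connlimit counter rises once that client holds more than MAX_PARALLEL connections open, and the hashlimit counter rises when its SYN rate exceeds RATE after BURST, while other clients are unaffected.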
