Copyright © 2008 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
Shorewall supports several mechanisms for limiting connection rates. These are described in the following sections.
Rates are expressed in terms of a connections per unit
time and a
interval is calculated by dividing the unit of time
by the number of connections allowed in that unit of time
|Connections = 4|
|Unit of time = 1 minute|
|Interval = 1 minute/4 = 15 seconds.|
|Burst = 5|
As each connection arrives,if the burst count is > 0 the burst count is reduced by one and the connection is accepted. After each interval (15 seconds) that passes without a connection arriving, the burst count is incremented by 1 but is not allowed to exceed its initial setting (5).
By default, the aggregate connection rate is limited. If the
specification is preceeded by "
d:", then the rate is limited per SOURCE or per
DESTINATION IP address respectively.
The LIMIT:BURST column in the
/etc/shorewall/policy file applies to TCP
connections that are subject to the policy. The limiting is applied
BEFORE the connection request is passed through the rules generated by
/etc/shorewall/rules. Those connections
in excess of the limit are logged and dropped.
The RATE LIMIT column in the
/etc/shorewall/rules file allows limiting of
ACCEPT, DNAT and Action rules.
The Limit Action is a legacy mechanism that limits connections per source IP. It does not support the notion of a burst size.