Copyright © 2008, 2009 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2016/02/16
Table of Contents
Shorewall supports several mechanisms for limiting connection rates. These are described in the following sections.
Rates are expressed in terms of a connections per unit
time and a burst
. An
interval is calculated by dividing the unit of time
by the number of connections allowed in that unit of time
(connections
/{sec
|min
|hour
|day
|week|month}[:burst
]
Example: 4/min:5
Connections = 4 |
Unit of time = 1 minute |
Interval = 1 minute/4 = 15 seconds. |
Burst = 5 |
As each connection arrives,if the burst count is > 0 the burst count is reduced by one and the connection is accepted. After each interval (15 seconds) that passes without a connection arriving, the burst count is incremented by 1 but is not allowed to exceed its initial setting (5).
By default, the aggregate connection rate is limited. If the
specification is preceded by "s:
" or
"d:
", then the rate is limited per SOURCE or per
DESTINATION IP address respectively.
The LIMIT:BURST column in the
/etc/shorewall/policy
file applies to TCP
connections that are subject to the policy. The limiting is applied
BEFORE the connection request is passed through the rules generated by
entries in /etc/shorewall/rules
. Those connections
in excess of the limit are logged and dropped.
The RATE LIMIT column in the
/etc/shorewall/rules
file allows limiting of
ACCEPT, DNAT and Action rules.
The Limit Action is a legacy mechanism that limits connections per source IP. It does not support the notion of a burst size.