limiting number of connections per IP
November 3, 2008 at 6:51 am #41268
smartcall
Member

Hello,
I recently found your software and successfully installed it on an ALIX board. I implemented what you describe here: http://www.zeroshell.net/eng/qos/
I did nothing more than the above and plugged the bridge in between my internet connection and my servers. What I would like to implement is limiting the number of connections per IP to certain ports. For example to port 80, so that when a person with Internet Explorer holds down the F5 key, he would not be able to flood the webserver with requests.
I tried to do this by adding a QoS rule for destination port 80 and entering a limit of 10 per second. This had no effect.
I also tried to make a similar firewall rule, again with no effect. Can anybody assist? I use Zeroshell 1.0.beta10.
November 3, 2008 at 6:25 pm #47092
imported_fulvio
Participant

Could you post the rules you added in the QoS classifier?
November 3, 2008 at 7:03 pm #47093
smartcall
Member

Thanks for your reply!
These are the rules:
1 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:25 MARK set 0xd BULK
2 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto sip MARK set 0xb VOIP
3 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto h323 MARK set 0xb VOIP
4 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto rtp MARK set 0xb VOIP
5 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto rtsp MARK set 0xb VOIP
6 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 LAYER7 l7proto ftp MARK set 0xd BULK
7 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp spt:22 MARK set 0xc SHELL
8 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:22 MARK set 0xc SHELL
9 * * MARK tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 MARK set 0xd BULK
10 * * MARK udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:5060 MARK set 0xb VOIP
11 * * MARK udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpts:10000:20000 MARK set 0xb VOIP
12 * * MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 ipp2p v0.8.2-pomng --kazaa --gnu --edk --dc --bit MARK set 0xf

Now there is a similar rule for port 80 in the above, but when I change it to have the limit, I can't see it in the rule.
I also tried to add a similar rule to the firewall for destination port 80 from ETH00, with a limit of 10 per second and a burst of 5. Both had no effect.
November 3, 2008 at 7:36 pm #47094
imported_fulvio
Participant

You should use the field "Parallel connections per IP" (Firewall and QoS Classifier) to limit the number of parallel connections. This is useful for avoiding DoS attacks.
Regards
Fulvio

November 4, 2008 at 6:09 am #47095
smartcall
Member

@fulvio wrote:
You should use the field “Parallel connections per IP” (Firewall and Qos Classifier) to limit the number of parallel connections.
Thanks for the tip, but I can't find that anywhere in the classifier. Maybe my version "Release 1.0.beta10" does not have it?
Regards,
Apostol

March 10, 2012 at 11:49 am #47096
micampo
Member

Hello friends,
How would the "parallel limitation" be done? Does someone have an example?
thanks

April 28, 2012 at 6:29 pm #47099
micampo
Member

Hello friends,
How would the "parallel limitation" be done? Does somebody have an example? I HAVE ONLY NAT.
thanks
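Added example, in response to the request for one above. This is not code posted by anyone in the thread and not the rules Zeroshell itself generates; it shows what Fulvio's "Parallel connections per IP" advice corresponds to at the netfilter level, next to the construct the first poster tried, so the difference is visible. The connlimit match counts concurrent connections per source address and drops the excess, whereas the limit match is one token bucket shared by every client, and inside the QoS classifier (mangle table, MARK target, as in the rule dump above) a matched packet is only marked, never dropped. Assumptions not stated in the thread: forwarded traffic traverses the iptables FORWARD chain (a Linux bridge with br_netfilter, or a NAT router; with DNAT, FORWARD already sees the translated destination, so the server's real port is matched), iptables 1.4.11 or newer for the -C check, and the values 80 and 10 taken from the first post. With DRY_RUN=1 (the default) the script only prints the commands.

```shell
#!/bin/sh
# Added example, not Zeroshell's generated rules and not from any poster.
# Per-source connection limit for TCP/80 at the netfilter level, beside the
# global rate limit the first poster tried.
#
# Assumptions (not stated in the thread): forwarded traffic traverses the
# iptables FORWARD chain (Linux bridge with br_netfilter, or a NAT router);
# with DNAT, FORWARD already sees the translated destination, so use the
# server's real port. DRY_RUN=1 (the default) only prints the commands.

# Drop a NEW TCP connection to port $1 when the source IP (/32) already has
# more than $2 tracked connections to it. Existing connections are untouched,
# so one client holding down F5 cannot starve the other clients.
connlimit_rule() {
    port="$1"; max="$2"
    rule="FORWARD -p tcp --syn --dport $port -m connlimit --connlimit-above $max --connlimit-mask 32 -j DROP"
    printf 'iptables -A %s\n' "$rule"
    if [ "${DRY_RUN:-1}" != "1" ]; then
        # -C tests for an identical rule, so re-running the script is idempotent.
        # $rule is deliberately unquoted: it must split into separate arguments.
        iptables -C $rule 2>/dev/null || iptables -A $rule
    fi
}

# The construct the first poster tried, for contrast: -m limit is a single
# token bucket shared by every client (10 SYNs/s in total, burst 5), so it
# cannot single out the flooding host. As a QoS classifier entry it is weaker
# still, because a MARK target only tags packets and never drops them.
global_rate_rule() {
    port="$1"; rate="$2"; burst="$3"
    printf 'iptables -A FORWARD -p tcp --syn --dport %s -m limit --limit %s --limit-burst %s -j ACCEPT\n' \
        "$port" "$rate" "$burst"
}

# Show the per-rule packet counters; the connlimit DROP counter rises only
# while a single source holds more than the limit. Needs root and live iptables.
show_counters() {
    iptables -L FORWARD -v -n | grep -E 'connlimit|limit:'
}

connlimit_rule 80 10
global_rate_rule 80 10/s 5
[ "${DRY_RUN:-1}" = "1" ] || show_counters
```

Run with `DRY_RUN=0` as root to apply the rule; to confirm it works, open more than ten concurrent connections to port 80 from one host and watch the DROP counter in `show_counters` increase while a second host is still served normally.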