Connection Rate LimitingTomEastep20082009Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.IntroductionShorewall supports several mechanisms for limiting connection rates.
These are described in the following sections.Rates are expressed in terms of a connections per unit
time and a burst. An
interval is calculated by dividing the unit of time
by the number of connections allowed in that unit of time
(connections/{||||week|month}[:burst]Example: 4/min:5Connections = 4Unit of time = 1 minuteInterval = 1 minute/4 = 15 seconds.Burst = 5As each connection arrives,if the burst count is > 0 the
burst count is reduced by one and the connection is
accepted. After each interval (15 seconds) that passes without a
connection arriving, the burst count is incremented
by 1 but is not allowed to exceed its initial setting (5).By default, the aggregate connection rate is limited. If the
specification is preceded by "" or
"", then the rate is limited per SOURCE or per
DESTINATION IP address respectively.Policy Rate LimitingThe LIMIT column in the /etc/shorewall/policy
file applies to TCP connections that are subject to the policy. The
limiting is applied BEFORE the connection request is passed through the
rules generated by entries in /etc/shorewall/rules.
Those connections in excess of the limit are logged and dropped.Rules Rate LimitingThe RATE LIMIT column in the
/etc/shorewall/rules file allows limiting of
ACCEPT, DNAT and Action rules.Limit ActionThe Limit Action is a
legacy mechanism that limits connections per source IP. It does not
support the notion of a burst size.