Connection Rate LimitingTomEastep20082009Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.IntroductionShorewall supports several mechanisms for limiting connection rates.
These are described in the following sections.Rates are expressed in terms of a connections per unit
time and a burst. An
interval is calculated by dividing the unit of time
by the number of connections allowed in that unit of time
(connections/{||||week|month}[:burst]Example: 4/min:5Connections = 4Unit of time = 1 minuteInterval = 1 minute/4 = 15 seconds.Burst = 5As each connection arrives,if the burst count is > 0 the
burst count is reduced by one and the connection is
accepted. After each interval (15 seconds) that passes without a
connection arriving, the burst count is incremented
by 1 but is not allowed to exceed its initial setting (5).By default, the aggregate connection rate is limited. If the
specification is preceeded by "" or
"", then the rate is limited per SOURCE or per
DESTINATION IP address respectively.Policy Rate LimitingThe LIMIT:BURST column in the
/etc/shorewall/policy file applies to TCP
connections that are subject to the policy. The limiting is applied
BEFORE the connection request is passed through the rules generated by
entries in /etc/shorewall/rules. Those connections
in excess of the limit are logged and dropped.Rules Rate LimitingThe RATE LIMIT column in the
/etc/shorewall/rules file allows limiting of
ACCEPT, DNAT and Action rules.Limit ActionThe Limit Action is a
legacy mechanism that limits connections per source IP. It does not
support the notion of a burst size.