Connection Rate Limiting Tom Eastep 2008 2009 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.
Introduction Shorewall supports several mechanisms for limiting connection rates. These are described in the following sections. Rates are expressed in terms of a connections per unit time and a burst. An interval is calculated by dividing the unit of time by the number of connections allowed in that unit of time (connections/{||||week|month}[:burst] Example: 4/min:5 Connections = 4 Unit of time = 1 minute Interval = 1 minute/4 = 15 seconds. Burst = 5 As each connection arrives,if the burst count is > 0 the burst count is reduced by one and the connection is accepted. After each interval (15 seconds) that passes without a connection arriving, the burst count is incremented by 1 but is not allowed to exceed its initial setting (5). By default, the aggregate connection rate is limited. If the specification is preceded by "" or "", then the rate is limited per SOURCE or per DESTINATION IP address respectively.
Policy Rate Limiting The LIMIT:BURST column in the /etc/shorewall/policy file applies to TCP connections that are subject to the policy. The limiting is applied BEFORE the connection request is passed through the rules generated by entries in /etc/shorewall/rules. Those connections in excess of the limit are logged and dropped.
Rules Rate Limiting The RATE LIMIT column in the /etc/shorewall/rules file allows limiting of ACCEPT, DNAT and Action rules.
Limit Action The Limit Action is a legacy mechanism that limits connections per source IP. It does not support the notion of a burst size.