Copyright © 2008, 2009 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2023/02/18
Shorewall supports several mechanisms for limiting connection rates. These are described in the following sections.
Rates are expressed in terms of a number of connections per unit of time and a burst. An interval is calculated by dividing the unit of time by the number of connections allowed in that unit of time.

    connections/{sec|min|hour|day|week|month}[:burst]
Example: 4/min:5

    Connections  = 4
    Unit of time = 1 minute
    Interval     = 1 minute / 4 = 15 seconds
    Burst        = 5
As each connection arrives, if the burst count is > 0, the burst count is reduced by one and the connection is accepted. After each interval (15 seconds) that passes without a connection arriving, the burst count is incremented by 1, but it is not allowed to exceed its initial setting (5).
By default, the aggregate connection rate is limited. If the specification is preceded by "s:" or "d:", then the rate is limited per SOURCE or per DESTINATION IP address respectively.
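To make the burst/interval rule and the "s:"/"d:" scoping concrete, here is an added simulation (example code written for this page, not part of Shorewall itself). It parses a rate specification, then models the counter as a token bucket whose credit refills at one per interval and is capped at the burst; the IP addresses and arrival times are constructed sample input.

```python
import re

# seconds per unit; "month" taken as 30 days (an assumption of this example)
UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400,
                "week": 604800, "month": 30 * 86400}
SPEC_RE = re.compile(r"^(?:(s|d):)?(\d+)/(sec|min|hour|day|week|month)(?::(\d+))?$")


def parse_rate(spec):
    """Parse '[s:|d:]connections/unit[:burst]' into (scope, interval_seconds, burst)."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("bad rate specification: %r" % spec)
    scope, conns, unit, burst = m.groups()
    # burst defaults to 1 here; the page states no default, so this is an assumption
    burst = int(burst) if burst else 1
    interval = UNIT_SECONDS[unit] / int(conns)   # e.g. 4/min -> 15 seconds
    return scope, interval, burst


class RateLimiter:
    """One bucket per source ('s:'), per destination ('d:'), or one shared bucket."""

    def __init__(self, spec):
        self.scope, self.interval, self.burst = parse_rate(spec)
        self.state = {}   # bucket key -> (remaining credit, time of last arrival)

    def admit(self, t, src, dst):
        key = {"s": src, "d": dst}.get(self.scope, "*")
        credit, last = self.state.get(key, (self.burst, t))
        # credit accrues at one per interval since the last arrival, never above burst
        credit = min(self.burst, credit + (t - last) / self.interval)
        accepted = credit >= 1
        if accepted:
            credit -= 1          # a whole credit is consumed by an accepted connection
        self.state[key] = (credit, t)
        return accepted


def simulate(spec, arrivals):
    """arrivals: sequence of (time_seconds, src_ip, dst_ip); returns accept flags."""
    limiter = RateLimiter(spec)
    return [limiter.admit(t, s, d) for t, s, d in arrivals]


# constructed sample: seven attempts in seven seconds from one host, one from a second
# host, then the first host again after a pause
SAMPLE = [(t, "192.0.2.10", "198.51.100.1") for t in range(7)] + \
         [(6, "192.0.2.11", "198.51.100.1"), (20, "192.0.2.10", "198.51.100.1")]
```

With "s:4/min:5" the second host has its own bucket and is accepted, while under the aggregate "4/min:5" it shares the exhausted bucket and is dropped.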
The LIMIT column in the /etc/shorewall/policy file applies to TCP connections that are subject to the policy. The limiting is applied BEFORE the connection request is passed through the rules generated by entries in /etc/shorewall/rules. Those connections in excess of the limit are logged and dropped.
The RATE LIMIT column in the /etc/shorewall/rules file allows limiting of ACCEPT, DNAT and Action rules.
The Limit Action is a legacy mechanism that limits connections per source IP. It does not support the notion of a burst size.