Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshhold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying an ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information
ServerIron ADX Security Guide 33
53-1002440-03
Maximum concurrent connection limit per client
1
ServerIronADX(config)# client-connection-limit max-conn1
ServerIronADX(config-client-max-conn)# max-conn default 10
In this example, all clients not specified in any max connection group will have a maximum of 10
connections.
Syntax: [no] max-conn [<client-ip-address> <client-subnet-mask> default <max-connections>
Enter a default maximum number of connections for <max-connections>
Excluding clients from maximum connection policy
If you want certain clients to be excluded from any maximum connection policies, enter a command
such as the following.
ServerIronADX(config)# client-connection-limit max-conn1
ServerIronADX(config-client-trl)# max-conn 100.1.4.0 255.255.255.0 exclude
In this example, clients in the 100.1.4.0 subnet will be excluded for any maximum connection rules.
Syntax: [no] max-conn [<client-ip-address> <client-subnet-mask> exclude
Displaying the maximum number of connections for clients that are currently connected
To show the maximum number connection policy for a client that is currently connected, enter
command such as the following on the barrel processor (BP) console.
ServerIronADX1# show conn pass1 0
Max Count: 2500 Total Count: 55
IP address Mask config hit denied
0.0.0.0 0.0.0.0 10 0 0
120.20.1.0 255.255.255.192 12 0 0
120.20.1.16 255.255.255.240 15 0 0
120.20.1.21 255.255.255.255 exclude 0 0
120.20.1.23 255.255.255.255 exclude 0 0
120.20.1.24 255.255.255.255 15 20 5
Current connections:
VIP 20.20.1.6: 15
120.20.1.25 255.255.255.255 exclude 0 0
120.20.1.27 255.255.255.255 exclude 20 0
Current connections:
VIP 20.20.1.6: 20
120.20.1.29 255.255.255.255 exclude 0 0
120.20.1.30 255.255.255.255 15 20 5
Current connections:
VIP 20.20.1.6: 15
120.20.1.33 255.255.255.255 exclude 20 0
ServerIronADX1#
Syntax: show connection-limit <name> <offset>
Enter the name of the max connection policy for <name>.
Enter the starting entry for <offset>
Binding the policy to a VIP
After creating a maximum connection policy, bind it to a VIP by entering commands such as the
following.
ServerIronADX(config)#server virtual-name-or-ip virt-2
ServerIronADX(config-vs-virt-2)#client-max-conn-limit max-conn1