User manual

Once you have created a packet filtering rule, you may specify rate limiting settings.
These settings are useful for preventing a service from becoming unavailable should
many connection attempts occur in a short period of time (e.g. in the case of a denial of
service (DoS) attack). Packets that exceed the specified limit can be accepted, rejected
or dropped, and can be logged.
Click the Modify icon next to the rule that you wish to rate limit, and click the Rate Limit
tab.
Check Enable Rate Limiting for this rule.
Rate (per second) is the average number of connections that will be matched before
rate limiting applies, specified as connections per second.
Note: If Access Control is enabled, then packets that traverse Access Control are rate
limited separately from other packets, so that potentially twice the specified rate will
be matched.
Burst is the maximum instantaneous burst of connections before rate limiting applies,
specified as the number of connections. This is useful for services that require multiple
connections within a short time.
Action if Limited is the action to take when a packet matches the packet filter rule, but
exceeds the rate limit:
- None: Perform no action for rate limited packets, and continue matching on
  subsequent rules. This is useful if you want rate limited packets to fall through to
  a more general rule.
- Accept: Allow the rate limited packet.
- Reject: Disallow the rate limited packet, but also send an ICMP protocol
  unreachable message to the source IP address.
- Drop: Silently disallow the rate limited packet.
If Log if Limited is checked, the first packet of any rate limited connection will generate a
log message.
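
The following added example (not taken from this manual or the product) models how Rate, Burst, Action if Limited and Log if Limited interact. It assumes token-bucket behaviour, which the manual does not state; the class and function names are hypothetical and the arrival times are constructed.

```python
# Added illustration: token-bucket model of the Rate / Burst / Action settings.
# The token-bucket behaviour is an assumption; the manual does not name the algorithm.
# Integer milliseconds and milli-tokens keep the arithmetic exact.

class RateLimitedRule:  # hypothetical name, not part of the product
    def __init__(self, rate, burst, action_if_limited="drop", log_if_limited=False):
        self.rate = rate                      # Rate (per second)
        self.burst_mt = burst * 1000          # Burst, in milli-tokens
        self.action_if_limited = action_if_limited  # none/accept/reject/drop
        self.log_if_limited = log_if_limited
        self.tokens_mt = self.burst_mt        # bucket starts full
        self.last_ms = 0
        self.logged = []                      # times of logged limited connections

    def new_connection(self, now_ms):
        """Return the verdict for the first packet of a connection at now_ms."""
        # Refill at `rate` tokens per second (= rate milli-tokens per ms), capped at Burst.
        elapsed = now_ms - self.last_ms
        self.tokens_mt = min(self.burst_mt, self.tokens_mt + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens_mt >= 1000:
            self.tokens_mt -= 1000
            return "match"                    # within the limit: rule's own action applies
        if self.log_if_limited:
            self.logged.append(now_ms)
        if self.action_if_limited == "none":
            return "fallthrough"              # continue matching on subsequent rules
        return self.action_if_limited

def simulate(rule, arrivals_ms):
    return [rule.new_connection(t) for t in arrivals_ms]

# Constructed sample: eight attempts 100 ms apart, then one more at t = 2 s.
ARRIVALS_MS = [0, 100, 200, 300, 400, 500, 600, 700, 2000]

if __name__ == "__main__":
    rule = RateLimitedRule(rate=2, burst=5, action_if_limited="drop", log_if_limited=True)
    for t, verdict in zip(ARRIVALS_MS, simulate(rule, ARRIVALS_MS)):
        print(f"{t:5d} ms  {verdict}")
    print("logged at (ms):", rule.logged)
```

In this model, with Rate 2 and Burst 5, six of the first eight attempts match rather than five, because one token is refilled during the first 500 ms; the attempt at 2 s matches again once the bucket has recovered.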
Firewall