Firewalld limit connection

Support for security such as Firewalls and securing linux
riop
Posts: 5
Joined: 2020/04/17 15:48:24

Firewalld limit connection

Post by riop » 2020/04/17 16:04:40

I have a VPS with 3 open TCP network ports: 50010 for login connections, 50020 for game connections, and 65146 for the database (bdd). On my VPS I have a game. I have firewalld drop everything except these 3 TCP ports. I have Voxility Gaming DDoS protection, and I receive quite substantial DDoS attacks. I have to wait 5 minutes for Voxility to attenuate the attack; I can still play, but with a high ping, and this disconnects some players. So I would like to know if I can limit the connections per minute for the 3 network ports with firewalld. I would like a solution to improve my security. Thx

jlehtone
Posts: 3189
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld limit connection

Post by jlehtone » 2020/04/20 20:03:34


KernelOops
Posts: 395
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Firewalld limit connection

Post by KernelOops » 2020/04/21 07:55:54

It's actually great fun to play with these rules. Here is a typical scenario: let's limit web HTTPS requests.

Usually, you allow HTTPS like this (allow TCP port 443):

    firewall-cmd --permanent --zone="public" --add-port="443/tcp"

To limit a port, we first need to make sure we REMOVE the above allow rule; otherwise it will take precedence and the rich rule won't be reached:

    firewall-cmd --permanent --zone="public" --remove-port="443/tcp"

Now we can get down to business and create a rich rule for the same port:

    firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="443" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'

Here is the analysis of the rule:

    # start a rich rule
    rule

          # open port 443/tcp, of course you can define other things instead of a port number, like a service.
          port port="443" protocol="tcp"

          # define the limit to 100 connections per second
          accept limit value="100/s"

          # when something hits the limit, log the connection as a warning
          log prefix="HttpsLimit" level="warning" limit value="100/s"

In practice, you can do this for all your open ports (port 80, 993, 995, whatever). You can put some very high limits and see how that goes, then start lowering them to something more strict.

For example, if you know that your server can handle X number of connections per second, you can place a hard limit on your firewall, to make sure your server will never be overwhelmed by too many connections. Of course each open port should have its own limit based on whatever service is behind it.
--
I love my computer - all my friends live there.
--
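
As an added example, not code from this thread: a small Python helper that builds the same kind of rate-limited rich rule for the three ports riop listed, then tallies the kernel log entries that the `log prefix=` part produces, per source address and destination port. The log lines are constructed and the per-port rates and prefixes are assumptions; the rule places `log` before `accept`, the order firewalld.richlanguage(5) documents.

```python
import re
from collections import Counter

# Assumed per-port rates and log prefixes (riop's 7/s and 20/s figures).
PORT_LIMITS = {50010: ("7/s", "GameLogin"), 50020: ("7/s", "GamePlay"), 65146: ("20/s", "DbLimit")}

def build_rich_rule(port, rate, prefix):
    """Rich rule for one TCP port: log and accept at most `rate` matching packets.
    Apply with: firewall-cmd --permanent --zone=public --add-rich-rule='<rule>'"""
    return (f'rule port port="{port}" protocol="tcp" '
            f'log prefix="{prefix}" level="warning" limit value="{rate}" '
            f'accept limit value="{rate}"')

def all_rich_rules(limits=PORT_LIMITS):
    """One rule string per port, in port order."""
    return [build_rich_rule(p, r, pfx) for p, (r, pfx) in sorted(limits.items())]

# Kernel LOG target output looks like "<prefix>IN=... SRC=... DPT=...";
# the prefix is printed verbatim, so a space before IN= is optional.
LOG_RE = re.compile(r'kernel: (?P<prefix>.*?)\s*IN=\S* .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)')

# Constructed sample log lines (RFC 5737 addresses); the last one is unrelated noise.
SAMPLE_LOG = """\
Apr 21 12:16:01 vps kernel: GameLogin IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=50010 SYN
Apr 21 12:16:01 vps kernel: GameLogin IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=50010 SYN
Apr 21 12:16:02 vps kernel: GameLoginIN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=50010 SYN
Apr 21 12:16:02 vps kernel: GamePlay IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=50020 SYN
Apr 21 12:16:03 vps sshd[1234]: Accepted publickey for admin from 203.0.113.50
"""

def count_hits(lines):
    """Logged packets per (prefix, source IP, destination port)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[(m["prefix"], m["src"], int(m["dpt"]))] += 1
    return hits

def noisiest_sources(hits):
    """Total logged packets per source IP, busiest first."""
    per_src = Counter()
    for (_prefix, src, _dpt), n in hits.items():
        per_src[src] += n
    return per_src.most_common()
```

The entries come from the kernel log, so on CentOS 7 read them with `journalctl -k` or in /var/log/messages; packets above the limit are not logged by this rule and fall through to the zone's default target. A host firewall limit protects the services behind it but cannot shed traffic that has already saturated the uplink, which remains the job of the upstream protection riop mentioned.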

riop
Posts: 5
Joined: 2020/04/17 15:48:24

Re: Firewalld limit connection

Post by riop » 2020/04/21 12:16:57

Thank you, I was missing this option! You are awesome, thx! I have limited the game and login ports to 7/s; it's great, no problem. For the database I have no idea; my site communicates with it, and my game too. I was thinking of putting 20/s? I would also like to know, if a person is dropped, how long it will be, and in which file I will find the logs. Thank you. I limit the connections in seconds; is it best per minute or per second?

Return to “CentOS 7 - Security Support”