It's actually great fun to play with these rules. Here is a typical scenario: let's limit web HTTPS requests.
Usually, you allow https like this (allow tcp port 443):
firewall-cmd --permanent --zone="public" --add-port="443/tcp"
To limit a port, we first need to make sure we REMOVE the above allow rule, otherwise it will take precedence and the rich rule won't be reached:
firewall-cmd --permanent --zone="public" --remove-port="443/tcp"
Now we can get down to business and create a rich rule for the same port:
firewall-cmd --permanent --zone="public" --add-rich-rule='rule port port="443" protocol="tcp" accept limit value="100/s" log prefix="HttpsLimit" level="warning" limit value="100/s"'
Here is the analysis of the rule:
# start a rich rule
rule
# open port 443/tcp; of course you can define other things instead of a port number, like a service
port port="443" protocol="tcp"
# define the limit to 100 connections per second
accept limit value="100/s"
# when something hits the limit, log the connection as a warning
log prefix="HttpsLimit" level="warning" limit value="100/s"
In practice, you can do this for all your open ports (port 80, 993, 995, whatever). You can put some very high limits and see how that goes, then start lowering them to something more strict.
For example, if you know that your server can handle X connections per second, you can place a hard limit on your firewall to make sure your server will never be overwhelmed by too many connections. Of course, each open port should have its own limit based on whatever service is behind it.
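The remove-then-add procedure above, turned into a small script that is an added example and not part of the original post: it builds the rich rule for any port (in the element, log, action order documented in firewalld.richlanguage(5)), and before emitting the add command it checks a `firewall-cmd --zone=public --list-all` listing to confirm the plain port allowance has been removed, since that allowance would otherwise take precedence. The listing used here is constructed sample output, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes firewalld's documented
# rich-rule order: element, then log, then action with its limit.

# build_limit_rule PORT PROTO RATE PREFIX -> prints the rich rule string
build_limit_rule() {
    printf 'rule port port="%s" protocol="%s" log prefix="%s" level="warning" limit value="%s" accept limit value="%s"' \
        "$1" "$2" "$4" "$3" "$3"
}

# plain_port_open PORT/PROTO, zone listing on stdin.
# Returns 0 if the port is still in the plain "ports:" line (which would take
# precedence over a rich rule), 1 otherwise.
plain_port_open() {
    awk -v want="$1" '
        $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# limit_commands PORT/PROTO RATE PREFIX, zone listing on stdin.
# Prints the remove command only when the plain allowance is still present,
# then the add-rich-rule command. Run `firewall-cmd --reload` afterwards.
limit_commands() {
    listing=$(cat)
    if printf '%s\n' "$listing" | plain_port_open "$1"; then
        printf 'firewall-cmd --permanent --zone="public" --remove-port="%s"\n' "$1"
    fi
    printf "firewall-cmd --permanent --zone=\"public\" --add-rich-rule='%s'\n" \
        "$(build_limit_rule "${1%/*}" "${1#*/}" "$2" "$3")"
}

# Constructed sample listing; on a real host use:
#   firewall-cmd --zone=public --list-all | limit_commands 443/tcp 100/s HttpsLimit
SAMPLE_LIST_ALL='public (active)
  target: default
  services: ssh dhcpv6-client
  ports: 443/tcp 993/tcp
  rich rules: '
```

Piping the sample listing into `limit_commands 443/tcp 100/s HttpsLimit` prints the remove command followed by the add command, while `limit_commands 995/tcp 100/s Pop3sLimit` prints only the add command because 995/tcp is not in the plain ports line.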