Enabling firewall denial of service protection
To configure firewall denial of service protection, perform the steps in the following examples in configuration mode.
Example 1: Limit only inbound max-halfopen TCP sessions
Complete the following steps to limit only the inbound max-halfopen TCP sessions on the dp0p1s1 interface:
- Configure the dp0p1s1 data plane interface and assign FW1 as the inbound firewall:
vyatta@R1# set interfaces dataplane dp0p1s1 address 10.10.1/24
vyatta@R1# set interfaces dataplane dp0p1s1 firewall in FW1
- Configure the dp0p1s2 data plane interface:
vyatta@R1# set interfaces dataplane dp0p1s2 address 10.10.1/24
- Configure FW1 as the firewall for the configuration:
vyatta@R1# set security firewall name FW1 rule 10 action accept
- Configure the firewall rule to be stateful:
vyatta@R1# set security firewall name FW1 rule 10 session
- Configure the system session limit parameter name as MAX_HALFOPEN_200 and set the limit to a maximum of 200 half-open sessions:
vyatta@R1# set system session limit parameter name MAX_HALFOPEN_200 max-halfopen 200
- Configure PROTOTCP as the system session group name for the dp0p1s1 interface:
vyatta@R1# set system session limit group name PROTOTCP interface dp0p1s1
Note: The session limiter is configured on the dp0p1s1 interface, which means it is applied to both inbound and outbound sessions created on that interface. However, because there is only an inbound firewall on dp0p1s1, the session limiter works only with inbound sessions.
- Configure the rule parameters for PROTOTCP:
vyatta@R1# set system session limit group name PROTOTCP rule 10 parameter MAX_HALFOPEN_200
- Configure the rule protocol for PROTOTCP:
vyatta@R1# set system session limit group name PROTOTCP rule 10 protocol tcp
- Save the configuration:
vyatta@R1# commit
- Display the configured firewall DoS protection:
vyatta@R1# show session limit parameter MAX_HALFOPEN_200
Session limit parameter "MAX_HALFOPEN_200":
  Sessions allowed                                      200
  Sessions blocked                                      100
  Current session counts (estab/half-open/terminating)  [0:200:0]
  Max session counts (estab/half-open/terminating)      [0:200:0]
  Time since last session created                       23.0s
  Sessions per sec avg (1sec/1min/5mins)                [0:0:0]
  Max sessions per sec avg (1sec/1min/5mins)            [0:0:0]
  Time since max sessions per sec (1sec/1min/5mins)     [never:never:never]
  Time since last session blocked                       23.0s
  Max sessions blocked per sec avg (1sec/1min/5mins)    [0:0:0]
  Features
    max-halfopen
      Max half-open sessions
        Maximum                                         200
        Sessions blocked                                100
  Session limit group "PROTOTCP":
    Active on (dp0p1s1)
    rule  parameter         proto  allowed  blocked
    ----  ---------         -----  -------  -------
    10    MAX_HALFOPEN_200  tcp    200      100
          condition - proto tcp
Example 2: Rate-limit sessions for different types of protocols while maintaining separate counts for each protocol
Complete the following steps to rate-limit TCP, UDP, and ICMP sessions with a single rate-limit parameter, while maintaining separate counts for each protocol.
- Configure the dp0p1s1 data plane interface and assign FW1 as the inbound firewall:
vyatta@R1# set interfaces dataplane dp0p1s1 address 10.10.1/24
vyatta@R1# set interfaces dataplane dp0p1s1 firewall in FW1
- Configure FW1 as the firewall for the configuration:
vyatta@R1# set security firewall name FW1 rule 10 action accept
- Configure the firewall rule to be stateful:
vyatta@R1# set security firewall name FW1 rule 10 session
- Configure the system session limit parameter name as PARAM1 and set the rate limit to 4 sessions:
vyatta@R1# set system session limit parameter name PARAM1 rate-limit 4
- Configure GROUP1 as the system session group name for the dp0p1s1 interface:
vyatta@R1# set system session limit group name GROUP1 interface dp0p1s1
- Configure the rule 10 parameters for GROUP1:
vyatta@R1# set system session limit group name GROUP1 rule 10 parameter PARAM1
- Configure the rule protocol to UDP for GROUP1:
vyatta@R1# set system session limit group name GROUP1 rule 10 protocol udp
- Configure the rule 20 parameters for GROUP1:
vyatta@R1# set system session limit group name GROUP1 rule 20 parameter PARAM1
- Configure the rule protocol to TCP for GROUP1:
vyatta@R1# set system session limit group name GROUP1 rule 20 protocol tcp
- Configure the rule 30 parameters for GROUP1:
vyatta@R1# set system session limit group name GROUP1 rule 30 parameter PARAM1
- Configure the rule protocol to ICMP for GROUP1:
vyatta@R1# set system session limit group name GROUP1 rule 30 protocol icmp
- Save the configuration:
vyatta@R1# commit
- After sending 100 packets each of UDP, TCP and ICMP (with different ports, source addresses, or both), display the configured firewall DoS protection:
vyatta@R1# show session limit parameter PARAM1
Session limit parameter "PARAM1":
  Sessions allowed                                      111
  Sessions blocked                                      189
  Current session counts (estab/half-open/terminating)  [0:0:0]
  Max session counts (estab/half-open/terminating)      [0:74:0]
  Time since last session created                       1.9m
  Sessions per sec avg (1sec/1min/5mins)                [0:0:0]
  Max sessions per sec avg (1sec/1min/5mins)            [4:0:0]
  Time since max sessions per sec (1sec/1min/5mins)     [1.9m:never:never]
  Time since last session blocked                       1.9m
  Max sessions blocked per sec avg (1sec/1min/5mins)    [7:0:0]
  Features
    rate-limit
      Rate limit
        Rate sessions/second                            4
        Max burst                                       4
        Interval (milliseconds)                         1000
        Sessions blocked                                189
  Session limit group "GROUP1":
    Active on (dp0p1s1)
    rule  parameter  proto  allowed  blocked
    ----  ---------  -----  -------  -------
    10    PARAM1     udp    37       63
          condition - proto udp
    20    PARAM1     tcp    37       63
          condition - proto tcp
    30    PARAM1     icmp   37       63
          condition - proto icmp