Vyatta Network OS Documentation

Enabling firewall denial of service protection

To configure firewall denial of service protection, perform the steps in the following examples in configuration mode.

Note: The vRouter software automatically calculates the rate-limit interval from the rate and burst values as follows: interval (milliseconds) = (burst*1000)/rate.

Example 1: Limit only inbound max-halfopen TCP sessions

Complete the following steps to limit only the inbound max-halfopen TCP sessions on the dp0p1s1 interface:

  1. Configure the dp0p1s1 data plane interface and assign FW1 as the inbound firewall:
    
    vyatta@R1# set interfaces dataplane dp0p1s1 address 10.10.1/24
    vyatta@R1# set interfaces dataplane dp0p1s1 firewall in FW1
    
  2. Configure the dp0p1s2 data plane interface:
    
    vyatta@R1# set interfaces dataplane dp0p1s2 address 10.10.1/24
    
  3. Create the FW1 firewall with rule 10, which accepts traffic:
    
    vyatta@R1# set security firewall name FW1 rule 10 action accept
    
  4. Configure the firewall rule to be stateful:
    
    vyatta@R1# set security firewall name FW1 rule 10 session
    
  5. Configure the system session limit parameter name as MAX_HALFOPEN_200 and set the limit to a maximum of 200 half-open sessions:
    
    vyatta@R1# set system session limit parameter name MAX_HALFOPEN_200 max-halfopen 200
    
  6. Configure PROTOTCP as the system session group name for the dp0p1s1 interface:
    
    vyatta@R1# set system session limit group name PROTOTCP interface dp0p1s1
    
    Note: The session limiter is configured on the dp0p1s1 interface, so it applies to both inbound and outbound sessions created on that interface. However, because dp0p1s1 has only an inbound firewall, the session limiter acts only on inbound sessions.
    
  7. Configure the rule parameters for PROTOTCP:
    
    vyatta@R1# set system session limit group name PROTOTCP rule 10 parameter MAX_HALFOPEN_200
    
  8. Configure the rule protocol for PROTOTCP:
    
    vyatta@R1# set system session limit group name PROTOTCP rule 10 protocol tcp
    
  9. Save the configuration:
    
    vyatta@R1# commit
    
  10. Display the configured firewall DoS protection:
    
    vyatta@R1# show session limit parameter MAX_HALFOPEN_200
    Session limit parameter "MAX_HALFOPEN_200":
        Sessions allowed                                                               200
        Sessions blocked                                                               100
        Current session counts (estab/half-open/terminating)                     [0:200:0]
        Max session counts (estab/half-open/terminating)                         [0:200:0]
        Time since last session created                                              23.0s
        Sessions per sec avg (1sec/1min/5mins)                                     [0:0:0]
        Max sessions per sec avg (1sec/1min/5mins)                                 [0:0:0]
        Time since max sessions per sec (1sec/1min/5mins)              [never:never:never]
        Time since last session blocked                                              23.0s
        Max sessions blocked per sec avg (1sec/1min/5mins)                         [0:0:0]
        Features                                                              max-halfopen
        Max half-open sessions                                
            Maximum                                                                    200
            Sessions blocked                                                           100
    
    Session limit group "PROTOTCP":
        Active on (dp0p1s1)
        rule    parameter            proto           allowed         blocked        
        ----    ---------            -----           -------         -------        
        10      MAX_HALFOPEN_200     tcp             200             100            
        condition - proto tcp 
    

Example 2: Rate-limit sessions for different types of protocols while maintaining separate counts for each protocol

Complete the following steps to rate-limit TCP, UDP, and ICMP sessions with a single rate-limit parameter, while maintaining separate counts for each protocol.

  1. Configure the dp0p1s1 data plane interface and assign FW1 as the inbound firewall:
    
    vyatta@R1# set interfaces dataplane dp0p1s1 address 10.10.1/24
    vyatta@R1# set interfaces dataplane dp0p1s1 firewall in FW1
    
  2. Create the FW1 firewall with rule 10, which accepts traffic:
    
    vyatta@R1# set security firewall name FW1 rule 10 action accept
    
  3. Configure the firewall rule to be stateful:
    
    vyatta@R1# set security firewall name FW1 rule 10 session
    
  4. Configure the system session limit parameter name as PARAM1 and set the rate limit to 4 sessions per second:
    
    vyatta@R1# set system session limit parameter name PARAM1 rate-limit 4
    
  5. Configure GROUP1 as the system session group name for the dp0p1s1 interface:
    
    vyatta@R1# set system session limit group name GROUP1 interface dp0p1s1
    
  6. Configure the rule 10 parameters for GROUP1:
    
    vyatta@R1# set system session limit group name GROUP1 rule 10 parameter PARAM1
    
  7. Configure the rule protocol to UDP for GROUP1:
    
    vyatta@R1# set system session limit group name GROUP1 rule 10 protocol udp
    
  8. Configure the rule 20 parameters for GROUP1:
    
    vyatta@R1# set system session limit group name GROUP1 rule 20 parameter PARAM1
    
  9. Configure the rule protocol to TCP for GROUP1:
    
    vyatta@R1# set system session limit group name GROUP1 rule 20 protocol tcp
    
  10. Configure the rule 30 parameters for GROUP1:
    
    vyatta@R1# set system session limit group name GROUP1 rule 30 parameter PARAM1
    
  11. Configure the rule protocol to ICMP for GROUP1:
    
    vyatta@R1# set system session limit group name GROUP1 rule 30 protocol icmp
    
  12. Save the configuration:
    
    vyatta@R1# commit
    
  13. After sending 100 packets each of UDP, TCP, and ICMP (with different ports, source addresses, or both), display the configured firewall DoS protection:
    
    vyatta@R1# show session limit parameter PARAM1
    Session limit parameter "PARAM1":
        Sessions allowed                                                               111
        Sessions blocked                                                               189
        Current session counts (estab/half-open/terminating)                       [0:0:0]
        Max session counts (estab/half-open/terminating)                          [0:74:0]
        Time since last session created                                               1.9m
        Sessions per sec avg (1sec/1min/5mins)                                     [0:0:0]
        Max sessions per sec avg (1sec/1min/5mins)                                 [4:0:0]
        Time since max sessions per sec (1sec/1min/5mins)               [1.9m:never:never]
        Time since last session blocked                                               1.9m
        Max sessions blocked per sec avg (1sec/1min/5mins)                         [7:0:0]
        Features                                                                rate-limit
        Rate limit                                            
            Rate sessions/second                                                         4
            Max burst                                                                    4
            Interval (milliseconds)                                                   1000
            Sessions blocked                                                           189
    
    Session limit group "GROUP1":
        Active on (dp0p1s1)
        rule    parameter  proto           allowed         blocked        
        ----    ---------  -----           -------         -------        
        10      PARAM1     udp             37              63             
        condition - proto udp 
    
        20      PARAM1     tcp             37              63             
        condition - proto tcp 
    
        30      PARAM1     icmp            37              63             
        condition - proto icmp
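
As an added example that is not part of the Vyatta documentation: a Python parser for the "show session limit parameter" output format shown in Examples 1 and 2, plus a hypothetical audit() check that verifies the displayed interval against the burst*1000/rate formula from the note above, confirms the per-rule counters sum to the parameter total, and flags a high block ratio for a monitoring alert. The sample text is constructed from Example 2's output with the column padding shortened; the alert threshold of 50% is an assumption.

```python
import re
# Constructed sample, abridged from Example 2's "show session limit parameter PARAM1" output above.
SAMPLE = """\
Session limit parameter "PARAM1":
    Sessions allowed                111
    Sessions blocked                189
        Rate sessions/second          4
        Max burst                     4
        Interval (milliseconds)    1000
        Sessions blocked            189
Session limit group "GROUP1":
    10      PARAM1     udp     37    63
    20      PARAM1     tcp     37    63
    30      PARAM1     icmp    37    63
"""

PARAM_RE = re.compile(r'^Session limit parameter "([^"]+)":')
COUNTER_RE = re.compile(r"^\s+(Sessions allowed|Sessions blocked|Rate sessions/second"
                        r"|Max burst|Interval \(milliseconds\))\s+(\d+)$")
RULE_RE = re.compile(r"^\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def interval_ms(rate, burst):
    return burst * 1000 // rate  # the vRouter's formula from the note above

def parse(text):
    """Return ({parameter: {counter: value}}, [per-rule dicts]) from the CLI output."""
    params, rules, cur = {}, [], None
    for line in text.splitlines():
        if m := PARAM_RE.match(line):
            cur = params.setdefault(m.group(1), {})
        elif (m := COUNTER_RE.match(line)) and cur is not None:
            cur.setdefault(m.group(1), int(m.group(2)))  # first "Sessions blocked" is the total
        elif m := RULE_RE.match(line):
            rule, param, proto, allowed, blocked = m.groups()
            rules.append({"rule": int(rule), "parameter": param, "proto": proto,
                          "allowed": int(allowed), "blocked": int(blocked)})
    return params, rules

def audit(params, rules, name, alert_ratio=0.5):
    """Cross-check counters and flag a high block ratio (hypothetical monitor logic)."""
    p, findings = params[name], []
    if "Max burst" in p and p["Interval (milliseconds)"] != interval_ms(
            p["Rate sessions/second"], p["Max burst"]):
        findings.append("interval does not match burst*1000/rate")
    if sum(r["allowed"] for r in rules if r["parameter"] == name) != p["Sessions allowed"]:
        findings.append("per-rule allowed counts do not sum to the parameter total")
    ratio = p["Sessions blocked"] / max(1, p["Sessions allowed"] + p["Sessions blocked"])
    if ratio >= alert_ratio:
        findings.append(f"{ratio:.0%} of sessions blocked by {name}")
    return ratio, findings
```

Feeding the block's parse() output to audit() on the sample reports only the block-ratio finding, since the interval (1000 ms) and the per-rule totals (37 x 3 = 111) are consistent with the parameter's counters.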