>/ip firewall rule forward
>add dst-port=28800 protocol=udp limit-count=100 limit-time=60 action=accept
>add dst-port=28800 protocol=udp action=drop

Here is what the above rule says (in English):
Accept up to 100 packets during any one 60 second period that are destined for port 28800 and are udp.

The second rule says:
Drop all udp packets destined for port 28800.

When building a firewall, you should be aware that each "rule" is read from top to bottom.

Each rule has 2 parts:
1. the "match"
2. the "action"

The "match" portion of the rules (both of them have the same matcher) is 2 things: udp and port 28800. What this means is this: if the firewall sees a packet that matches both of the parameters, then that packet will be subjected to the "action" portion of the rule. RouterOS provides for an additional "matcher" with the limit-* options. This portion of the "match" is based on a count of how many packets have matched during some configured amount of time. In the above example, that is 100 packets in 60 seconds. If the packet being looked at is number 100 during the previous 60 seconds, then the packet will match and the action will be applied. If the packet is number 101 (or more) during the preceding 60 seconds, the packet will NOT match, the rule's action will not be applied, and the packet will be compared against the next rule's match parameters. In the above example, this would cause the packet to be dropped.

If you use winbox, the first tab when you add a new rule (the "General" tab) and the second tab ("advanced") constitute the parameters for a "match". These fields all tell the firewall what to look for before performing the action on the "action" tab.

One thing to note about these match parameters is that if you leave the default entry in winbox (or don't set them specifically in the CLI), then that parameter is unused in determining whether the packet will match when the firewall "looks" at a packet. For example, the default src-address (source address in the IP header of the packet) is 0.0.0.0/0, which means "any packet". This is the answer to your first question:

>will this limit that port to 100 connections total for all users,
>or per user?

The rules above, since they do not specify a src-address or dst-address, will not look at the IP found in the packet to determine if it matches. Therefore, they will apply the limits to all users (combined).

The explanation above also addresses (indirectly) your second question:


>And what would you change to make it not apply to individual ports,
>but users, such as limiting all connections regardless of port
>number to xx number of combined connections per IP number?


Here are a couple of examples that will clarify a couple of things.

Consider the following few rules:

/ip firewall rule forward
1. add dst-address=10.0.0.0/24 action=drop
2. add src-address=10.0.0.1/32 action=accept
3. add src-address=10.0.1.1/32 protocol=tcp port=22 action=accept
4. add src-address=10.0.1.1/32 protocol=udp port=53 action=accept
5. add src-address=10.0.1.1/32 action=drop
6. add dst-address=10.0.1.2/32 action=drop

NOTE: THE ABOVE RULES WILL BREAK YOUR INTERNET TRAFFIC IF YOU PASTE THEM INTO YOUR ROUTER. THEY ARE JUST FOR EXPLANATORY PURPOSES.

(Sorry for the caps, but I wanted to be very clear..)

Let's look at a few packets coming through a router with the above 6 rules. I have numbered each line above for easy reference, but they will not work as is if you try to paste them into a router.

The first packet we will look at has a source address of 10.0.0.1 and destination address of 10.0.1.2. Looking at our rules, we see that the first one will match on any packet with a destination address of 10.0.0.1-10.0.0.254. This does NOT match our packet, since its destination is 10.0.1.2. The second rule will match any packet with a source address of 10.0.0.1/32, which DOES match our packet. The action for rule 2 is to "accept", so that packet "passes" our filter and further processing of firewall rules is halted. In other words, no other rules are even compared against the packet. That means that the drop rule (number 6), which would have matched, has no effect on this packet.

Now for a packet with source of 10.0.0.1 and destination of 10.0.0.10: The first rule is a match, and the packet is dropped. Again, it does not matter that the source of this packet has an "accept" action in the second rule, because that rule (and all the ones below) are not even processed, since the first one is a drop.

Let's take just 2 more examples. First, source IP of 10.0.1.1, attempting to connect via ssh to 10.20.102.1. Rule 3 will match here (ssh is tcp port 22). The following rules will not be consulted, since the match says "accept".

Finally, an http request (tcp port 80) from 10.0.1.1. That will not match until it hits rule 5, where it will be dropped. You should be able to follow that packet through the rules and see its fate... :-)
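To make the top-to-bottom, first-match behaviour (and the limit-* matcher from the first two rules) concrete, here is a small simulator. It is an added example, not code from the original post or from RouterOS; it walks the six explanatory rules and the two limit rules above, and it models limit-count/limit-time as a simple "N packets per T seconds" sliding window, which is an assumption, not RouterOS's actual implementation.

```python
import ipaddress
from collections import deque

class Rule:
    """One firewall rule: an unset matcher means "any", like the winbox defaults."""
    def __init__(self, action, src=None, dst=None, proto=None, dst_port=None,
                 limit_count=None, limit_time=None):
        self.action, self.proto, self.dst_port = action, proto, dst_port
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None
        self.limit_count, self.limit_time = limit_count, limit_time
        self.hits = deque()  # times at which this rule matched a packet

    def matches(self, pkt, now):
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dst_port and pkt.get("dst_port") != self.dst_port:
            return False
        if self.limit_count is not None:
            # limit-* as described in the post: N packets per T seconds (sliding window is an assumption)
            while self.hits and now - self.hits[0] >= self.limit_time:
                self.hits.popleft()
            if len(self.hits) >= self.limit_count:
                return False  # packet number 101+ in the window does NOT match
            self.hits.append(now)
        return True

def evaluate(rules, pkt, now=0.0, default="accept"):
    # Walk the chain top to bottom; the first matching rule decides the packet
    for number, rule in enumerate(rules, 1):
        if rule.matches(pkt, now):
            return number, rule.action
    return None, default  # fell off the end of the chain

# The six explanatory rules from the post, in order
CHAIN = [
    Rule("drop", dst="10.0.0.0/24"),
    Rule("accept", src="10.0.0.1/32"),
    Rule("accept", src="10.0.1.1/32", proto="tcp", dst_port=22),
    Rule("accept", src="10.0.1.1/32", proto="udp", dst_port=53),
    Rule("drop", src="10.0.1.1/32"),
    Rule("drop", dst="10.0.1.2/32"),
]
# The two limit rules from the top of the post
LIMIT_CHAIN = [
    Rule("accept", proto="udp", dst_port=28800, limit_count=100, limit_time=60),
    Rule("drop", proto="udp", dst_port=28800),
]
```

Feeding the four packets walked through above into `evaluate(CHAIN, ...)` returns (2, "accept"), (1, "drop"), (3, "accept") and (5, "drop") respectively, and the 101st udp/28800 packet within one 60 second window is the first one to reach the drop rule.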

Hope this has been helpful. It is not complete by any means. This article only barely covers the basics concerning the building of a firewall. It should provide a straightforward answer to some of the questions you may have concerning RouterOS and firewalling.



