.\" Automatically generated by Pandoc 3.1.3
.nh
.\"
.\" Define V font for inline verbatim, using C font in formats
.\" that render this, and otherwise B font.
.ie "\f[CB]x\f[]"x" \{\
. ftr V B
. ftr VI BI
. ftr VB B
. ftr VBI BI
.\}
.el \{\
. ftr V CR
. ftr VI CI
. ftr VB CB
. ftr VBI CBI
.\}
.TH "firehol-protection" "5" "Built 30 Mar 2024" "FireHOL Reference" "3.1.7"
.hy
.SH NAME
.PP
firehol-protection - add extra protections to a definition
.SH SYNOPSIS
.PP
protection [reverse] strong [\f[I]requests/period\f[R]
[\f[I]burst\f[R]]]
.PP
protection [reverse] \f[I]flood-protection-type\f[R]
[\f[I]requests/period\f[R] [\f[I]burst\f[R]]]
.PP
protection [reverse] { bad-packets | \f[I]packet-protection-type\f[R] }
.PP
protection [reverse] connlimit \f[I]connections\f[R] [mask
\f[I]prefix\f[R]]
.PP
protection [reverse] connrate \f[I]rate\f[R] [burst \f[I]amount\f[R]]
[srcmask \f[I]prefix\f[R]] [htable-size \f[I]buckets\f[R]] [htable-max
\f[I]entries\f[R]] [htable-expire \f[I]msec\f[R]] [htable-gcinterval
\f[I]msec\f[R]]
.SH DESCRIPTION
.PP
The \f[V]protection\f[R] subcommand sets protection rules on an
interface or router.
.PP
Flood protections honour the values \f[I]requests/period\f[R] and
\f[I]burst\f[R].
They are used to limit the rate of certain types of traffic.
.PP
The default rate FireHOL uses is 100 operations per second with a burst
of 50.
Run \f[V]iptables -m limit --help\f[R] for more information.
.PP
The protection type \f[V]strong\f[R] will switch on all protections
(both packet and flood protections) except \f[V]all-floods\f[R].
It has aliases \f[V]full\f[R] and \f[V]all\f[R].
.PP
The protection type \f[V]bad-packets\f[R] will switch on all packet
protections but not flood protections.
.PP
You can specify multiple protection types by using multiple
\f[V]protection\f[R] commands or by using a single command and enclosing
the types in quotes.
.RS
.PP
\f[B]Note\f[R]
.PP
On a router, protections are normally set up on inface.
.PP
The \f[V]reverse\f[R] option will set up the protections on outface.
You must use it as the first keyword.
.RE
.SH PACKET PROTECTION TYPES
.TP
bad-packets:
Drops all the bad packets detected by these rules.
.TP
invalid
Drops all incoming invalid packets, as detected INVALID by the
connection tracker.
.RS
.PP
See also FIREHOL_DROP_INVALID in firehol-defaults.conf(5) which allows
setting this function globally.
.RE
.TP
fragments
Drops all packet fragments.
.RS
.PP
This rule will probably never match anything since iptables(8)
reconstructs all packets automatically before the firewall rules are
processed whenever connection tracking is running.
.RE
.TP
new-tcp-w/o-syn
Drops all TCP packets that initiate a socket but have not got the SYN
flag set.
.TP
malformed-xmas
Drops all TCP packets that have all TCP flags set.
.TP
malformed-null
Drops all TCP packets that have all TCP flags unset.
.TP
malformed-bad
Drops all TCP packets that have illegal combinations of TCP flags set.
.SS EXAMPLES
.IP
.nf
\f[C]
protection bad-packets
\f[R]
.fi
.SH FLOOD PROTECTION TYPES
.TP
icmp-floods [\f[I]requests/period\f[R] [\f[I]burst\f[R]]]
Allows only a certain amount of ICMP echo requests.
.TP
syn-floods [\f[I]requests/period\f[R] [\f[I]burst\f[R]]]
Allows only a certain amount of new TCP connections.
.RS
.PP
Be careful to not set the rate too low as the rule is applied to all
connections regardless of their final result (rejected, dropped,
established, etc).
.RE
.TP
all-floods [\f[I]requests/period\f[R] [\f[I]burst\f[R]]]
Allows only a certain amount of new connections.
.RS
.PP
Be careful to not set the rate too low as the rule is applied to all
connections regardless of their final result (rejected, dropped,
established, etc).
.RE
.SS EXAMPLES
.IP
.nf
\f[C]
protection all-floods 90/sec 40
\f[R]
.fi
.SH CLIENT LIMITING TYPES
.PP
These protections were added in v3.
.PP
These protections are used to limit the connections client make, per
\f[V]interface\f[R] or \f[V]router\f[R].
.PP
They support appending \f[V]optional rule parameters\f[R] to limit their
scope to certain clients only.
.TP
protection [reverse] connlimit \f[I]connections\f[R] [mask \f[I]prefix\f[R]]
Allow only a number of connections per client (implemented with
\f[V]connlimit\f[R] with fixed type=\f[I]saddr\f[R]).
.TP
protection [reverse] connrate \f[I]rate\f[R] [burst \f[I]amount\f[R]] [srcmask \f[I]prefix\f[R]] [htable-size \f[I]buckets\f[R]] [htable-max \f[I]entries\f[R]] [htable-expire \f[I]msec\f[R]] [htable-gcinterval \f[I]msec\f[R]]
Allow up to a rate of new connections per client (implemented with
\f[V]hashlimit\f[R] with fixed type=\f[I]upto\f[R] and
mode=\f[I]srcip\f[R]).
.SS EXAMPLES
.PP
Limit the number of concurrent connections to 10 per client
.IP
.nf
\f[C]
protection connlimit 10 mask 32
\f[R]
.fi
.PP
Limit the number of concurrent connections to 100 per client class-C and
also limit it to 5 for 1.2.3.4
.IP
.nf
\f[C]
protection connlimit 100 mask 24
protection connlimit 5 src 1.2.3.4
\f[R]
.fi
.PP
In the last example above, if you want to give client 1.2.3.4 more
connections than all others, you should exclude it from the first
connlimit statement, like this:
.IP
.nf
\f[C]
protection connlimit 100 mask 24 src not 1.2.3.4
protection connlimit 200 src 1.2.3.4
\f[R]
.fi
.PP
Limit all clients to 10 concurrect connections and 60 connections/minute
.IP
.nf
\f[C]
protection connlimit 10
protection connrate 60/minute
\f[R]
.fi
.SH KNOWN ISSUES
.PP
When using multiple types in a single command, if the quotes are
forgotten, incorrect rules will be generated without warning.
.PP
When using multiple types in a single command, FireHOL will silently
ignore any types that come after a group type (\f[V]bad-packets\f[R],
\f[V]strong\f[R] and its aliases).
Only use group types on their own line.
.SH SEE ALSO
.IP \[bu] 2
firehol(1) - FireHOL program
.IP \[bu] 2
firehol.conf(5) - FireHOL configuration
.IP \[bu] 2
firehol-interface(5) - interface definition
.IP \[bu] 2
firehol-router(5) - router definition
.IP \[bu] 2
FireHOL Website (http://firehol.org/)
.IP \[bu] 2
FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
.IP \[bu] 2
FireHOL Online Documentation (http://firehol.org/documentation/)
.SH AUTHORS
FireHOL Team.