Originally posted by bauer
Hello

I think it is indispensable. I have this control in place and it has been working perfectly. Besides limiting the simultaneous connections per client, I block UDP, allowing only port 53 for DNS lookups. The rules are below:
## IP >> Firewall >> Mangle
/ip firewall mangle
# Mark packets that are exempt from the connection limit (FTP, SMTP, HTTP, POP3, HTTPS, MSN)
add chain=forward src-address=192.168.10.0/24 protocol=tcp dst-port=21 action=mark-packet new-packet-mark=semlimite passthrough=yes
add chain=forward src-address=192.168.10.0/24 protocol=tcp dst-port=25 action=mark-packet new-packet-mark=semlimite passthrough=yes
add chain=forward src-address=192.168.10.0/24 protocol=tcp dst-port=80 action=mark-packet new-packet-mark=semlimite passthrough=yes
add chain=forward src-address=192.168.10.0/24 protocol=tcp dst-port=110 action=mark-packet new-packet-mark=semlimite passthrough=yes
add chain=forward src-address=192.168.10.0/24 protocol=tcp dst-port=443 action=mark-packet new-packet-mark=semlimite passthrough=yes
add chain=forward src-address=192.168.10.0/24 protocol=tcp dst-port=1863 action=mark-packet new-packet-mark=semlimite passthrough=yes
## IP >> Firewall >> Filter
/ip firewall filter
# Limit each client (/32 source) to 10 simultaneous connections; packets marked semlimite are not counted
add chain=forward src-address=192.168.10.0/24 protocol=tcp tcp-flags=syn packet-mark=!semlimite connection-limit=10,32 action=drop
# Drop all UDP except DNS (destination port 53)
add chain=forward src-address=192.168.10.0/24 protocol=udp dst-port=!53 action=drop
Regards.
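To see what the posted rule set actually does to traffic, here is a small packet-filter simulator that models bauer's mangle and filter rules and runs a few constructed scenarios through them. This is an added example, not code from the original post or from MikroTik; the client address 192.168.10.50, the 203.0.113.x and 10.0.0.5 addresses and the port choices are constructed test data. Two modeling assumptions are made: the connection-limit match counts every tracked TCP connection from the /32 source (the new one included, so at most 10 unmarked connections succeed), and no other firewall rules exist. The scenarios make one consequence of the UDP rule explicit: anything that is UDP and not destined to port 53, such as NTP (123/udp) or QUIC (443/udp), is dropped for the 192.168.10.0/24 clients, while hosts outside that range are untouched by these rules.

```python
"""Simulator for the posted MikroTik mangle + filter rules (added example, not from the original post)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Values taken directly from the posted rules
LAN = ipaddress.ip_network("192.168.10.0/24")
UNLIMITED_TCP_PORTS = {21, 25, 80, 110, 443, 1863}   # dst-ports marked "semlimite" in mangle
CONN_LIMIT = 10                                       # connection-limit=10,32 -> per /32 source
DNS_PORT = 53                                         # the only UDP dst-port left open


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = False     # True for a TCP connection attempt (tcp-flags=syn)


class Firewall:
    """Evaluates a packet against the mangle chain, then the filter chain."""

    def __init__(self):
        # Assumption: one tracked-connection table keyed by /32 source; counts
        # every TCP connection the source has opened, marked or not.
        self.connections = defaultdict(set)   # src -> {(dst, dport), ...}

    def mangle(self, pkt: Packet):
        """Mangle chain: returns the packet-mark the six mark-packet rules would set."""
        in_lan = ipaddress.ip_address(pkt.src) in LAN
        if in_lan and pkt.proto == "tcp" and pkt.dport in UNLIMITED_TCP_PORTS:
            return "semlimite"
        return None

    def filter(self, pkt: Packet) -> str:
        """Filter chain: 'drop' if either drop rule matches, else 'accept'."""
        mark = self.mangle(pkt)
        in_lan = ipaddress.ip_address(pkt.src) in LAN

        # Rule 1: SYN from the LAN, not marked semlimite, over the per-/32 limit -> drop
        if in_lan and pkt.proto == "tcp" and pkt.syn and mark != "semlimite":
            if len(self.connections[pkt.src]) + 1 > CONN_LIMIT:
                return "drop"

        # Rule 2: UDP from the LAN to any port other than 53 -> drop
        if in_lan and pkt.proto == "udp" and pkt.dport != DNS_PORT:
            return "drop"

        # Accepted SYN: the connection becomes a tracked entry for this source
        if pkt.proto == "tcp" and pkt.syn:
            self.connections[pkt.src].add((pkt.dst, pkt.dport))
        return "accept"


def run_scenarios() -> dict:
    """Constructed traffic from one LAN client; returns the verdict per scenario."""
    fw = Firewall()
    client = "192.168.10.50"
    results = {}

    # 12 connection attempts to a non-exempt port (5222): only the first 10 get through
    results["unmarked_syn"] = [
        fw.filter(Packet(client, f"203.0.113.{i}", "tcp", 5222, syn=True))
        for i in range(1, 13)
    ]
    # HTTP is marked semlimite, so it still connects once the client is at the limit
    results["http_syn_after_limit"] = fw.filter(Packet(client, "203.0.113.99", "tcp", 80, syn=True))
    # UDP: DNS passes, everything else from the LAN is dropped (NTP, QUIC, ...)
    results["dns"] = fw.filter(Packet(client, "203.0.113.53", "udp", 53))
    results["ntp"] = fw.filter(Packet(client, "203.0.113.10", "udp", 123))
    results["quic"] = fw.filter(Packet(client, "203.0.113.10", "udp", 443))
    # A source outside 192.168.10.0/24 is not matched by any of the posted rules
    results["other_host_ntp"] = fw.filter(Packet("10.0.0.5", "203.0.113.10", "udp", 123))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Running it shows ten accepts followed by two drops for the unmarked SYNs, an accept for the HTTP SYN made after the limit was reached, and drops for NTP and QUIC from the LAN client; the same NTP packet from 10.0.0.5 is accepted because the rules are scoped to src-address=192.168.10.0/24.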