Since IPFire 2.15 there is a new firewall GUI. It comes with so many new features and makes so many things easier. With the upcoming Core Update, it has been extended and adds two very interesting features that I would like to spotlight in this post.
Limit concurrent connections
For each firewall rule you will be able to define how many concurrent connections are allowed per IP address. A simple and in fact extremely useful application for that would be to apply this to a port forwarding rule to your mail server. Big email providers like GMail or email servers that use postfix will never open more than a couple of simultaneous connections to deliver emails to you. Spammers actually open lots of connections at the same time and will try to flood your email server with unwanted emails – or if they cannot deliver them, will at least slow down your server.
So this feature helps to protect your mail server – and of course every other server behind the firewall – from Denial-of-Service (DoS) attacks in that way, that the bad packets don’t even get anywhere near your server and are instead thrown away directly at the firewall.
Rate-limit new connections
Limiting the number of concurrent connections per IP address is just one way of protecting your services from DoS attacks. The other new feature is to rate-limit new connections. So there is only a certain number of new connections that are forwarded from the Internet to your web server for example. If there is someone sending thousands of requests to your web server just to render it unresponsive, you are now able to block him away with this feature. Your web server will only get as many requests as it can cope with and on top: this feature does even work for distributed DoS attacks.
These features both enable IPFire to mitigate smaller Denial-of-Service attacks and help you to protect your servers from threats outside or simple configuration errors that may make your servers very slow. I am personally very happy to add these very simple but at the same time very helpful features.