Forum Discussion
I need an iRule to decline/refuse an incoming TCP session from a source to a VIP (IP address/port)
- Oct 10, 2023
I plan to use this
# Limit each client IP address to 20 concurrent connections
when CLIENT_ACCEPTED {
    # Check if the subtable already has 20 or more entries
    if { [table keys -subtable connlimit:[IP::client_addr] -count] >= 20 } {
        reject
    } else {
        # Add the client IP:port to the client IP-specific subtable
        # with a max lifetime of 180 seconds
        table set -subtable connlimit:[IP::client_addr] [TCP::client_port] "" 180
    }
}
when CLIENT_CLOSED {
    # When the client connection is closed, remove the table entry
    table delete -subtable connlimit:[IP::client_addr] [TCP::client_port]
}
https://community.f5.com/t5/technical-articles/advanced-irules-tables/ta-p/290369
https://clouddocs.f5.com/api/irules/table.html#:~:text=If%20no%20timeout%20is%20specified,timeout%20will%20not%20be%20changed.
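The iRule session table is global to the device, so if the same subtable-based rule is attached to more than one virtual server, the connlimit:<client IP> subtable pools the client's connections across all of those VIPs. The variant below, an added example that is not from the original post or from F5, keys the subtable on both the client address and the VIP address:port the client connected to, and throttles the reject log line so a burst of refused connections does not flood the log. The limit and timeout values, the static:: variable names and the connlimit_logged subtable name are assumptions for illustration.

```tcl
# Added example (not from the original post or F5): per-source connection
# limit keyed on client IP *and* the VIP (local address:port) the client hit,
# so one iRule can be attached to several virtual servers without their
# counts being pooled together in the global session table.
when RULE_INIT {
    # Maximum concurrent TCP connections allowed per client IP per VIP (assumed value)
    set static::max_conns_per_client 200
    # Table entries expire after this many seconds even if CLIENT_CLOSED never runs
    set static::conn_entry_timeout 180
    # Log at most one reject per client per VIP in this many seconds
    set static::reject_log_interval 60
}

when CLIENT_ACCEPTED {
    # Subtable name combines the source IP and the VIP address:port it connected to
    set subtable "connlimit:[IP::client_addr]:[IP::local_addr]:[TCP::local_port]"

    if { [table keys -subtable $subtable -count] >= $static::max_conns_per_client } {
        # Throttle logging: -notouch so the lookup does not refresh the marker's timeout
        if { [table lookup -notouch -subtable "connlimit_logged" $subtable] eq "" } {
            table set -subtable "connlimit_logged" $subtable 1 $static::reject_log_interval
            log local0. "Connection limit ($static::max_conns_per_client) reached for [IP::client_addr] on [IP::local_addr]:[TCP::local_port]; rejecting"
        }
        reject
        return
    }

    # Track this connection by its client source port; the timeout is a backstop
    # in case the CLIENT_CLOSED cleanup below does not run for a connection
    table set -subtable $subtable [TCP::client_port] "" $static::conn_entry_timeout
}

when CLIENT_CLOSED {
    # Remove this connection's entry so the slot is freed immediately
    set subtable "connlimit:[IP::client_addr]:[IP::local_addr]:[TCP::local_port]"
    table delete -subtable $subtable [TCP::client_port]
}
```

Attach the rule to each virtual server that should enforce the limit; because the subtable name includes the local address and port, each VIP gets its own per-client count. The 180 second timeout is the session table entry's timeout, not a hard lifetime, and it only acts as a backstop for entries whose CLIENT_CLOSED cleanup never happened.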
Hi S_Meulmeester,
You can use connection limit per virtual server and source IP subnet; look at this article:
https://my.f5.com/manage/s/article/K45530602
Don't bother yourself with a complex iRule in this case; it consumes your resources, and sometimes you may not be able to measure the impact if you wrote it wrong or if it consumed a lot of resources.
Hi,
That is not the same as what I need! What you propose is: Connection Rate Limit Mode = rate limiting per second, so if I put it to 10 it will allow 10 connections per second = 600 connections per minute.
I want to be able to limit a source IP to, for example, 200 sessions max, and not per time interval.
- Oct 09, 2023
Hi S_Meulmeester,
Not rate limit; there is another option, connection limit.
If you put, for example, a 10 connection limit, and this source makes 11 connections, the 11th will be dropped until one of the 10 concurrent connections goes out.
Don't go for rate limit.