Rate limiting with UFW: setting limits

Solution 1:

UFW is designed to be "uncomplicated," which in this case means you don't have control over the particulars of the rate at which connections are limited. If you want to dig into the Python source of UFW, you could find out how to tweak it. The appropriate information is (on my Ubuntu 10.04 system) in /usr/share/pyshared/ufw/backend_iptables.py

Setting the timing issue aside, therefore, here are some answers to your rapid-fire questions at the end.

  1. Assuming 10.10.10.0/24 is your local network, this applies the default limiting rule to port 80/tcp incoming:

    ufw limit from any to 10.10.10.0/24 port http comment 'limit web'
    
  2. and 3. Rate limiting is not turned on by default. To add it to every (destination) port except the range you want, use this rule. Note that rules (even with ranges) are atomic units and cannot be split up. You cannot, for example, add a rule for any port, then delete a (nonexistent) rule for a particular range to remove it. limit is not an acceptable argument to ufw default, either.

    ufw limit proto tcp from any to any port 1:29999,30006:65535
    

Solution 2:

As mentioned in the previous post, you can customize user.rules. I needed my SMTP connection rate limit to be up to 12 connections in 6 seconds. I added a rule as shown below first. Note: this adds a limit rule allowing 6 connections in 30 seconds by default.

ufw limit smtp

and I edited /lib/ufw/user.rules (I keep a custom copy of this file with a lot of other tweaks) as shown below ...

### tuple ### limit tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set
-A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 6 --hitcount 12 -j ufw-user-limit
-A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept

Solution 3:

The rate limit can be changed in the UFW rules file, which can be found at /lib/ufw/user.rules.

By default there are no limits enabled for any ports. You should add every port manually or by editing the user.rules file.