[j-nsp] per flow rate-limiting on Juniper equipment
Martin T
m4rtntns at gmail.com
Wed Dec 2 03:44:52 EST 2015
Hi,
which Juniper products support per-flow rate-limiting? I mean functionality similar
to, for example, the iptables "recent"
module (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.16).
For example, the following iptables rules build a dynamic source IP list if
new (not reply) UDP traffic with source port 53 enters the
interface eth0, and allow 4 packets within 10 seconds per IP address
through:
# iptables -t filter -L FORWARD -nv --line-numbers
Chain FORWARD (policy ACCEPT 9 packets, 1704 bytes)
num   pkts bytes target prot opt in   out  source     destination
1       40  7200        udp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   udp spt:53 state NEW recent: SET name: DNS-traffic-sources side: source mask: 255.255.255.255
2       34  6120 DROP   udp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   udp spt:53 state NEW recent: UPDATE seconds: 10 hit_count: 4 name: DNS-traffic-sources side: source mask: 255.255.255.255
#
Is there any Juniper equipment which is able to do this?
thanks,
Martin
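Added example, not part of the original post: a small Python model of the two "recent" rules above (rule 1 --set, rule 2 --update --seconds 10 --hitcount 4 -j DROP), run over a constructed packet trace so the admitted rate per source can be checked before reproducing the policy on other equipment. It assumes every packet in the trace has already matched the "udp spt:53 state NEW in eth0" part of both rules, and that the per-address stamp list is bounded at the xt_recent default of 20 entries. Note that the hit count includes the stamp rule 1 just recorded for the current packet, so the fourth new packet from a source inside the window is the first one dropped.

```python
"""Model of iptables 'recent' --set followed by --update --seconds S --hitcount N.

Constructed simulation (not the kernel code): one named list keyed by source
IP, each entry holding a bounded ring of timestamps, as xt_recent does.
"""
from collections import defaultdict, deque

SECONDS = 10          # --seconds from rule 2
HITCOUNT = 4          # --hitcount from rule 2
PKT_LIST_TOT = 20     # xt_recent ip_pkt_list_tot default: stamps kept per address


class RecentTable:
    """One 'recent' list (the post's DNS-traffic-sources), keyed by source IP."""

    def __init__(self, max_stamps=PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        # --set: add the address if missing and record this packet's time.
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match only if the address is listed
        # and at least N recorded stamps fall within the last S seconds.
        # On a match the current time is recorded too (unlike --rcheck).
        if src not in self.stamps:
            return False
        window_start = now - seconds
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_trace(packets, seconds=SECONDS, hitcount=HITCOUNT):
    """Apply rule 1 then rule 2 to each (src, time) packet; return verdicts."""
    table = RecentTable()
    verdicts = []
    for src, now in packets:
        table.set(src, now)                                   # rule 1
        dropped = table.update(src, now, seconds, hitcount)   # rule 2 -> DROP
        verdicts.append((src, now, "DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed trace: 10.0.0.1 bursts five packets, another source sends one,
# then 10.0.0.1 returns after its 10-second window has expired.
TRACE = [("10.0.0.1", 0.0), ("10.0.0.1", 1.0), ("10.0.0.1", 2.0),
         ("10.0.0.1", 3.0), ("10.0.0.1", 4.0), ("10.0.0.2", 4.5),
         ("10.0.0.1", 15.0)]

if __name__ == "__main__":
    for src, t, verdict in filter_trace(TRACE):
        print(f"{t:5.1f}s {src:<10} {verdict}")
```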