Rate limiting with UFW: setting limits

UFW is designed to be "uncomplicated," which in this case means you don't have control over the particulars of the rate to which connections are limited. If you want to dig into the Python source of UFW, you could find out how to tweak it. The appropriate information is (on my Ubuntu 10.04 system) in /usr/share/pyshared/ufw/backend_iptables.py

Setting the timing issue aside, therefore, here are some answers to your rapid-fire questions at the end.

1. Assuming 10.10.10.0/24 is your local network, this applies the default limiting rule to port 80/tcp incoming:

   ufw limit from any to 10.10.10.0/24 port http comment 'limit web'
   

2. and 3. Rate limiting is not turned on by default. To add it to every (destination) port except the range you want, use this rule. Note that rules (even with ranges) are atomic units and cannot be split up. You cannot, for example, add a rule for any port, then delete a (nonexistent) rule for a particular range to remove it. limit is not an acceptable argument to ufw default, either.

   ufw limit from any to any port 0:29999,30006:65535
   

As mentioned on the previous post you can customize the user.rules. I need my smtp connection rate limit of up to 12 connections in 6 seconds. I added a rule as shown below first. Note: this adds a limit rule allowing 6 in 30 sec by default

ufw limit smtp

and I edited the /lib/ufw/user.rules (I keep a custom copy of this file with lot of other tweaks) as shown below ...

### tuple ### limit tcp 25 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --set
-A ufw-user-input -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 6 --hitcount 12 -j ufw-user-limit
-A ufw-user-input -p tcp --dport 25 -j ufw-user-limit-accept

Rate limit can be changed on the UFW rules file which can be found /lib/ufw/user.rules.

By default there are no limits enabled for all ports. you should add every port manually or by editing user.rules file.

It is worthwhile to point out possible unintended consequences of using ufw's LIMIT feature.

Suppose one placed a blanket limit on port 22/tcp as the first ufw rule:

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere                  
...

with the assumption that any connections operating under the limit could still be filtered by following ufw rules and finally the default policy of "deny(incoming)".

At least for ufw 0.35, that assumption would be wrong. In fact the LIMIT IN logic immediately accepts any input not rejected by the limit criterion.

In psuedocode, the LIMIT logic is

if CONDITION then DENY else ACCEPT

whereas other ufw rules seem to have logic:

if CONDITION then (DENY|ACCEPT) else continue to next rule.

I personally found that to be unexpected behavior for ufw LIMIT, which I only discovered by unexpectedly finding many port 22 login attempts in the system log file which should have never happened due to filtered by other ufw rules.

Details of behavior confirmation

The relevant lines of iptables code inserted by ufw are as follows:

-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --mask 255.255.255.255 --rsource -j ufw-user-limit
-A ufw-user-input -p tcp -m tcp --dport 22 -j ufw-user-limit-accept
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

The above listing can be created with

iptables -S | grep ufw-user-limit

The first two lines are consecutive in ufw-user-input which can be confirmed with

iptables -S | grep ufw-user-input