I have an issue with some users that open up absurd numbers of connections through the firewall at times due to filesharing, poorly written web apps, etc. I'd like to limit the number of connections per-host to, say, 100.
I've implemented the following configuration on a PIX515E running 7.2(4) and supporting about 100 users as a test before I implement it on our ASA5520s with 7.2(4) which support around 3000 users.
access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list limit-conns extended deny ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list limit-conns extended permit ip 10.4.5.0 255.255.255.0 any
access-list limit-conns extended deny ip any any
match access-list limit-conns
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
set connection per-client-max 75
service-policy global_policy global
It seems to be working, because from time to time I'll see the following messages in the syslog:
Aug 12 2008 11:53:22: %PIX-3-201013: Per-client connection limit exceeded 75/75 for input packet from 10.4.5.183/2351 to 18.104.22.168/80 on interface inside
I have a Perl script that I created that will log into the firewall and parse the connection data so I have an idea of who has how many connections open... With the above config in place, and even when I see the syslog message, I check the connection counts and see hosts with 150-ish connections at times.
From what I have read, the policy should enforce the 75 connection limit, shouldn't it? Is there something I'm missing? Thanks.
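Added example, not the poster's Perl script: a Python sketch that tallies connections per inside host from pasted "show conn" output and, by evaluating the limit-conns ACL from the post, separates the connections the per-client limit covers from the internal (10/8 and 192.168/16) destinations the ACL denies. The "show conn" line layout and the sample lines are assumptions constructed for the example, not real firewall output.

```python
import ipaddress
import re
from collections import defaultdict

# The limit-conns ACL from the post as ordered (action, source, destination) rules.
LIMIT_CONNS_ACL = [
    ("deny", "10.0.0.0/8", "10.0.0.0/8"),
    ("deny", "10.0.0.0/8", "192.168.0.0/16"),
    ("permit", "10.4.5.0/24", "0.0.0.0/0"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample, not real firewall output; the line layout is an assumption
# modelled on PIX/ASA 7.x "show conn" ("out" = outside peer, "in" = inside host).
SAMPLE_SHOW_CONN = """\
TCP out 18.104.22.168:80 in 10.4.5.183:2351 idle 0:00:05 bytes 1234 flags UIO
TCP out 18.104.22.168:80 in 10.4.5.183:2352 idle 0:00:02 bytes 512 flags UIO
TCP out 10.1.1.10:445 in 10.4.5.183:2353 idle 0:00:01 bytes 900 flags UIO
TCP out 192.168.1.5:139 in 10.4.5.183:2354 idle 0:00:09 bytes 77 flags UIO
UDP out 18.104.22.168:53 in 10.4.5.20:4000 idle 0:00:01 bytes 60 flags -
"""

CONN_RE = re.compile(r"^(TCP|UDP) out (\d+\.\d+\.\d+\.\d+):\d+ in (\d+\.\d+\.\d+\.\d+):\d+")


def acl_permits(src, dst, acl=LIMIT_CONNS_ACL):
    """First-match evaluation of the ACL; True means the flow is in the limited class."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def count_per_host(show_conn_text):
    """Tally connections per inside host, split into limited vs. exempt (internal) flows."""
    counts = defaultdict(lambda: {"limited": 0, "exempt": 0})
    for line in show_conn_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # skip headers and any line in a layout we do not recognise
        _proto, outside, inside = m.groups()
        bucket = "limited" if acl_permits(inside, outside) else "exempt"
        counts[inside][bucket] += 1
    return dict(counts)


def hosts_over(counts, limit):
    """Inside hosts whose limited connections exceed the per-client-max value."""
    return sorted(host for host, c in counts.items() if c["limited"] > limit)
```

Comparing the "limited" column against the 75 configured shows whether a host with 150 entries in "show conn" actually has more than 75 connections inside the class the policy applies to, or whether the rest are internal flows the ACL excludes.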