https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/205875#M38865 <P>Hello,</P><P>In order to protect ourself from DOS traffic towards our DNS servers, we try to install command similar to the following on our checkpoint security gateway.</P><P>&nbsp;</P><P>Security gateway cluster, R81.20.</P><P>&nbsp;</P><P>fwaccel6 dos rate add -l a -a d -n "DNSintProtectRateIPv6" destination range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111 service 17/53 new-conn-rate 250 track source<BR />ERROR: address is too long<BR />ERROR: invalid begin<BR />ERROR: Bad destination 'range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111'</P><P>&nbsp;</P><P>We tried with various IPv6 notation, short notation, fully expanded notation, same result.</P><P>We tried also with the destination as cidr, with or without mask, same result.</P><P>In the documentation and in the forum we could not find examples with the correct notation.</P><P>Can we use this command for IPv6? Do you have anexample of a correct syntax for the IPv6 address?&nbsp;</P><P>&nbsp;</P><P>Thanks for you&nbsp;</P><P>Christophe</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 13 Feb 2024 10:07:40 GMT Chris_75 2024-02-13T10:07:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/205875#M38865 <P>Hello,</P><P>In order to protect ourself from DOS traffic towards our DNS servers, we try to install command similar to the following on our checkpoint security gateway.</P><P>&nbsp;</P><P>Security gateway cluster, R81.20.</P><P>&nbsp;</P><P>fwaccel6 dos rate add -l a -a d -n "DNSintProtectRateIPv6" destination range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111 service 17/53 new-conn-rate 250 track source<BR />ERROR: address is too long<BR />ERROR: invalid begin<BR />ERROR: Bad destination 'range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111'</P><P>&nbsp;</P><P>We tried with various IPv6 notation, short notation, fully expanded notation, same result.</P><P>We tried also with the destination as cidr, with or without mask, same result.</P><P>In the documentation and in the forum we could not find examples with the correct notation.</P><P>Can we use this command for IPv6? Do you have anexample of a correct syntax for the IPv6 address?&nbsp;</P><P>&nbsp;</P><P>Thanks for you&nbsp;</P><P>Christophe</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 13 Feb 2024 10:07:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/205875#M38865 Chris_75 2024-02-13T10:07:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/205888#M38866 <P>It is supposed to be a single IP for destination, not range. Please try adding two IP addresses consecutively with two different commands</P> Tue, 13 Feb 2024 10:58:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/205888#M38866 _Val_ 2024-02-13T10:58:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/205943#M38870 <P>Hi, thx for the suggestion.</P><P>Seems to behave in the same way, see below:</P><P>ngf01:mplane&gt; fwaccel6 dos rate add -l a -a d destination range:xyz1:620:40z:2:0:0:0:110 service 17/53 new-conn-rate 250 track source<BR />ERROR: address is too long<BR />ERROR: invalid begin<BR />ERROR: Bad destination 'range:xyz1:620:40z:2:0:0:0:110'<BR />ngf01:mplane&gt; fwaccel6 dos rate add -l a -a d destination range:xyz1:620:40z:2::110 service 17/53 new-conn-rate 250 track source<BR />ERROR: address is too long<BR />ERROR: invalid begin<BR />ERROR: Bad destination 'range:xyz1:620:40z:2::110'<BR />ngf01:mplane&gt; fwaccel6 dos rate add -l a -a d destination cidr:xyz1:620:40z:2::110 service 17/53 new-conn-rate 250 track source<BR />ERROR: address is too long<BR />ERROR: invalid net<BR />ERROR: Bad destination 'cidr:xyz1:620:40z:2::110'<BR />ngf01:mplane&gt;</P> Tue, 13 Feb 2024 14:40:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/205943#M38870 Chris_75 2024-02-13T14:40:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/206043#M38918 <P>Should be "<SPAN>fwaccel6 dos rate add -l a -a d destination xyz1:620:40z:2:0:0:0:110 service 17/53 new-conn-rate 250 track source"<BR /><BR />Please stick to the documented syntax.</SPAN></P> Wed, 14 Feb 2024 10:46:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/206043#M38918 _Val_ 2024-02-14T10:46:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/207349#M39207 <P>I could open a ticket, it looks like we need to put bracket for the ipv6 address, like:</P><P>Clish&gt; fwaccel6 dos rate add -a d -l a destination range:[1:620:40:2:0:0:0:110]-[1:620:40:2:0:0:0:111] service 17/53 new-conn-rate 250 track source</P><P>It worked for me.</P><P>Thx</P> Wed, 28 Feb 2024 10:19:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/fwaccel6-dos-rate-command-IPv6/m-p/207349#M39207 Chris_75 2024-02-28T10:19:16Z