Chris_75
Participant

fwaccel6 dos rate command - IPv6

Hello,

In order to protect ourselves from DOS traffic towards our DNS servers, we are trying to install a command similar to the following on our Check Point security gateway.

 

Security gateway cluster, R81.20.

 

fwaccel6 dos rate add -l a -a d -n "DNSintProtectRateIPv6" destination range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid begin
ERROR: Bad destination 'range:xyz1:620:40z:2:0:0:0:110-xyz1:620:40z:2:0:0:0:111'

 

We tried with various IPv6 notations (short notation, fully expanded notation), with the same result.

We also tried with the destination as CIDR, with or without mask, with the same result.

In the documentation and in the forum we could not find examples with the correct notation.

Can we use this command for IPv6? Do you have an example of a correct syntax for the IPv6 address?

 

Thanks for you 

Christophe

 

 

0 Kudos
4 Replies
_Val_
Admin
Admin

It is supposed to be a single IP for destination, not a range. Please try adding two IP addresses consecutively with two different commands.

0 Kudos
Chris_75
Participant

Hi, thx for the suggestion.

Seems to behave in the same way, see below:

ngf01:mplane> fwaccel6 dos rate add -l a -a d destination range:xyz1:620:40z:2:0:0:0:110 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid begin
ERROR: Bad destination 'range:xyz1:620:40z:2:0:0:0:110'
ngf01:mplane> fwaccel6 dos rate add -l a -a d destination range:xyz1:620:40z:2::110 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid begin
ERROR: Bad destination 'range:xyz1:620:40z:2::110'
ngf01:mplane> fwaccel6 dos rate add -l a -a d destination cidr:xyz1:620:40z:2::110 service 17/53 new-conn-rate 250 track source
ERROR: address is too long
ERROR: invalid net
ERROR: Bad destination 'cidr:xyz1:620:40z:2::110'
ngf01:mplane>

0 Kudos
_Val_
Admin
Admin

Should be "fwaccel6 dos rate add -l a -a d destination xyz1:620:40z:2:0:0:0:110 service 17/53 new-conn-rate 250 track source"

Please stick to the documented syntax.

0 Kudos
Chris_75
Participant

I could open a ticket; it looks like we need to put brackets around the IPv6 address, like:

Clish> fwaccel6 dos rate add -a d -l a destination range:[1:620:40:2:0:0:0:110]-[1:620:40:2:0:0:0:111] service 17/53 new-conn-rate 250 track source

It worked for me.

Thx

0 Kudos
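
An added example, not part of the original thread and not Check Point code: a Python helper that validates a list of IPv6 server addresses, merges consecutive addresses into ranges and builds the command in the bracketed form reported to work in the last reply. The function names are hypothetical, and writing a single address as a range with identical begin and end is an assumption the thread does not test.

```python
import ipaddress


def groups(addr):
    """Format an address as eight unpadded hex groups, the form used in the thread."""
    n = int(addr)
    return ":".join(format((n >> (112 - 16 * i)) & 0xFFFF, "x") for i in range(8))


def collapse(addresses):
    """Validate IPv6 strings, then merge consecutive addresses into (begin, end) pairs.

    ipaddress.IPv6Address raises ValueError on anything that is not valid IPv6,
    so a typo is caught here instead of at the gateway prompt.
    """
    parsed = sorted({ipaddress.IPv6Address(a) for a in addresses})
    ranges = []
    for addr in parsed:
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = addr          # extends the current range by one
        else:
            ranges.append([addr, addr])   # starts a new range
    return [(begin, end) for begin, end in ranges]


def dos_rate_commands(addresses, service="17/53", rate=250):
    """Build one 'fwaccel6 dos rate add' line per range, using only options seen in the thread."""
    commands = []
    for begin, end in collapse(addresses):
        # Brackets around each address, as reported working in the thread.
        # Assumption: a lone address is written as a range with begin == end.
        dest = f"range:[{groups(begin)}]-[{groups(end)}]"
        commands.append(
            f"fwaccel6 dos rate add -a d -l a destination {dest} "
            f"service {service} new-conn-rate {rate} track source"
        )
    return commands


if __name__ == "__main__":
    # Constructed input: the two addresses from the thread plus one made-up neighbour.
    sample = ["1:620:40:2::111", "1:620:40:2:0:0:0:110", "1:620:40:2::200"]
    for line in dos_rate_commands(sample):
        print(line)
```

The output is text to paste into Clish; the script itself does not touch the gateway.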
