DDoS-Protection :: Flexrules
Flexrules are flexible rules which can be created via both APIv3 and our Customer Area. They allow you to accept (whitelist) or discard (blacklist) traffic, or to configure the behaviour of the network-related DDoS-Protection (flowShield).
Please read the below points carefully to understand how flexrules are configured properly.
Flexrules can be created for single IP prefixes (IPv4 /32) or whole subnets (IPv4 /24, for example), using the longest-prefix-match principle. Longest-Prefix-Match (LPM) means that only the rules for the longest matching prefix are processed: if you have rules for both a /32 and a /24 prefix, only the /32 rules are processed. If no rule for the /32 is present but rules for the /24 exist, the /24 rules are processed.
Rules are processed before any other filter logic is reached, allowing you to whitelist or blacklist traffic, or to configure the filter logic that follows.
Sequence numbers indicate the order in which the flexrules for a single prefix are processed. Processing stops at the first match: if you have a rule with sequence number 1 and another with sequence number 2, and rule 1 matches because of its parameters (source IP, protocol, etc.), rule 2 is not processed.
Rules are processed as a continuous chain of sequence numbers. The very first rule for a prefix must start at sequence number 1, and all further rules must use 2, 3, 4, 5 and so forth; processing stops at the last continuous rule in the chain. That is, if you have sequence numbers 1, 2, 3, 4 and 6, processing stops at 4, because the continuous chain ends at sequence number 4 and rule 6 is never processed.
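As an added illustration (not flowShield's own code), the following Python models the matching semantics described above: longest-prefix match selects which prefix's rules apply, the chain is walked from sequence 1 upward, and it stops at the first match or at the first missing sequence number. The rule fields, the packet dictionary keys and the sample addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the flexrule semantics above (not flowShield's code); names are assumptions.
@dataclass
class FlexRule:
    prefix: str                      # destination prefix the rule belongs to
    sequence: int                    # position in the per-prefix chain
    action: str                      # "accept" or "discard"
    src: Optional[str] = None        # optional source prefix to match
    protocol: Optional[str] = None   # optional ip-protocol to match
    dst_port: Optional[int] = None   # optional destination port to match

def rule_matches(rule: FlexRule, pkt: dict) -> bool:
    # A rule matches when every parameter it sets agrees with the packet.
    if rule.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if rule.protocol and rule.protocol != pkt["protocol"]:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.get("dst_port"):
        return False
    return True

def evaluate(rules: list, pkt: dict):
    """(action, sequence) of the first matching rule, or None if the packet falls through."""
    dst = ipaddress.ip_address(pkt["dst"])
    # Longest-prefix match: only the most specific prefix covering the
    # destination is consulted; a /24 is ignored when the /32 has any rules.
    covering = [ipaddress.ip_network(r.prefix) for r in rules
                if dst in ipaddress.ip_network(r.prefix)]
    if not covering:
        return None
    best = max(covering, key=lambda net: net.prefixlen)
    chain = {r.sequence: r for r in rules if ipaddress.ip_network(r.prefix) == best}
    # Continuous chain: walk 1, 2, 3, ... and stop at the first match or at
    # the first missing sequence number; later rules are never reached.
    seq = 1
    while seq in chain:
        if rule_matches(chain[seq], pkt):
            return (chain[seq].action, seq)
        seq += 1
    return None

RULES = [  # constructed sample rule set (documentation address ranges)
    FlexRule("203.0.113.0/24", 1, "discard", protocol="udp"),
    FlexRule("203.0.113.10/32", 1, "accept", protocol="udp", dst_port=27015),
    FlexRule("203.0.113.10/32", 2, "discard", protocol="udp"),
    FlexRule("203.0.113.10/32", 4, "discard", protocol="tcp"),  # unreachable: 3 missing
]
```

With this rule set, UDP to 203.0.113.10 on port 27015 is accepted by sequence 1, other UDP to that host is discarded by sequence 2, and TCP to it falls through because sequence 4 sits behind a gap; the /24 rule only applies to hosts without /32 rules.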
You can use flexrules to achieve the following:
Accept or discard traffic by matching source IP address, IP protocol, TCP flags, payload and packet length, until a certain rate limit is reached
Strictly configure the filters to only allow traffic on specific ports or for specific applications, e.g. blocking all UDP ports and only allowing certain gameserver-specific traffic