If you have found any bug, please post it to issue report.

Frequently Asked Questions

Can I limit session number for only a specific page?

Yes, you can limit the session number for only a specific page. However, you must turn off the Online Session Limit in the Firewall Panel first, as its scope is global and cannot be used in the same data pool.

After disabling Online Session Limit, you can utilize Shieldon's public API. For example, consider the following code:

if (strpos($_SERVER['REQUEST_URI'], 'faq/online-session-limit.html') !== false) {
    $firewall->getKernel()->limitSession(5, 300);

This page limits the maximum number of users to 5, with each user allowed to view the page for 300 seconds.

When a user enters this page and the user count has reached the limit, a dialog similar to the following screenshot will be displayed:

How do I block all IP addresses for a specific URL?

I haven't included the block all feature in the Firewall Panel to prevent some individuals from blocking all IP addresses associated with the URL /. Doing so would block all URLs, including access to the Firewall Panel. Instead, I suggest using the IP manager and setting up a specific IP range as needed.

If you want to block all IP addresses for a specific URL, the following code will assist you.

// Put this code before $firewall->run();
if (strpos($_SERVER['REQUEST_URI'], 'example/block-all.html') !== false) {

This is an example page that blocks all IP addresses from accessing it.

When a user is blocked, they will encounter a dialog similar to the screenshot below.

Warning: If you click this example link, you will be blocked from accessing this website. You have to wait for 60 minutes until the block is lifted.

What is the default login and password for Firewall Panel?

The default username is shieldon_user and the password is shieldon_pass. After logging into the Firewall Panel, the first thing you should do is change the username and password.

Can Shieldon Firewall truly mitigate DDOS attack?

For small-scale HTTP-type DDOS attacks, my answer is YES, but the real-life scenario can depend on many factors such as bandwidth, hardware quality, system adjustments, code quality, and more.

Let's consider a simple example. Assume that your website has an average page size of 3 MB, and your server has a bandwidth of 100 Mbps. Your server can handle a data rate of about 12.5 MB/s. If someone decides to maliciously attack your website, how many attack sources do you think it would take to overwhelm your server? This doesn't even take into account the potential strain on your MySQL connections.

Shieldon Firewall interrupts these malicious connections, returning a CAPTCHA page that is less than 50 KB in size. It halts further execution of PHP scripts, preventing further MySQL connections. In this way, Shieldon Firewall can save memory and CPU usage when your website is under attack. However, this is merely a mitigation strategy for HTTP-type DDOS attacks, not a final solution.