I have found the CP firewall to be quite useful at blocking very basic DoS attacks, but the downside is that some legitimate traffic can suffer. For example, if a single attacker is spamming packets containing a certain string and I rate-limit that to 10/s, then any legitimate traffic with the same string can still be lost. The thing that would really help is if there was a filter that doesn't block *all* incoming packets, but rather all packets from any single IP that meets the filter criteria (in other words, check rate and IP simultaneously as criteria).
In this case you should just block the IP entirely. If that IP is sending you malicious traffic it just needs to be blocked and not rate limited.
What you described is a little confusing, but from what I am getting out of it, it seems a little pointless to only block this string from this IP. If it's sending you malicious traffic, block it entirely.
Alternatively, if there was a filter that combined IP block with rate-limiting criteria, such that any single IP that sent X number of packets per second meeting Y criteria would then be blocked by the IP (like adding a new rule to block an IP); in other words, identify packets to block based on rate, but only block by IP.
This is pretty much available. You would just need to do a simple rate limit on the IP you want and where it says "this number per second" enter 1. This will then rate limit that IP if it sends more than a single packet per second, which is pretty much blocking it.
Another improvement that I do not think would be difficult (maybe I'm wrong) is to allow blocking of traffic directed *to* a specific port, rather than just from a specific port. I think this is possible by manually accessing the OS firewall, but the CP firewall is so much more convenient that it would be nice to have.
This is already possible, but doesn't show up when you select "all" inbound packets. You would need to select UDP or TCP from the drop-down box. If you needed it for both you would just need to duplicate the rule.
Finally, much unwanted traffic comes from countries like China. Of course a user could manually add the entire IP range of China, but it would be quite convenient to have an automatic filter option like "Only allow traffic from North America and Europe" or something like that. I am probably not the only person who does not expect to ever have legitimate traffic from most of Asia.
This has definitely been suggested a few times. The problem is keeping that list up to date and accurate. Not to mention, entire countries have a lot of IPs. Since this is a software firewall, having it block thousands upon thousands of IPs would hurt performance of the host machine.
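
The difference between the shared rate limit and the per-source rule requested earlier in the thread, as an added example that is not part of the thread or of the control panel's firewall. The function names, the match string, the 10/s threshold and the traffic are all constructed for illustration.

```python
from collections import defaultdict, deque

ATTACKER, LEGIT = "203.0.113.7", "198.51.100.20"   # documentation-range IPs
PATTERN, LIMIT, WINDOW = b"getstatus", 10, 1.0      # constructed filter: 10 matches/s

def _prune(q, ts):
    # Forget matches that have left the sliding window.
    while q and ts - q[0] >= WINDOW:
        q.popleft()

def global_limit(packets):
    """One shared budget for every sender (the behaviour the first post complains about)."""
    q, passed = deque(), []
    for ts, src, payload in packets:
        if PATTERN in payload:
            _prune(q, ts)
            if len(q) >= LIMIT:
                continue                      # dropped, whoever sent it
            q.append(ts)
        passed.append((ts, src))
    return passed

def per_source_block(packets):
    """Count matches per source IP; an IP over the limit is blocked outright."""
    hits, blocked, passed = defaultdict(deque), set(), []
    for ts, src, payload in packets:
        if src in blocked:
            continue
        if PATTERN in payload:
            q = hits[src]
            _prune(q, ts)
            q.append(ts)
            if len(q) > LIMIT:
                blocked.add(src)              # equivalent to adding an IP block rule
                del hits[src]
                continue
        passed.append((ts, src))
    return passed, blocked

# Constructed traffic: 50 matching packets/s from one source, 2 from a normal client.
PACKETS = sorted([(i * 0.02, ATTACKER, PATTERN) for i in range(50)]
                 + [(0.505, LEGIT, PATTERN), (0.905, LEGIT, PATTERN)])

def legit_count(passed):
    return sum(1 for _, src in passed if src == LEGIT)

if __name__ == "__main__":
    print("shared limit, legit passed:", legit_count(global_limit(PACKETS)))
    passed, blocked = per_source_block(PACKETS)
    print("per-source, legit passed:", legit_count(passed), "blocked:", blocked)
```
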