shorewall rate limiting requests

Add the following to your rules file:

# allow http
ACCEPT net $FW tcp 80 - - s:20/min:30
# allow https
ACCEPT net $FW tcp 443 - - s:20/min:30

Make sure you don't have any rule that accepts traffic on these ports before these rules. Shorewall evaluates rules in the order they are listed in the file.
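One way to check this ordering before restarting Shorewall, as an added example that is not part of the original page. The function names and the sample rules file are constructed for illustration, and the script assumes plain rules with the column layout shown in its comments.

```shell
#!/bin/sh
# Column layout assumed: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE.
# Not handled: macros, port ranges, ?SECTION lines, line continuations.

# unlimited_before_limit FILE PORT
# Prints "line N: <rule>" for every ACCEPT (net/all -> $FW/all, tcp) on PORT
# that has no RATE and is reached before a rate-limited rule for that port.
# Returns 1 if any such rule is found, 0 otherwise.
unlimited_before_limit() {
    awk -v port="$2" '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        $1 != "ACCEPT" || $4 != "tcp" { next }
        $2 !~ /^(net|all)(:|$)/ || $3 !~ /^(\$FW|all)(:|$)/ { next }
        {
            n = split($5, p, ","); hit = 0
            for (i = 1; i <= n; i++) if (p[i] == port) hit = 1
            if (!hit) next
            if (NF >= 8 && $8 != "-") exit         # rate-limited rule reached
            printf "line %d: %s\n", NR, $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample rules file (not from the page): line 5 accepts 443
# without a rate before the limited rule on line 7.
sample_rules() {
    cat <<'EOF'
# constructed sample
ACCEPT net $FW tcp 22
# allow http
ACCEPT net $FW tcp 80 - - s:20/min:30
ACCEPT net $FW tcp 443,8443
# allow https
ACCEPT net $FW tcp 443 - - s:20/min:30
EOF
}

tmp=$(mktemp)
sample_rules > "$tmp"
for port in 80 443; do
    unlimited_before_limit "$tmp" "$port" || echo "port $port: fix rule order"
done
rm -f "$tmp"
```

Point the function at your own rules file and run it once per rate-limited port; any line it prints accepts that port before the limit can apply.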

Test with ApacheBench (ab):

ab -n 100 -c 50 https://www.example.org/

The number of requests per second should be significantly higher without the rate limits in place, and lower once they are enabled.
