What does tcp[13] == 2 mean?
Is there any general documentation/explanation about these expressions?
It means the 13th octet of the TCP header, which is where the SYN flag is stored, which is used to identify new TCP sessions.
PHREL uses libpcap internally to look at packets, which is also what tcpdump uses. Any rule you can build in tcpdump can be used with PHREL to rate limit or block packets. The tcpdump man page has a great deal of information on how to look at packets. When you get into complex policies like this, an understanding of TCP headers helps, though.
How to protect httpd protocol or port 80 with PHREL ???
This configuration will block any host that is attempting to open more than 10 TCP sessions a second on port 80 (HTTP), averaged over 30 seconds (default window). This rule is looking at port 80 and only the TCP SYN flag, which identifies new TCP sessions:
# phreld -T 10:0 'port 80 and tcp[13] == 2'
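
To see what the filter in that rule counts, here is an added example (not PHREL's code and not from the original answer) that builds constructed TCP headers, tests the flags byte at offset 13 the way `tcp[13] == 2` does, and applies the 10-per-second, 30-second average to sample traffic. All function names and the threshold model are assumptions made for illustration; note that the exact match skips SYN-ACK replies and SYNs that also carry ECN bits, while a mask test on the SYN bit includes them.

```python
import struct
from collections import Counter

SYN, ACK, ECE, CWR = 0x02, 0x10, 0x40, 0x80

def tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header: no options, seq/ack/checksum zeroed."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def is_pure_syn(hdr):
    """pcap 'tcp[13] == 2': the flags byte at offset 13 is exactly SYN."""
    return hdr[13] == SYN

def has_syn(hdr):
    """pcap 'tcp[13] & 2 != 0': SYN bit set, other flag bits ignored."""
    return hdr[13] & SYN != 0

def matches_rule(hdr):
    """'port 80 and tcp[13] == 2': either port is 80 and flags are exactly SYN."""
    sport, dport = struct.unpack("!HH", hdr[:4])
    return 80 in (sport, dport) and is_pure_syn(hdr)

def over_threshold(events, limit_pps=10, window=30):
    """Sources whose matching packets average more than limit_pps over one window.
    Assumed model of the threshold, not PHREL's code. events: (src_ip, header)."""
    counts = Counter(src for src, hdr in events if matches_rule(hdr))
    return {src for src, n in counts.items() if n / window > limit_pps}

def sample_events():
    """Constructed traffic for one 30-second window (documentation addresses)."""
    return (
        [("192.0.2.10", tcp_header(40000, 80, SYN))] * 400          # 13.3 SYN/s
        + [("192.0.2.20", tcp_header(40001, 80, SYN))] * 200        # 6.7 SYN/s
        + [("192.0.2.30", tcp_header(80, 40002, SYN | ACK))] * 400  # server replies
        + [("198.51.100.5", tcp_header(40003, 443, SYN))] * 400     # other port
    )

if __name__ == "__main__":
    print(sorted(over_threshold(sample_events())))
```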