From: "Mr. K."
Date: Wed, 12 Jan 2000 16:18:56 -0500 (EST)
To: Sheldon Hearn
Cc: questions@FreeBSD.ORG
Subject: Re: limit connections per IP?
In-Reply-To: <84894.947694397@axl.noc.iafrica.com>

On Wed, 12 Jan 1900, Sheldon Hearn wrote:

> On Wed, 12 Jan 1900 11:12:47 EST, "Mr. K." wrote:
>
> > Is there a way (perhaps with ipfw?) to limit the number of connections an
> > IP address can make to your system? This seems to be the only way to
> > handle a DOS attack from filling up your listen queue.
>
> Depends on the software. If you start things up out of inetd(8), then
> there's per-service and global rate-limiting available. Consult the
> inetd(8) manual page for details.
>
> Otherwise, the options available to you are application specific and thus
> effective only on a per-service basis, if at all.
>
> Ciao,
> Sheldon.

I am writing my own daemon. I know this can be done in user space, just
keep a list and check after you do an accept(), but I was hoping there
was a way to do it in kernel space before it even gets in my listen
queue. Otherwise it seems trivial to fill up my listen queue faster than
I can perform the accept()s.
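The user-space approach the reply above describes ("keep a list and check after you do an accept()"), written out as an added example; this is not code from the thread or from any FreeBSD component. It keeps a per-source-address count of open connections in a fixed-size table, admits or closes each accepted socket against a limit, and decrements the count when the daemon closes the connection. The table size, the limit of 2 used in the demo, the function names and the 10.0.0.x sample addresses are all assumptions chosen for illustration. As the poster notes, this only acts on connections that have completed the handshake and reached accept(); it does nothing about a flood that fills the listen queue before accept() runs. Later FreeBSD ipfw releases added a `limit src-addr N` rule option that enforces a per-source connection cap in the kernel, which is the closer match to what was being asked for.

```c
/* Per-source-address connection limiter applied after accept().
 * Added example, not from the original thread. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_TRACKED 256   /* assumed: distinct sources tracked at once */

struct ip_slot {
    uint32_t addr;        /* IPv4 address, network byte order */
    int count;            /* open connections from this address; 0 = slot free */
};

struct conn_limiter {
    struct ip_slot slots[MAX_TRACKED];
    int limit;            /* max open connections per source address */
};

void limiter_init(struct conn_limiter *l, int limit) {
    memset(l, 0, sizeof *l);
    l->limit = limit;
}

/* Linear scan: find the live slot for addr, or (if create) claim a free one. */
static struct ip_slot *find_slot(struct conn_limiter *l, uint32_t addr, int create) {
    struct ip_slot *free_slot = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (l->slots[i].count > 0 && l->slots[i].addr == addr) return &l->slots[i];
        if (!free_slot && l->slots[i].count == 0) free_slot = &l->slots[i];
    }
    if (create && free_slot) { free_slot->addr = addr; free_slot->count = 0; return free_slot; }
    return NULL;
}

/* Returns 1 if the new connection may be kept, 0 if it must be dropped.
 * Fails closed when the table is full rather than admitting untracked sources. */
int limiter_admit(struct conn_limiter *l, uint32_t addr) {
    struct ip_slot *s = find_slot(l, addr, 1);
    if (!s || s->count >= l->limit) return 0;
    s->count++;
    return 1;
}

/* Call exactly once when a previously admitted connection closes. */
void limiter_release(struct conn_limiter *l, uint32_t addr) {
    struct ip_slot *s = find_slot(l, addr, 0);
    if (s && s->count > 0) s->count--;
}

int limiter_count(struct conn_limiter *l, uint32_t addr) {
    struct ip_slot *s = find_slot(l, addr, 0);
    return s ? s->count : 0;
}

/* Where the check sits in a daemon: accept, then admit or close immediately.
 * Returns the admitted fd, 0 if the peer was over its limit, -1 on accept error.
 * The caller must limiter_release() the peer address when it closes the fd. */
int accept_limited(int listen_fd, struct conn_limiter *l, uint32_t *peer_addr) {
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (fd < 0) return -1;
    *peer_addr = peer.sin_addr.s_addr;
    if (!limiter_admit(l, *peer_addr)) {
        close(fd);       /* over the per-source limit: drop without servicing */
        return 0;
    }
    return fd;
}

/* Scenario on constructed sample addresses (no real sockets): limit 2 per source.
 * Returns the number of admitted connections; *rejected receives the rest. */
int limiter_demo(int *rejected) {
    struct conn_limiter l;
    uint32_t a = inet_addr("10.0.0.1");   /* constructed sample sources */
    uint32_t b = inet_addr("10.0.0.2");
    int admitted = 0;
    *rejected = 0;
    limiter_init(&l, 2);
    for (int i = 0; i < 3; i++)           /* third connect from a is over the limit */
        if (limiter_admit(&l, a)) admitted++; else (*rejected)++;
    if (limiter_admit(&l, b)) admitted++; else (*rejected)++;   /* b has its own count */
    limiter_release(&l, a);                                     /* one a connection closes */
    if (limiter_admit(&l, a)) admitted++; else (*rejected)++;   /* a is admitted again */
    return admitted;                      /* 4 admitted, 1 rejected */
}

int main(void) {
    int rejected = 0;
    int admitted = limiter_demo(&rejected);
    printf("admitted=%d rejected=%d\n", admitted, rejected);
    return 0;
}
```

Two design choices worth noting: the limiter fails closed when its table is full, so a flood of distinct spoofed sources degrades service for new addresses rather than bypassing the cap, and every accepted-then-closed socket still consumed a listen-queue slot and a handshake, which is exactly the cost the poster wants to avoid by moving the check into the kernel.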