From owner-freebsd-net@FreeBSD.ORG Fri May 30 06:38:33 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D27AC37B401 for ; Fri, 30 May 2003 06:38:32 -0700 (PDT)
Received: from relay.macomnet.ru (relay.macomnet.ru [195.128.64.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7FF5843FE0 for ; Fri, 30 May 2003 06:38:31 -0700 (PDT) (envelope-from maxim@macomnet.ru)
Received: from news1.macomnet.ru (news1.macomnet.ru [195.128.64.14]) by relay.macomnet.ru (8.11.6/8.11.6) with ESMTP id h4UDcLb6173836; Fri, 30 May 2003 17:38:21 +0400 (MSD)
Date: Fri, 30 May 2003 17:38:21 +0400 (MSD)
From: Maxim Konovalov
To: Andrew Gallatin
In-Reply-To: <16087.23499.422415.378026@grasshopper.cs.duke.edu>
Message-ID: <20030530173609.L69032@news1.macomnet.ru>
References: <16087.23499.422415.378026@grasshopper.cs.duke.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-net@freebsd.org
Subject: Re: limiting connections per IP w/FreeBSD ftpd?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 30 May 2003 13:38:33 -0000

On 09:25-0400, May 30, 2003, Andrew Gallatin wrote:
>
> At my company, some bonehead (not sure if it was maliciousness or just
> a stupid customer), opened 60 simultaneous connections to our ftp
> server and totally swamped our T1. This is the second or third time
> this has happened recently.
>
> So I'm looking for some way to limit the number of connections per-IP.
> I understand this may be bad for sites behind NAT boxes, or for
> multiuser systems, and I don't want to start a thread debating its
> merits.
>
> I'd like to avoid downgrading to one of the swiss-army knife ftpds
> that always seems to have a vulnerability in the headlines, but I
> don't have time to hack FreeBSD ftpd myself.
>
> So: Does anybody have patches to allow FreeBSD's ftpd to limit
> connections per IP? Or am I stuck with proftpd or wuftpd

a) run ftpd from inetd -s, man inetd;
b) ipfw2 limit src-addr, man ipfw.

-- 
Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org
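The following is an added example, not part of the thread and not code from either poster. It shows the two mechanisms Maxim points at (an ipfw2 rule using "limit src-addr" and an inetd.conf entry with a per-IP child limit), plus a small awk helper that counts established FTP control connections per source address from netstat -an style output, which is how an operator would spot the 60-connection case before or after installing a limit. The port (21), the cap (5), the ipfw rule numbers (1000-1020), the inetd.conf field layout (nowait/max-child/rate/max-child-per-ip, which depends on the FreeBSD release) and the sample netstat lines are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example for the per-IP FTP limiting question above.
# Assumptions: FTP control port 21, cap of 5 connections per source,
# ipfw rule numbers 1000-1020, FreeBSD inetd.conf per-IP child field.

FTP_PORT=21

# Emit ipfw2 rules (one "add ..." line each) capping concurrent FTP control
# connections per source address.  check-state lets packets of already
# accepted connections match their dynamic rule; the limit rule creates at
# most $max dynamic rules per src-addr; the final deny catches anything to
# port 21 that neither of the first two rules accepted.
ftp_limit_rules() {
    max="${1:-5}"
    printf 'add 1000 check-state\n'
    printf 'add 1010 allow tcp from any to me %s setup limit src-addr %s\n' \
        "$FTP_PORT" "$max"
    printf 'add 1020 deny log tcp from any to me %s\n' "$FTP_PORT"
}
# Install with:  ftp_limit_rules 5 > /tmp/ftp.rules && ipfw /tmp/ftp.rules

# Emit an inetd.conf line for ftpd with a per-IP child cap.  Field layout
# assumed: nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip,
# where 0 means unlimited; check inetd.conf(5) on the target release.
ftp_inetd_line() {
    max="${1:-5}"
    printf 'ftp\tstream\ttcp\tnowait/0/0/%s\troot\t/usr/libexec/ftpd\tftpd -l\n' \
        "$max"
}

# Read "netstat -an" style lines on stdin (IPv4 only: FreeBSD prints
# a.b.c.d.port) and print "src count" for every source with more than
# $threshold ESTABLISHED connections to the FTP control port.
busiest_ftp_sources() {
    threshold="${1:-5}"
    awk -v port="$FTP_PORT" -v thr="$threshold" '
        $1 ~ /^tcp4/ && $6 == "ESTABLISHED" {
            n = split($4, l, ".")
            if (l[n] + 0 != port + 0) next      # not the FTP control port
            split($5, f, ".")
            src = f[1] "." f[2] "." f[3] "." f[4]
            count[src]++
        }
        END { for (s in count) if (count[s] > thr) print s, count[s] }'
}

# Constructed sample netstat output: one source with six FTP sessions,
# another with two, and an unrelated ssh session from the busy source.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.21          198.51.100.7.50123     ESTABLISHED
tcp4       0      0  192.0.2.10.21          198.51.100.7.50124     ESTABLISHED
tcp4       0      0  192.0.2.10.21          198.51.100.7.50125     ESTABLISHED
tcp4       0      0  192.0.2.10.21          198.51.100.7.50126     ESTABLISHED
tcp4       0      0  192.0.2.10.21          198.51.100.7.50127     ESTABLISHED
tcp4       0      0  192.0.2.10.21          198.51.100.7.50128     ESTABLISHED
tcp4       0      0  192.0.2.10.22          198.51.100.7.50200     ESTABLISHED
tcp4       0      0  192.0.2.10.21          203.0.113.4.41000      ESTABLISHED
tcp4       0      0  192.0.2.10.21          203.0.113.4.41001      ESTABLISHED
tcp4       0      0  *.21                   *.*                    LISTEN
EOF
}

# Stand-alone run: show the generated config and the offending source.
ftp_limit_rules 5
ftp_inetd_line 5
sample_netstat | busiest_ftp_sources 5
```

On a live box the last helper would be fed with "netstat -an | busiest_ftp_sources 5"; the ipfw rules only govern the control channel, so passive-mode data connections on other ports are not counted, which is fine here because each data transfer still needs a control session to exist.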