From owner-freebsd-hackers Fri Jun 21 6:31:33 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 8B47737B409 for ; Fri, 21 Jun 2002 06:31:27 -0700 (PDT)
Received: from hades.hell.gr (patr530-b229.otenet.gr [212.205.244.237]) by mailsrv.otenet.gr (8.12.3/8.12.3) with ESMTP id g5LDVNuD018225; Fri, 21 Jun 2002 16:31:24 +0300 (EEST)
Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.4/8.12.4) with ESMTP id g5LDVILN002596; Fri, 21 Jun 2002 16:31:18 +0300 (EEST) (envelope-from keramida@FreeBSD.org)
Received: (from charon@localhost) by hades.hell.gr (8.12.4/8.12.4/Submit) id g5LDVHft002595; Fri, 21 Jun 2002 16:31:17 +0300 (EEST) (envelope-from keramida@FreeBSD.org)
Date: Fri, 21 Jun 2002 16:31:17 +0300
From: Giorgos Keramidas
To: Terry Lambert
Cc: hackers@FreeBSD.org
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
Message-ID: <20020621133117.GB2476@hades.hell.gr>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3D129CA8.EFADA4FF@mindspring.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 2002-06-20 20:25 +0000, Terry Lambert wrote:
> Giorgos Keramidas wrote:
> > I've been thinking for quite some time to add per-client-IP limiting
> > to ftpd, and I had almost decided upon something like the following,
> > where each child of ftpd has two numbers associated with it.
>
> Someone just did something similar for inetd (per IP per port).

I know. I missed that post (probably deleted it accidentally), and a
friend told me that this was being discussed. Since I had been giving
the topic a bit of thought, I thought I'd post what I had and ask for
comments.

The friend who notified me about this mentioned that a linear list was
being used and what I had so far would probably be OK for inetd too.

> The more I think about this, and the fact that there is code growing
> to do basically the same thing in every program, the more I think
> that the code to do this needs to be centralized.

A simple core reuse of ../../foo.c would probably be sufficient in this
case, since the part that does the limiting only needs the following
interface:

    find_client_addr();
    find_client_pid();
    add_client(addr, pid);
    del_client(pid);        /* called by reapchild() */

> Putting this code into a separate daemon, or even natd, makes a
> lot more sense to me than hacking up the kernel, or every network
> application ever written.

Sounds very general to me, and I can't say I don't like the idea.

- Giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
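The per-source-address table sketched in the message above, written out as an added example. This is not code from the original message, from FreeBSD's ftpd or from the inetd change the thread mentions; the function names follow the interface listed in the mail, while the table size, the per-address limit, the IPv4-only address type and the helper addr_of() are assumptions made for illustration.

```c
/*
 * Added example (not the original poster's code): a linear-list table of
 * (client address, child pid) pairs of the shape the message describes.
 * The parent checks the limit before fork(), records the pair once fork()
 * returns the child's pid, and removes it from reapchild() when the child
 * exits. MAX_CLIENTS, MAX_PER_ADDR and IPv4-only addresses are assumptions.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_CLIENTS  256   /* table capacity (hypothetical) */
#define MAX_PER_ADDR 4     /* live children allowed per source IP (hypothetical) */

struct client {
    struct in_addr addr;   /* IPv4 only, to keep the example short */
    pid_t          pid;
    int            used;
};

static struct client clients[MAX_CLIENTS];

/* find_client_addr(): number of live children serving this address. */
int find_client_addr(struct in_addr addr)
{
    int n = 0;
    for (int i = 0; i < MAX_CLIENTS; i++)
        if (clients[i].used && clients[i].addr.s_addr == addr.s_addr)
            n++;
    return n;
}

/* find_client_pid(): table index of the entry for pid, or -1 if absent. */
int find_client_pid(pid_t pid)
{
    for (int i = 0; i < MAX_CLIENTS; i++)
        if (clients[i].used && clients[i].pid == pid)
            return i;
    return -1;
}

/* Ask this before fork(), so a refused client costs no child process. */
int client_limit_reached(struct in_addr addr)
{
    return find_client_addr(addr) >= MAX_PER_ADDR;
}

/*
 * add_client(): record a child serving addr. Re-checks the limit so the
 * table itself enforces the policy even if a caller skipped the pre-check.
 * Returns 0 on success, -1 if the limit is hit or the table is full.
 */
int add_client(struct in_addr addr, pid_t pid)
{
    if (client_limit_reached(addr))
        return -1;
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (!clients[i].used) {
            clients[i].addr = addr;
            clients[i].pid  = pid;
            clients[i].used = 1;
            return 0;
        }
    }
    return -1;   /* table full */
}

/* del_client(): called from reapchild() for each pid waitpid() returns. */
int del_client(pid_t pid)
{
    int i = find_client_pid(pid);
    if (i < 0)
        return -1;
    clients[i].used = 0;
    return 0;
}

/* Helper for the demo: dotted-quad string to in_addr (assumed well-formed). */
struct in_addr addr_of(const char *s)
{
    struct in_addr a;
    inet_pton(AF_INET, s, &a);
    return a;
}

int main(void)
{
    struct in_addr a = addr_of("192.0.2.10");   /* constructed sample client */
    for (pid_t p = 100; p < 106; p++)
        printf("pid %d: %s\n", (int)p,
               add_client(a, p) == 0 ? "admitted" : "refused");
    del_client(101);   /* as reapchild() would after the child exits */
    printf("after reap: %d live for 192.0.2.10\n", find_client_addr(a));
    return 0;
}
```

Two caveats a practitioner would want before relying on a table like this. It lives in one process, so it only works for a daemon that owns the listening socket and forks per connection; an ftpd spawned by inetd gets a fresh, empty table on every connection, which is exactly why the thread leans toward putting the logic in inetd itself or in a separate daemon. And the limit is keyed on source address alone, so many users behind one NAT share a single quota while an attacker with many addresses is not slowed at all; it bounds per-address abuse, not total load.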