From owner-freebsd-hackers Fri Jun 21 6:36:56 2002
Date: Fri, 21 Jun 2002 16:36:26 +0300
From: Giorgos Keramidas
To: Luigi Rizzo
Cc: Terry Lambert, hackers@FreeBSD.org
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
Message-ID: <20020621133626.GC2476@hades.hell.gr>
In-Reply-To: <20020621003518.A77089@iguana.icir.org>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com> <20020620222032.A73450@iguana.icir.org> <3D12CE82.C6761D96@mindspring.com> <20020621003518.A77089@iguana.icir.org>

On 2002-06-21 00:35 +0000, Luigi Rizzo wrote:
> On Thu, Jun 20, 2002 at 11:58:10PM -0700, Terry Lambert wrote:
> > > in fact there is an ipfw rule which does just this:
> > >
> > >     ipfw add allow ip from any to any limit src-addr 5
> > >
> > > and here you go...
> >
> > Can this be done per port?  This is what both the FTP and the inetd
> > modification movements have been about...
>
> ipfw add allow ip from any to any limit src-addr src-port 5
>
> ...
>
> BTW in terms of implementation efficiency: this limit thing
> uses the same hash table used by dynamic ipfw rules.
> There is currently an (arbitrary) limit of a total of 1000
> dynamic entries in the table, but no reason not to raise it
> much higher if you have memory.

The main reason I was looking for a userland implementation of this
was that adding limiting to an FTP server that has an active number
of a few thousand connections might be a little resource intensive
to the kernel of the machine.  It's probably OK to stay a bit too
much within a userland function that searches a hash/list of
addresses, but doing this in the kernel is something I can't say I
fully understand yet.  I'm not familiar with the ipfw code.  Would
it be possible to limit the connections based on source address for
a machine that has a few thousand connections and still not put a
heavy load on the kernel?

- Giorgos
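A userland version of the per-source-address limit discussed in the thread, as an added example that is not code from the thread, from ftpd or from inetd: a small chained hash table keyed by IPv4 source address that a server consults once on accept and once on close. The bucket count and the hash constant are assumed values; the limit of 5 per address matches the ipfw rule quoted above.

```c
#include <stdint.h>
#include <stdlib.h>

#define NBUCKETS 1024   /* assumed: power of two, so the hash is a mask */
#define MAX_PER_SRC 5   /* same per-address limit as the ipfw rule above */

struct src_entry {
    uint32_t addr;          /* IPv4 source address, network byte order */
    unsigned count;         /* live connections from this address */
    struct src_entry *next; /* chain for bucket collisions */
};
static struct src_entry *buckets[NBUCKETS];
static unsigned src_hash(uint32_t addr)
{
    return (addr * 2654435761u) & (NBUCKETS - 1); /* multiplicative hash */
}
/* Slot holding addr's entry, or the empty slot at the end of its chain. */
static struct src_entry **src_slot(uint32_t addr)
{
    struct src_entry **pp = &buckets[src_hash(addr)];
    while (*pp != NULL && (*pp)->addr != addr)
        pp = &(*pp)->next;
    return pp;
}
/* New connection from addr: returns 1 and records it while addr is below
 * the limit, 0 once addr already has MAX_PER_SRC live connections. */
int src_connect(uint32_t addr)
{
    struct src_entry **pp = src_slot(addr), *e = *pp;
    if (e == NULL) {
        if ((e = calloc(1, sizeof(*e))) == NULL)
            return 0;       /* out of memory: fail closed, refuse */
        e->addr = addr;
        *pp = e;            /* link at the end of the chain */
    }
    if (e->count >= MAX_PER_SRC)
        return 0;
    e->count++;
    return 1;
}

/* Connection from addr closed: decrement; free at zero so only active addresses stay. */
void src_disconnect(uint32_t addr)
{
    struct src_entry **pp = src_slot(addr), *e = *pp;
    if (e != NULL && e->count > 0 && --e->count == 0) {
        *pp = e->next;
        free(e);
    }
}
```

Each call walks one bucket chain, so the cost depends on the number of distinct active source addresses per bucket rather than on the total number of open connections.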