From owner-freebsd-hackers  Fri Jun 21  6:47: 2 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from scribble.fsn.hu (scribble.fsn.hu [193.224.40.95])
	by hub.freebsd.org (Postfix) with SMTP id 508EC37B40B
	for <hackers@FreeBSD.org>; Fri, 21 Jun 2002 06:46:47 -0700 (PDT)
Received: (qmail 2238 invoked by uid 1000); 21 Jun 2002 13:46:43 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 21 Jun 2002 13:46:43 -0000
Date: Fri, 21 Jun 2002 15:46:43 +0200 (CEST)
From: Attila Nagy <bra@fsn.hu>
To: Giorgos Keramidas <keramida@FreeBSD.org>
Cc: Luigi Rizzo <rizzo@icir.org>,
	Terry Lambert <tlambert2@mindspring.com>, <hackers@FreeBSD.org>
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
In-Reply-To: <20020621133626.GC2476@hades.hell.gr>
Message-ID: <Pine.LNX.4.44.0206211539180.907-100000@scribble.fsn.hu>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com>
 <20020620222032.A73450@iguana.icir.org> <3D12CE82.C6761D96@mindspring.com>
 <20020621003518.A77089@iguana.icir.org> <20020621133626.GC2476@hades.hell.gr>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Hello,

> The main reason I was looking for a userland implementation of this was
> that adding limiting to an FTP server that has an active number of a few
> thousand connections might be a little resource intensive to the kernel
> of the machine.  It's probably OK to stay a bit to much within a
> userland function that searches a hash/list of addresses, but doing this
> in the kernel, is something I can't say I fully understand yet.
Not only this. For example take the normal inetd behaviour for an FTP
server.
If the ftpd child processes grow above the limit, inetd simply won't spawn
others.
The users think that the service is dying (because it can be pinged, but
the client can't log on) and begin to flame the operator (such a lame
service :).
Imagine this with the per IP address limit (this will hit more users,
because of proxies, NAT boxes, etc).

I think it is much better if the daemon can report this via a simple text
message.
The user limit thing is the last which is necessary to the FreeBSD ftpd
for running an anonymous server.

--------[ Free Software ISOs - ftp://ftp.fsn.hu/pub/CDROM-Images/ ]-------
Attila Nagy					e-mail: Attila.Nagy@fsn.hu
Free Software Network (FSN.HU)		  phone @work: +361 210 1415 (194)
						cell.: +3630 306 6758


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message