Date:      Tue, 6 Feb 2001 10:18:15 +0200
From:      Neil Blakey-Milner <nbm@mithrandr.moria.org>
To:        Lucas Bergman <lucas@slb.to>
Cc:        Richard Ward <mh@neonsky.net>, freebsd-questions@freebsd.org
Subject:   Re: Limiting connections w/ ftpd
Message-ID:  <20010206101815.A52096@rapier.smartspace.co.za>
In-Reply-To: <20010205084218.A19317@billygoat.slb.to>; from lucas@slb.to on Mon, Feb 05, 2001 at 08:42:18AM -0600
References:  <009d01c08f3d$f7a77de0$0101a8c0@pavilion> <20010205084218.A19317@billygoat.slb.to>

On Mon 2001-02-05 (08:42), Lucas Bergman wrote:
> > I've been recently getting flooded with connections via ftp, and I
> > was wondering how to limit ftp connections per IP address to stop
> > "connection floods" from a single host name. I can't find much
> > documentation on the standard FreeBSD "ftpd" that explains how this
> > would be done.
> 
> ftpd doesn't know how many simultaneous connections are being made,
> since each ftpd only handles one connection; inetd handles the
> starting of multiple daemons.  Stock inetd does not have a facility
> for concurrency limits.  You'll have to use /TCP Wrappers/ or
> /ucspi-tcp/; they're both in ports.  I've used /ucspi-tcp/ with good
> results.

While ucspi-tcp is often my preferred solution, you're wrong about FreeBSD's
inetd; it can do concurrency and time-based limits.  From the inetd man page:

     -c maximum
             Specify the default maximum number of simultaneous invocations of
             each service; the default is unlimited.  May be overridden on a
             per-service basis with the "max-child" parameter.

     -C rate
             Specify the default maximum number of times a service can be
             invoked from a single IP address in one minute; the default is
             unlimited.  May be overridden on a per-service basis with the
             "max-connections-per-ip-per-minute" parameter.

     -R rate
             Specify the maximum number of times a service can be invoked in
             one minute; the default is 256.  A rate of 0 allows an unlimited
             number of invocations.

and...

     The maximum number of outstanding child processes (or ``threads'') for a
     ``nowait'' service may be explicitly specified by appending a ``/''
     followed by the number to the ``nowait'' keyword.

and...

     You can also specify the maximum number of connections per minute for a
     given IP address by appending a ``/'' followed by the number to the
     maximum number of outstanding child processes.  Once the maximum is
     reached, further connections from this IP address will be dropped until
     the end of the minute.

Neil
-- 
Neil Blakey-Milner
nbm@mithrandr.moria.org
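A worked inetd configuration for the limits the man page excerpts above describe. This is an added example, not part of the original message; the ftpd path is FreeBSD's stock /usr/libexec/ftpd, the limit values are illustrative, and the rc.conf inetd_flags line assumes FreeBSD's rc.conf-based startup.

```conf
# /etc/inetd.conf (FreeBSD) -- constructed example, not from the message above.

# Before: no per-service limit.  Only the global -R rate (default 256
# invocations per minute, all clients combined) applies, so a single host
# can consume the whole budget and starve everyone else.
ftp     stream  tcp     nowait          root    /usr/libexec/ftpd       ftpd -l

# After: at most 20 ftpd children alive at once, and at most 5 new ftp
# connections per minute from any single IP address, using the
# nowait/max-child/max-connections-per-ip-per-minute syntax from inetd(8).
# Beyond 5 per minute, further connections from that address are dropped
# until the minute ends; other addresses are unaffected.
ftp     stream  tcp     nowait/20/5     root    /usr/libexec/ftpd       ftpd -l
```

```conf
# /etc/rc.conf -- defaults for every service whose inetd.conf line sets no
# explicit limit (-c = max-child, -C = per-IP-per-minute, -R = global rate).
# -wW keeps FreeBSD's default TCP wrapper checks for external and internal
# services; the numeric values are illustrative.
inetd_flags="-wW -c 30 -C 10 -R 512"
```

inetd re-reads inetd.conf on SIGHUP (kill -HUP the inetd process), while the rc.conf flags take effect when inetd is restarted; the -l on ftpd logs sessions to syslog so the dropped floods are visible.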
