Date: Tue, 6 Feb 2001 10:18:15 +0200 From: Neil Blakey-Milner <nbm@mithrandr.moria.org> To: Lucas Bergman <lucas@slb.to> Cc: Richard Ward <mh@neonsky.net>, freebsd-questions@freebsd.org Subject: Re: Limiting connections w/ ftpd Message-ID: <20010206101815.A52096@rapier.smartspace.co.za> In-Reply-To: <20010205084218.A19317@billygoat.slb.to>; from lucas@slb.to on Mon, Feb 05, 2001 at 08:42:18AM -0600 References: <009d01c08f3d$f7a77de0$0101a8c0@pavilion> <20010205084218.A19317@billygoat.slb.to>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon 2001-02-05 (08:42), Lucas Bergman wrote:
> > I've been recently getting flooded with connections via ftp, and I
> > was wondering how to limit ftp connections per IP address to stop
> > "connection floods" from a single host name. I can't find much
> > documentation on the standard FreeBSD "ftpd" that explains how this
> > would be done.
>
> ftpd doesn't know how many simultaneous connections are being made,
> since each ftpd only handles one connection; inetd handles the
> starting of multiple daemons. Stock inetd does not have a facility
> for concurrency limits. You'll have to use /TCP Wrappers/ or
> /ucspi-tcp/; they're both in ports. I've used /ucspi-tcp/ with good
> results.
While ucspi-tcp is often my preferred solution, you're wrong about FreeBSD's
inetd; it can do concurrency and time-based limits. From the inetd man page:
-c maximum
Specify the default maximum number of simultaneous invocations of
each service; the default is unlimited. May be overridden on a
per-service basis with the "max-child" parameter.
-C rate
Specify the default maximum number of times a service can be in-
voked from a single IP address in one minute; the default is un-
limited. May be overridden on a per-service basis with the "max-
connections-per-ip-per-minute" parameter.
-R rate
Specify the maximum number of times a service can be invoked in
one minute; the default is 256. A rate of 0 allows an unlimited
number of invocations.
and...
The maximum number of outstanding child processes (or ``threads'') for a
``nowait'' service may be explicitly specified by appending a ``/'' fol-
lowed by the number to the ``nowait'' keyword.
and...
You can also specify the maximum number of connections per
minute for a given IP address by appending a ``/'' followed by the number
to the maximum number of outstanding child processes. Once the maximum
is reached, further connections from this IP address will be dropped un-
til the end of the minute.
Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010206101815.A52096>