Date:      Sat, 9 Nov 1996 16:13:17 -0500 (EST)
From:      Sujal Patel <smpatel@umiacs.umd.edu>
To:        Julian Elischer <julian@whistle.com>
Cc:        hackers@freebsd.org
Subject:   Re: Inetd mod.. comments?
Message-ID:  <Pine.OSF.3.91.961109160517.3417C-100000@mickey.umiacs.umd.edu>
In-Reply-To: <3280EF24.ABD322C@whistle.com>

On Wed, 6 Nov 1996, Julian Elischer wrote:

> I have some patches to Inetd here that I sent out for comment.
> the only comment I got was
> "Gee that's neat!, I need that"
> 
> but no technical reviews or code checks..

Well, I looked *briefly* at this patch (I did not review it).  It looked 
pretty good from my brief look, but I'd prefer to see this implemented as 
part of ipfw.  I think this will give you a broader range of services that 
can be protected (i.e. sendmail, ssh, etc).  It will also move the 
protection scheme to the kernel level which makes it faster, more 
efficient, and safer IMO.

I can think of all sorts of cool things that could be done in ipfw 
(related to this):

1 - Rate limit incoming TCP connections to a specified port.
2 - Rate limit ICMP/UDP traffic.
3 - Limit the number of concurrent TCP connections to a port.
4 - Limit the number of concurrent TCP connections from a host/domain.

The way I see it, the only reason to ever do this sort of thing in
userspace is if you actually wanted to limit services based on a DNS
reverse lookup (i.e.  Limit concurrent TCP connections from outside of
Europe). 

Just my 3 cents.


Sujal
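The four limits listed above (rate limiting new TCP connections to a port, and capping concurrent connections per port and per source host) are straightforward to sketch in user space, whether they end up in inetd or in the kernel. The following is an added example, not code from this thread, from inetd or from ipfw: a token bucket for item 1, a port-wide counter for item 3, and a small per-host table for item 4. All names (`port_limiter`, `limiter_admit`, `limiter_release`, the `MAX_HOSTS` table size) and the parameter values in the demo are hypothetical; the connection sequence in `demo_sequence` is constructed for illustration. Item 2 (ICMP/UDP rate limiting) is the same token bucket applied per datagram instead of per SYN.

```c
/*
 * Added example (not from the original thread, inetd or ipfw): a user-space
 * sketch of per-port connection limiting. Names and numbers are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_HOSTS 64                /* per-host tracking slots (assumption) */

struct host_slot {
    uint32_t addr;                  /* IPv4 source address, host byte order */
    int      active;                /* concurrent connections from this host */
};

struct port_limiter {
    double   tokens, rate, burst;   /* item 1: token bucket for new SYNs */
    time_t   last;                  /* time of last bucket refill */
    int      active, max_active;    /* item 3: concurrent connections to port */
    int      max_per_host;          /* item 4: concurrent connections per host */
    struct host_slot hosts[MAX_HOSTS];
};

void limiter_init(struct port_limiter *l, double rate, double burst,
                  int max_active, int max_per_host, time_t now)
{
    memset(l, 0, sizeof *l);
    l->rate = rate; l->burst = burst; l->tokens = burst; l->last = now;
    l->max_active = max_active; l->max_per_host = max_per_host;
}

/* Find the slot tracking addr, or claim a free one. NULL if the table is
 * full, which the caller treats as a refusal (fail closed). */
static struct host_slot *find_slot(struct port_limiter *l, uint32_t addr)
{
    struct host_slot *free_slot = NULL;
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (l->hosts[i].active > 0 && l->hosts[i].addr == addr)
            return &l->hosts[i];
        if (l->hosts[i].active == 0 && free_slot == NULL)
            free_slot = &l->hosts[i];
    }
    if (free_slot) free_slot->addr = addr;
    return free_slot;
}

/* Returns 1 and records the connection if it may be accepted, 0 if any of
 * the three limits refuses it. Called once per incoming connection. */
int limiter_admit(struct port_limiter *l, uint32_t src, time_t now)
{
    if (now > l->last) {                       /* refill the bucket */
        l->tokens += (double)(now - l->last) * l->rate;
        if (l->tokens > l->burst) l->tokens = l->burst;
        l->last = now;
    }
    if (l->active >= l->max_active) return 0;  /* port-wide cap */
    struct host_slot *h = find_slot(l, src);
    if (h == NULL || h->active >= l->max_per_host) return 0;  /* per-host cap */
    if (l->tokens < 1.0) return 0;             /* rate limit */
    l->tokens -= 1.0;
    l->active++;
    h->active++;
    return 1;
}

/* Called when a connection from src closes, so the counters decay. */
void limiter_release(struct port_limiter *l, uint32_t src)
{
    for (int i = 0; i < MAX_HOSTS; i++) {
        if (l->hosts[i].active > 0 && l->hosts[i].addr == src) {
            l->hosts[i].active--;
            l->active--;
            return;
        }
    }
}

/* Constructed sequence: 2 new connections/s, burst 3, at most 4 concurrent
 * per port and 2 per host. Returns how many of the 9 attempts were admitted. */
int demo_sequence(void)
{
    struct port_limiter l;
    const uint32_t A = 0x0a000001, B = 0x0a000002, C = 0x0a000003, D = 0x0a000004;
    int admitted = 0;
    limiter_init(&l, 2.0, 3.0, 4, 2, 1000);
    admitted += limiter_admit(&l, A, 1000);    /* 1: tokens 3 -> 2 */
    admitted += limiter_admit(&l, A, 1000);    /* 1: tokens 2 -> 1 */
    admitted += limiter_admit(&l, A, 1000);    /* 0: host A at its cap of 2 */
    admitted += limiter_admit(&l, B, 1000);    /* 1: tokens 1 -> 0 */
    admitted += limiter_admit(&l, C, 1000);    /* 0: bucket empty */
    admitted += limiter_admit(&l, C, 1001);    /* 1: refilled to 2, port now 4 */
    admitted += limiter_admit(&l, D, 1001);    /* 0: port at its cap of 4 */
    limiter_release(&l, A);                    /* one of A's connections closes */
    admitted += limiter_admit(&l, D, 1001);    /* 1: room again, tokens 1 -> 0 */
    admitted += limiter_admit(&l, D, 1001);    /* 0: port full again */
    return admitted;
}

int main(void)
{
    printf("admitted %d of 9 connection attempts\n", demo_sequence());
    return 0;
}
```

The order of checks matters: the bucket is only debited after the concurrency checks pass, so a refused connection does not also burn a token. The per-host table is fixed size and fails closed when full; a kernel implementation would hash on source address instead. For comparison, later versions of ipfw express item 4 directly with a dynamic rule option of the form `limit src-addr N` on a `setup` rule, which is the kernel-level placement the message argues for.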


