From owner-freebsd-hackers Sat Nov 9 13:13:55 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA21309 for hackers-outgoing; Sat, 9 Nov 1996 13:13:55 -0800 (PST)
Received: from mickey.umiacs.umd.edu (12222@mickey.umiacs.umd.edu [128.8.120.49]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA21286 for ; Sat, 9 Nov 1996 13:13:46 -0800 (PST)
Received: (smpatel@localhost) by mickey.umiacs.umd.edu (8.7.6/UMIACS-0.9/04-05-88) id QAA04568; Sat, 9 Nov 1996 16:13:18 -0500 (EST)
Date: Sat, 9 Nov 1996 16:13:17 -0500 (EST)
From: Sujal Patel
To: Julian Elischer
cc: hackers@freebsd.org
Subject: Re: Inetd mod.. comments?
In-Reply-To: <3280EF24.ABD322C@whistle.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 6 Nov 1996, Julian Elischer wrote:

> I have some patches to Inetd here that I sent out for comment.
> the only comment I got was
> "Gee that's neat!, I need that"
>
> but no technical reviews or code checks..

Well, I looked *briefly* at this patch (I did not review it). It looked pretty good from my brief look, but I'd prefer to see this implemented as part of ipfw. I think this will give you a broader range of services that can be protected (i.e. sendmail, ssh, etc). It will also move the protection scheme to the kernel level, which makes it faster, more efficient, and safer IMO.

I can think of all sorts of cool things that could be done in ipfw (related to this):

1 - Rate limit incoming TCP connections to a specified port.
2 - Rate limit ICMP/UDP traffic.
3 - Limit the number of concurrent TCP connections to a port.
4 - Limit the number of concurrent TCP connections from a host/domain.

The way I see it, the only reason to ever do this sort of thing in userspace is if you actually wanted to limit services based on a DNS reverse lookup (i.e. limit concurrent TCP connections from outside of Europe).

Just my 3 cents.

Sujal
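As an added illustration of the admission policies in items 1, 3 and 4 above (example code written for this archive page, not from the thread, from inetd or from ipfw): a per-port token bucket for connection rate plus per-port and per-host concurrency counters, run over a constructed trace of connection events. The class, its parameters, the hosts and the trace are all assumptions.

```python
"""Model of connection admission: rate limit per port, concurrency caps per port and per host."""
from collections import defaultdict


class ConnectionPolicy:
    """Decide accept/reject for each new connection; close() releases a slot."""

    def __init__(self, rate_per_sec, burst, max_per_port, max_per_host):
        self.rate, self.burst = rate_per_sec, burst
        self.max_per_port, self.max_per_host = max_per_port, max_per_host
        self.tokens = {}                     # port -> (tokens, last_refill_time)
        self.per_port = defaultdict(int)     # port -> open connections
        self.per_host = defaultdict(int)     # host -> open connections
        self.active = {}                     # conn_id -> (host, port)

    def _take_token(self, port, now):
        # Token bucket: refill at `rate` tokens/sec up to `burst`, spend one per accept.
        tokens, last = self.tokens.get(port, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.tokens[port] = (tokens, now)
            return False
        self.tokens[port] = (tokens - 1, now)
        return True

    def connect(self, conn_id, host, port, now):
        # Concurrency caps are checked first so a rejected connection spends no token.
        if self.per_port[port] >= self.max_per_port:
            return "reject:port-limit"
        if self.per_host[host] >= self.max_per_host:
            return "reject:host-limit"
        if not self._take_token(port, now):
            return "reject:rate"
        self.per_port[port] += 1
        self.per_host[host] += 1
        self.active[conn_id] = (host, port)
        return "accept"

    def close(self, conn_id):
        host, port = self.active.pop(conn_id)
        self.per_port[port] -= 1
        self.per_host[host] -= 1


# Constructed trace: ("open", id, host, port, time_seconds) or ("close", id).
SAMPLE_EVENTS = [
    ("open", "c1", "A", 23, 0.0), ("open", "c2", "A", 23, 0.0), ("open", "c3", "A", 23, 0.0),
    ("open", "c4", "B", 23, 0.0), ("open", "c5", "B", 23, 0.0), ("open", "c6", "B", 23, 0.5),
    ("open", "c7", "C", 23, 1.0), ("close", "c1"), ("open", "c8", "C", 23, 1.0),
]


def run_trace(events, rate=2.0, burst=3, max_per_port=4, max_per_host=2):
    """Replay a trace; returns [(conn_id, decision), ...] for the open events."""
    policy, results = ConnectionPolicy(rate, burst, max_per_port, max_per_host), []
    for ev in events:
        if ev[0] == "open":
            _, cid, host, port, t = ev
            results.append((cid, policy.connect(cid, host, port, t)))
        else:
            policy.close(ev[1])
    return results
```

In the sample trace c3 hits the per-host cap, c5 exhausts the burst, c7 hits the per-port cap, and c8 is admitted only because c1 closed and half a second of refill has accrued.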