From owner-freebsd-hackers Fri Jun 21 3:43:20 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from amsfep14-int.chello.nl (amsfep14-int.chello.nl [213.46.243.21]) by hub.freebsd.org (Postfix) with ESMTP id EF64337B406 for ; Fri, 21 Jun 2002 03:43:14 -0700 (PDT)
Received: from hibernate.cryolabs.net ([213.132.151.88]) by amsfep14-int.chello.nl (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with SMTP id <20020621104313.OCJY25038.amsfep14-int.chello.nl@hibernate.cryolabs.net> for ; Fri, 21 Jun 2002 12:43:13 +0200
Received: (qmail 27481 invoked from network); 21 Jun 2002 12:42:54 +0200
Received: from unknown (HELO ice.cryolabs.net) (192.168.196.1) by hibernate.cryolabs.net with SMTP; 21 Jun 2002 12:42:54 +0200
Received: from cocaine.cryolabs.net (cocaine.cryolabs.net [192.168.196.5]) by ice.cryolabs.net (Postfix) with ESMTP id 4C25B1AA; Fri, 21 Jun 2002 12:42:42 +0200 (CEST)
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
From: Wouter Van Hemel
To: Terry Lambert
Cc: Giorgos Keramidas, hackers@FreeBSD.org
In-Reply-To: <3D129CA8.EFADA4FF@mindspring.com>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.7
Date: 21 Jun 2002 12:43:26 +0200
Message-Id: <1024656206.277.9.camel@cocaine>
Mime-Version: 1.0
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, 2002-06-21 at 05:25, Terry Lambert wrote:
> Giorgos Keramidas wrote:
> > I've been thinking for quite some time to add per-client-IP limiting
> > to ftpd, and I had almost decided upon something like the following,
> > where each child of ftpd has two numbers associated with it: the
> > client IP address, and the PID of the ftpd child that serves it. The
> > hash at the beginning of the lists serves as a minor assistance in
> > splitting the 2^32 address space into smaller chunks so that we don't
> > end up with a singly linked list of a few thousand entries.
>
> Someone just did something similar for inetd (per IP per port).
>
> The more I think about this, and the fact that there is code growing
> to do basically the same thing in every program, the more I think
> that the code to do this needs to be centralized.

I agree with this... but I think that the reason many people like to do it by implementing the limitation in the daemon is that they can send back some kind of reply stating the reason for the refusal (which is a nice thing to do, since so many people are behind proxies, sharing the same IP). In that case, you need to speak the protocol of the specific service, even though most of it is plain text anyway. If not, the ipfw method works just fine.

Just a thought.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
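The per-client bookkeeping Giorgos sketches in the quoted text (a hash over the client address selecting a short singly linked list of (client IP, child PID) entries), worked out as an added example. This is not FreeBSD's ftpd or inetd code; the table layout, the names `conn_table_*`, the 256-bucket size, the IPv4-only addresses and the sample PIDs and addresses are all assumptions made here. The intended flow in a forking daemon such as `ftpd -D` is: the parent checks `conn_table_count()` before or as part of admitting a connection, records the child with `conn_table_add()` after `fork()`, and releases the slot from its SIGCHLD reaper with `conn_table_remove_pid()`; because the parent still owns the connection when it decides, it can write the protocol-specific refusal Wouter mentions before closing.

```c
/* Per-client-IP connection accounting for a forking daemon (added example,
 * not FreeBSD code). Each entry records (client IPv4, child PID); a small hash
 * on the address splits the 2^32 space into buckets so a lookup walks a short
 * list instead of one list of thousands of entries. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define NBUCKETS 256u             /* assumed; power of two so we can mask */

struct client_conn {
    uint32_t ip;                  /* client IPv4 address, network byte order */
    pid_t    pid;                 /* child process serving this connection */
    struct client_conn *next;
};

struct conn_table {
    struct client_conn *bucket[NBUCKETS];
    unsigned per_ip_limit;        /* max simultaneous children per client IP */
};

static unsigned ip_hash(uint32_t ip)
{
    /* fold all four octets so hosts in one /24 do not share a bucket */
    ip ^= ip >> 16;
    ip ^= ip >> 8;
    return ip & (NBUCKETS - 1);
}

void conn_table_init(struct conn_table *t, unsigned per_ip_limit)
{
    memset(t, 0, sizeof *t);
    t->per_ip_limit = per_ip_limit;
}

/* Live children currently serving this client address. */
unsigned conn_table_count(const struct conn_table *t, uint32_t ip)
{
    unsigned n = 0;
    for (const struct client_conn *c = t->bucket[ip_hash(ip)]; c; c = c->next)
        if (c->ip == ip)
            n++;
    return n;
}

/* Record a child for this client; returns 0 (refuse) if the client already
 * holds per_ip_limit connections or memory is exhausted, 1 if recorded. */
int conn_table_add(struct conn_table *t, uint32_t ip, pid_t pid)
{
    if (conn_table_count(t, ip) >= t->per_ip_limit)
        return 0;
    struct client_conn *c = malloc(sizeof *c);
    if (c == NULL)
        return 0;                 /* fail closed: no slot, no connection */
    c->ip = ip;
    c->pid = pid;
    unsigned h = ip_hash(ip);
    c->next = t->bucket[h];
    t->bucket[h] = c;
    return 1;
}

/* Called from the SIGCHLD reaper with the PID from waitpid(): frees the slot
 * so the limit is released when the child exits. Returns 1 if found. The
 * scan is over every bucket, which is fine for a per-exit event; a second
 * table keyed on PID would make it O(1). */
int conn_table_remove_pid(struct conn_table *t, pid_t pid)
{
    for (unsigned h = 0; h < NBUCKETS; h++)
        for (struct client_conn **pp = &t->bucket[h]; *pp; pp = &(*pp)->next)
            if ((*pp)->pid == pid) {
                struct client_conn *dead = *pp;
                *pp = dead->next;
                free(dead);
                return 1;
            }
    return 0;
}

/* Constructed scenario: limit 2 per IP. Returns 0 on success, else the
 * number of the first step whose result was unexpected. */
int scenario(void)
{
    struct conn_table t;
    conn_table_init(&t, 2);
    uint32_t alice = 0xC0A8C405u;     /* constructed: 192.168.196.5 */
    uint32_t bob   = 0x0A000001u;     /* constructed: 10.0.0.1 */

    if (conn_table_add(&t, alice, 101) != 1) return 1;
    if (conn_table_add(&t, alice, 102) != 1) return 2;
    if (conn_table_add(&t, alice, 103) != 0) return 3;   /* third refused */
    if (conn_table_add(&t, bob,   201) != 1) return 4;   /* other IP unaffected */
    if (conn_table_remove_pid(&t, 101) != 1) return 5;   /* child 101 exits */
    if (conn_table_count(&t, alice)    != 1) return 6;
    if (conn_table_add(&t, alice, 103) != 1) return 7;   /* slot released */
    if (conn_table_remove_pid(&t, 999) != 0) return 8;   /* unknown pid */
    return 0;
}

int main(void)
{
    int r = scenario();
    printf("scenario %s (step %d)\n", r == 0 ? "ok" : "FAILED", r);
    return r;
}
```

Note the proxy/NAT caveat from the message: a hard per-IP cap refuses the third user behind one shared address, so the limit has to be tuned with that in mind, and the refusal is far more useful to those users when the daemon speaks the protocol (an FTP 421 with a reason) than when a packet filter silently drops them.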