Date: 21 Jun 2002 12:43:26 +0200
From: Wouter Van Hemel <wouter@pair.com>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: Giorgos Keramidas <keramida@FreeBSD.org>, hackers@FreeBSD.org
Subject: Re: Limiting clients per source IP address (ftpd, inetd, etc.)
Message-ID: <1024656206.277.9.camel@cocaine>
In-Reply-To: <3D129CA8.EFADA4FF@mindspring.com>
References: <20020621000924.GA2178@hades.hell.gr> <3D129CA8.EFADA4FF@mindspring.com>
On Fri, 2002-06-21 at 05:25, Terry Lambert wrote:
> Giorgos Keramidas wrote:
> > I've been thinking for quite some time to add per-client-IP limiting
> > to ftpd, and I had almost decided upon something like the following,
> > where each child of ftpd has two numbers associated with it. The
> > client IP address, and the PID of the ftpd child that serves it. The
> > hash at the beginning of the lists serves as a minor assistance in
> > splitting the 2^32 address space in smaller chunks so that we don't
> > end up with a singly linked list of a few thousand entries.
>
> Someone just did something similar for inetd (per IP per port).
>
> The more I think about this, and the fact that there is code growing
> to do basically the same thing in every program, the more I think
> that the code to do this needs to be centralized.

I agree with this... but I think that the reason many people like to do
it by implementing the limitation in the daemon, is that they can send
back some kind of reply, stating the reason of the refusal (which is a
nice thing to do, since so many people are behind proxies, sharing the
same IP). In that case, you need to speak the protocol of the specific
service, even though most of it is plain text anyway. If not, the ipfw
method works just fine.

Just a thought.
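The structure Giorgos sketches above (one (client IP, child PID) entry per forked child, kept in hash buckets keyed by address so no single list grows to thousands of entries) is small enough to show in full. The following is an added example written for this archive page, not code from ftpd, inetd or anyone in the thread. It assumes a limit of three concurrent children per source address, 256 buckets, an XOR-of-octets hash, and constructed client addresses from documentation ranges; a daemon would call admit_client() in the parent before fork() and release_client() from its SIGCHLD/wait() path, and on refusal could still send the protocol-specific reply the message mentions before closing.

```c
/* Per-source-IP connection accounting for a forking daemon.
 * Added example (assumed limit and bucket count), not ftpd's own code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define NBUCKETS   256   /* power of two so the mask below works */
#define MAX_PER_IP 3     /* assumed policy: concurrent children per address */

struct client {
    uint32_t ip;          /* IPv4 address in host byte order */
    pid_t pid;            /* child process serving this connection */
    struct client *next;  /* singly linked chain within one bucket */
};

static struct client *buckets[NBUCKETS];

/* Fold all four octets into the bucket index so that clients spread
 * across a /24 or /16 do not all land in one chain. */
static unsigned hash_ip(uint32_t ip) {
    ip ^= ip >> 16;
    ip ^= ip >> 8;
    return ip & (NBUCKETS - 1);
}

/* Number of live children currently serving this exact address. */
int count_for_ip(uint32_t ip) {
    int n = 0;
    for (struct client *c = buckets[hash_ip(ip)]; c != NULL; c = c->next)
        if (c->ip == ip)
            n++;
    return n;
}

/* Called in the parent before fork(): record the child if the address is
 * under the limit and return 1, otherwise return 0 so the caller refuses. */
int admit_client(uint32_t ip, pid_t pid) {
    if (count_for_ip(ip) >= MAX_PER_IP)
        return 0;
    struct client *c = malloc(sizeof *c);
    if (c == NULL)
        return 0;            /* fail closed: no record means no child */
    c->ip = ip;
    c->pid = pid;
    unsigned h = hash_ip(ip);
    c->next = buckets[h];
    buckets[h] = c;
    return 1;
}

/* Called when a child exits (SIGCHLD/wait path): unlink its entry.
 * Returns 1 if an entry for pid was found, 0 otherwise. A larger daemon
 * would keep a pid->entry index instead of scanning every bucket. */
int release_client(pid_t pid) {
    for (unsigned h = 0; h < NBUCKETS; h++) {
        for (struct client **pp = &buckets[h]; *pp != NULL; pp = &(*pp)->next) {
            if ((*pp)->pid == pid) {
                struct client *dead = *pp;
                *pp = dead->next;
                free(dead);
                return 1;
            }
        }
    }
    return 0;
}

/* Helper to build a host-order IPv4 address from dotted octets. */
static uint32_t ipv4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

int main(void) {
    /* Constructed addresses: many users behind one proxy, plus one other host. */
    uint32_t proxy = ipv4(192, 0, 2, 10);
    uint32_t other = ipv4(198, 51, 100, 7);
    pid_t pid = 1000;

    for (int i = 1; i <= 5; i++)
        printf("proxy connection %d: %s\n", i,
               admit_client(proxy, pid++) ? "accepted" : "refused");
    printf("other host: %s\n", admit_client(other, pid++) ? "accepted" : "refused");

    release_client(1000);   /* first proxy child exits */
    printf("proxy after one child exits: %s\n",
           admit_client(proxy, pid++) ? "accepted" : "refused");
    return 0;
}
```

Note that count_for_ip() compares the full address, so two hosts whose octets hash into the same bucket (for this hash, 192.0.2.10 and 192.0.3.11) share a chain but never count against each other's limit.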
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1024656206.277.9.camel>