
Re: pf compatibility w/ other unix OS



On Mon, Jun 03, 2002 at 03:35:55PM +0200, Daniel Hartmeier wrote:
> If you want to protect a web server from too many concurrent
> connections (no matter what client addresses), the per-rule limit would
> work, wouldn't it?

  The problem here is 'no matter what client addresses'.
  
  If you allow 1000 concurrent sessions on your web server, anyone can open
1000 sockets (from the same IP) and keep them alive so that nobody else can
connect.

  Rate limitation (X connections in Y seconds) like Linux does is probably
bloat. But per-state is not enough, it should depend on source IPs to
address that issue.

--
__  /*-      Frank DENIS (Jedi/Sector One) <j_(_at_)_42-Networks_(_dot_)_Com>     -*\  __
 \ '/    Secure FTP Server: http://www.PureFTPd.Org/    \' /
  \/  Misc. free software: http://www.Jedi.Claranet.Fr/  \/
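The point made above, that a global state cap lets one source address exhaust the whole budget, is what the per-source options added to pf in later releases address. The pf.conf fragment below is an added example, not configuration from this thread or from the pf project; it assumes an interface name and a web server address, and it uses the later `source-track`, `max-src-states`, `max-src-conn`, `max-src-conn-rate` and `overload` options that did not exist in the pf being discussed in 2002.

```pf
# Added example, not from the thread. Requires a pf release that supports
# the per-source state options (these are absent from 2002-era pf).
ext_if    = "fxp0"          # assumed external interface
webserver = "192.0.2.10"    # constructed address (documentation range)
table <overloaded> persist  # sources that exceeded their limits

# Weak: a single global cap. One client can open all 1000 states itself
# and keep them alive, locking everyone else out of the web server.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA keep state (max 1000)

# Better: keep the global cap, but also cap states per source address,
# rate-limit new connections per source (15 in 5 seconds), and move any
# source that exceeds a limit into <overloaded>, flushing its states.
block in quick on $ext_if from <overloaded> to any
pass in on $ext_if proto tcp from any to $webserver port 80 \
    flags S/SA keep state (max 1000, source-track rule, \
                           max-src-states 20, max-src-conn 20, \
                           max-src-conn-rate 15/5, \
                           overload <overloaded> flush global)
```

Entries in `<overloaded>` persist until removed with `pfctl -t overloaded -T delete` (or expired with `pfctl -t overloaded -T expire`), so pair the rule with a periodic cleanup job.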


