On 2002-06-21 00:35 +0000, Luigi Rizzo wrote:
> On Thu, Jun 20, 2002 at 11:58:10PM -0700, Terry Lambert wrote:
> > > in fact there is an ipfw rule which does just this:
> > >
> > >         ipfw add allow ip from any to any limit src-addr 5
> > >
> > > and here you go...
> >
> > Can this be done per port?  This is what both the FTP and the inetd
> > modification movements have been about...
>
>       ipfw add allow ip from any to any limit src-addr src-port 5
>
> ...
>
> BTW in terms of implementation efficiency: this limit thing
> uses the same hash table used by dynamic ipfw rules.
> There is currently an (arbitrary) limit of a total of 1000
> dynamic entries in the table, but no reason not to raise it
> much higher if you have memory.

The main reason I was looking for a userland implementation of this
was that adding limiting to an FTP server that has an active number of
a few thousand connections might be a little resource intensive to the
kernel of the machine.  It's probably OK to stay a bit too much within
a userland function that searches a hash/list of addresses, but doing
this in the kernel is something I can't say I fully understand yet.

I'm not familiar with the ipfw code.  Would it be possible to limit
the connections based on source address for a machine that has a few
thousand connections and still not put a heavy load on the kernel?

- Giorgos
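As an added illustration (not code from this thread, from ipfw, or from any FTP server), here is a small userland model of what the `limit src-addr 5` rule does in the kernel: a table keyed by source address (or, in a hypothetical per-service mode, by source address plus destination port) that counts open connections, refuses the sixth, and drops an entry as soon as its count reaches zero so the table never grows beyond the number of distinct active clients. The class name, the `per_port` option, the `max_entries` cap and the sample addresses are all assumptions made for this example; the cap mirrors the "1000 dynamic entries" figure mentioned above.

```python
"""Userland per-source-address connection limiter (added example, not from the thread).

Models the behaviour of an ipfw "limit src-addr N" rule: a hash table keyed
by source address holds the number of open connections from that address,
and a new connection is refused once the count reaches N.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# (src_addr, dst_port); dst_port is 0 when the limiter is not keyed per port.
Key = Tuple[str, int]


@dataclass
class ConnLimiter:
    limit: int = 5            # same meaning as the "5" in "limit src-addr 5"
    per_port: bool = False    # hypothetical: also key on destination port (per-service limit)
    max_entries: int = 1000   # cap on table size, like the dynamic-rule table mentioned above
    _table: Dict[Key, int] = field(default_factory=dict)

    def _key(self, src_addr: str, dst_port: int) -> Key:
        return (src_addr, dst_port if self.per_port else 0)

    def admit(self, src_addr: str, dst_port: int) -> bool:
        """Count a new connection and return True, or return False if it is over the limit."""
        key = self._key(src_addr, dst_port)
        count = self._table.get(key, 0)
        if count >= self.limit:
            return False
        if count == 0 and len(self._table) >= self.max_entries:
            # Table exhausted: fail closed rather than stop tracking new sources.
            return False
        self._table[key] = count + 1
        return True

    def release(self, src_addr: str, dst_port: int) -> None:
        """Record that a connection closed; delete the entry when its count hits zero."""
        key = self._key(src_addr, dst_port)
        count = self._table.get(key, 0)
        if count <= 1:
            self._table.pop(key, None)
        else:
            self._table[key] = count - 1

    def active(self, src_addr: str, dst_port: int = 0) -> int:
        return self._table.get(self._key(src_addr, dst_port), 0)

    def entries(self) -> int:
        """Number of live table entries: one per source (or source/port pair) with open connections."""
        return len(self._table)


def demo() -> dict:
    """Run the limiter over constructed connection attempts and report what happened."""
    lim = ConnLimiter(limit=5)
    # Seven attempts from one constructed address: five admitted, two refused.
    results = [lim.admit("10.0.0.1", 21) for _ in range(7)]
    other_host = lim.admit("10.0.0.2", 21)      # a different source is unaffected
    lim.release("10.0.0.1", 21)                 # one connection closes...
    after_release = lim.admit("10.0.0.1", 21)   # ...so the next attempt is admitted again

    # Per-port variant: two per (source, destination port) pair.
    per_port = ConnLimiter(limit=2, per_port=True)
    third_on_21 = [per_port.admit("10.0.0.3", 21) for _ in range(3)][-1]
    first_on_22 = per_port.admit("10.0.0.3", 22)
    per_port.release("10.0.0.3", 21)
    per_port.release("10.0.0.3", 21)            # entry for port 21 is now dropped

    return {
        "admitted": results.count(True),
        "refused": results.count(False),
        "other_host": other_host,
        "after_release": after_release,
        "entries": lim.entries(),
        "per_port_third": third_on_21,
        "per_port_other_port": first_on_22,
        "per_port_entries": per_port.entries(),
    }


if __name__ == "__main__":
    print(demo())
```

The dictionary lookup is constant time regardless of how many connections the server carries, which is the property Giorgos is asking about; the cost that does scale is memory, one entry per distinct source with open connections, which is exactly what the table-size cap bounds. In ipfw the corresponding cap on dynamic entries is the `net.inet.ip.fw.dyn_max` sysctl.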


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message