Re: [qmailtoaster] tcpserver limit patch

Wed, 24 Jan 2007 12:29:44 -0800 

Hi
Sure, I will add it tomorrow
if I remember how I added my other little tuts :)

Jean-Paul van de Plasse wrote:

Hey Philip,

No prob..
Maybe you can add this info to the wiki?

JP
----- Original Message ----- From: "Philip Nix Guru" <[EMAIL PROTECTED]>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Wednesday, January 24, 2007 9:12 PM
Subject: Re: [qmailtoaster] tcpserver limit patch



Hello
I tested the different functions
so far all seems to work good (didnt test DIEMSG though)

Thx JP
I used that patch a while ago and never had issues, so I am sure it will work fine 
maybe some docs for those who wanna use it could be helpful

just pasting infos from the .diff file

-------- cut here -----

+The variables are:
+
+(1) MAXLOAD + maximum 1-minute load average * 100. For example, if you have line + :allow,MAXLOAD="350" + in your rules file from which you created .cdb, the connection will be 
+    accepted only if load average is below 3.50
+
+    See COMPILING instructions above for info on supported systems.
+  +(2) MAXCONNIP
+ maximum connections from one IP address. tcpserver's -c flag defines 
+    maximum number of allowed connections, but it can be abused if
+ just one host goes wild and eats all the connections - no other host 
+    would be able to connect then. If you created your .cdb with:
+    :allow,MAXCONNIP="5"
+ and run tcpserver -c 50, then each IP address would be able to have at + most 5 concurrent connections, while there still could connect 50 
+    clients total.
+    0 is valid value and means 'always reject'
+
+(3) MAXCONNC
+
+ maximum connections from whole C-class (256 addresses). Extension of 
+    MAXCONNIP, as sometimes the problematic client has a whole farm of
+    client machines with different IP addresses instead of just one IP
+ address, and they all try to connect. It might have been more useful to + be able to specify CIDR block than C-class, but I've decided to KISS. 
+
+    for example tcpserver -c 200, and .cdb with:
+    :allow,MAXCONNC="15"
+    will allow at most 15 host from any x.y.z.0/24 address block, while
+    still allowing up to 200 total connections.
+    0 is valid value and means 'always reject'
+
+(4) DIEMSG
+ + if set and one of the above limits is exceeded, this is the message + to be sent to client (CRLF is always added to the text) before terminating + connection. If unset, the connection simply terminates (after 1 sec delay) + if limit is exceeded. 
+
+    For example:
+ DIEMSG="421 example.com Service temporarily not available, closing + transmission channel" 
+
+Notes: +
+- if a connection is dropped due to some of those variables set, it will be 
+  flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or
+ "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you + (eg. you have a strict log parsers), don't apply that chunk of the patch. 
+
+- the idea for this patch came from my previous experience with xinetd, and + need to limit incoming bursts of virus/spam SMTP connections, since I was + running qmail-scanner to scan incoming and outgoing messages for viruses 
+  and spam.
+
+When you make changes, please check that they work as expected. +
+Examples (for tcprules created .cdb)
+(a) 192.168.:allow,MAXLOAD="1000"
+    :allow,MAXCONNIP="3"
+
+    this would allow any connection from your local LAN (192.168.*.*
+ addresses) if system load is less than 10.00. non-LAN connections would + be accepted only if clients from that IP address have not already opened + more than 2 connections (as your connection would be last allowed -- 3rd) 
+
+(b) 192.168.:allow
+    5.6.7.8:allow,MAXCONNIP="3"
+    1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
+ :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable" 
+
+    if client connects from 192.168.*.* (ex: your LAN), it is allowed.
+    if it connects from 5.6.7.8 (ex: little abusive customer of yours),
+ it is allowed unless there are already 3active connections from 5.6.7.8 
+     to this service
+ if it connects from 1.2.*.* (ex: some problematic networks which caused + you grief in the past) it will connect only if load is less than 5.0, 
+     there is less than 5 active connections from whole C class
+ (1.2.*.0/24), and if that specific IP address does not already have 
+     connection open.
+ in all other cases, the client will be permitted to connect if load is + less than 10.00 and client has 2 or less connections open. If load is + higher than 10.00 or there are 3 or more connections open from this + client, the message "421 example.com unavailable" will be returned to + the client and connection terminated. 

--------- cut here -----------

_P
Jean-Paul van de Plasse wrote:

Thank you too, I just feel it is good to do something back..

I applied the patch and did not find any problems.
Have not tested the new functionality, since I do not really need it.
But the rpm can be downloaded at http://iserve01.i-serve.net/ucspi-tcp-toaster-0.88-1.3.4.src.rpm 
For more info see http://linux.voyager.hr/ucspi-tcp/
Maybe it can be placed on the devel site any time soon.

JP

----- Original Message ----- From: "Eric "Shubes"" <[EMAIL PROTECTED]>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Wednesday, January 24, 2007 5:03 PM
Subject: Re: [qmailtoaster] tcpserver limit patch



Thanks JP, for everything you do.

Jean-Paul van de Plasse wrote:

You need  ucspi-tcp-toaster-0.88-1.3.3.src.rpm from the devel site.

JP


----- Original Message ----- From: "Eric "Shubes"" <[EMAIL PROTECTED]>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Wednesday, January 24, 2007 4:40 PM
Subject: Re: [qmailtoaster] tcpserver limit patch



Thanks, JP.

BTW, do you know which qmail-toaster version I need for the rbl
timeout patch?

Jean-Paul van de Plasse wrote:

Hi,

Was a bit busy will do this today.

JP
----- Original Message ----- From: "Philip" <[EMAIL PROTECTED]>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Wednesday, January 24, 2007 12:12 PM
Subject: [qmailtoaster] tcpserver limit patch



Hello
Any news on implementing the tcp server limit patch ?
or is JP testing it ?

-P




--
-Eric 'shubes'

---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED] 





---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED] 




---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to