Hello
I tested the different functions.
So far all seems to work well (didn't test DIEMSG though).
Thanks JP
I used that patch a while ago and never had issues, so I am sure it
will work fine.
Maybe some docs for those who want to use it could be helpful.
Just pasting info from the .diff file:
-------- cut here -----
+The variables are:
+
+(1) MAXLOAD + maximum 1-minute load average * 100. For example,
if you have line
+ :allow,MAXLOAD="350" + in your rules file from which you
created .cdb, the connection will be
+ accepted only if load average is below 3.50
+
+ See COMPILING instructions above for info on supported systems.
+ +(2) MAXCONNIP
+ maximum connections from one IP address. tcpserver's -c flag
defines
+ maximum number of allowed connections, but it can be abused if
+ just one host goes wild and eats all the connections - no other
host
+ would be able to connect then. If you created your .cdb with:
+ :allow,MAXCONNIP="5"
+ and run tcpserver -c 50, then each IP address would be able to
have at + most 5 concurrent connections, while there still could
connect 50
+ clients total.
+ 0 is valid value and means 'always reject'
+
+(3) MAXCONNC
+
+ maximum connections from whole C-class (256 addresses).
Extension of
+ MAXCONNIP, as sometimes the problematic client has a whole farm of
+ client machines with different IP addresses instead of just one IP
+ address, and they all try to connect. It might have been more
useful to
+ be able to specify CIDR block than C-class, but I've decided to
KISS.
+
+ for example tcpserver -c 200, and .cdb with:
+ :allow,MAXCONNC="15"
+ will allow at most 15 host from any x.y.z.0/24 address block, while
+ still allowing up to 200 total connections.
+ 0 is valid value and means 'always reject'
+
+(4) DIEMSG
+ + if set and one of the above limits is exceeded, this is the
message + to be sent to client (CRLF is always added to the text)
before terminating
+ connection. If unset, the connection simply terminates (after 1
sec delay) + if limit is exceeded.
+
+ For example:
+ DIEMSG="421 example.com Service temporarily not available,
closing + transmission channel"
+
+Notes: +
+- if a connection is dropped due to some of those variables set, it
will be
+ flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or
+ "MAXCONNC:" at the end of the "tcpserver: deny" line. If that
bothers you
+ (eg. you have a strict log parsers), don't apply that chunk of the
patch.
+
+- the idea for this patch came from my previous experience with
xinetd, and
+ need to limit incoming bursts of virus/spam SMTP connections,
since I was
+ running qmail-scanner to scan incoming and outgoing messages for
viruses
+ and spam.
+
+When you make changes, please check that they work as expected. +
+Examples (for tcprules created .cdb)
+(a) 192.168.:allow,MAXLOAD="1000"
+ :allow,MAXCONNIP="3"
+
+ this would allow any connection from your local LAN (192.168.*.*
+ addresses) if system load is less than 10.00. non-LAN
connections would
+ be accepted only if clients from that IP address have not
already opened
+ more than 2 connections (as your connection would be last
allowed -- 3rd)
+
+(b) 192.168.:allow
+ 5.6.7.8:allow,MAXCONNIP="3"
+ 1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
+ :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com
unavailable"
+
+ if client connects from 192.168.*.* (ex: your LAN), it is allowed.
+ if it connects from 5.6.7.8 (ex: little abusive customer of yours),
+ it is allowed unless there are already 3active connections from
5.6.7.8
+ to this service
+ if it connects from 1.2.*.* (ex: some problematic networks which
caused
+ you grief in the past) it will connect only if load is less
than 5.0,
+ there is less than 5 active connections from whole C class
+ (1.2.*.0/24), and if that specific IP address does not already
have
+ connection open.
+ in all other cases, the client will be permitted to connect if
load is
+ less than 10.00 and client has 2 or less connections open. If
load is
+ higher than 10.00 or there are 3 or more connections open from
this
+ client, the message "421 example.com unavailable" will be
returned to + the client and connection terminated.
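Review bot: the deny-line tags in the Notes section do not match the variable names: a MAXLOAD rejection is flagged "LOAD:" while the other two are flagged "MAXCONNIP:" and "MAXCONNC:"; either rename the tag to "MAXLOAD:" or say in the MAXLOAD paragraph that its log tag is "LOAD:", because anyone writing the strict log parser the note warns about will grep for the variable name. Two smaller documentation points in the same text: MAXCONNC is defined as a count of connections from the C-class, but the example says "at most 15 host from any x.y.z.0/24", which should read "15 connections" (one host can hold several); and the boundary is worded differently in each place ("below 3.50" for MAXLOAD, "not ... more than 2 connections" for MAXCONNIP="3", "less than 5 active connections" for MAXCONNC="5"), so one sentence stating that a connection is accepted only while the measured value is strictly below the limit, which is also why 0 always rejects, would remove the ambiguity about the equal case.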
--------- cut here -----------
_P
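The rule semantics in the pasted patch documentation above are easy to get wrong at the boundaries, so here is a small simulator to try a rules file against before building the .cdb. This is an added example written for this page, not the patch's code and not anything from ucspi-tcp: it reproduces the IP-keyed tcprules lookup order (exact address, then dotted prefixes longest first, then the empty default) and the documented limit semantics, using the rule set from example (b) as constructed input. Hostname (=host) rules, the patch's real order of checks and the 1-second delay before the drop are not modelled; those are assumptions and are marked as such in the comments.

```python
from dataclasses import dataclass, field

# Constructed rule set in tcprules text syntax: example (b) from the patch
# documentation, as one would feed it to "tcprules rules.cdb rules.tmp".
RULES_TEXT = """\
192.168.:allow
5.6.7.8:allow,MAXCONNIP="3"
1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
:allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"
"""


def parse_rules(text):
    """Parse lines of the form  address:action,VAR="value",...  into
    {address: (action, {VAR: value})}.  Assumption: values contain no commas
    or double quotes, which holds for the variables discussed here."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, _, envpart = rest.partition(",")
        env = {}
        for item in filter(None, envpart.split(",")):
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (action, env)
    return rules


def lookup(rules, ip):
    """tcprules lookup order for IP-keyed rules: the exact address first, then
    dotted prefixes from longest to shortest, then the empty default address.
    Hostname-keyed (=host) rules are deliberately not modelled."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return key, rules[key]
    return None, ("deny", {})


@dataclass
class State:
    load1: float = 0.0                           # current 1-minute load average
    active: dict = field(default_factory=dict)   # ip -> connections open now


def cclass(ip):
    """The x.y.z. prefix that MAXCONNC counts over (a /24, as in the docs)."""
    return ".".join(ip.split(".")[:3]) + "."


def decide(rules, ip, state):
    """Return (allowed, tag, diemsg) for a new connection from ip.

    Semantics as documented: MAXLOAD is load*100 and the connection is taken
    only while the load is below it; MAXCONNIP and MAXCONNC count connections
    already open and admit the new one only while that count is below the
    limit, so a limit of 0 always rejects.  The tags mirror the suffixes the
    docs say tcpserver -v appends to its deny line.  Assumption: the checks
    run in the order LOAD, MAXCONNIP, MAXCONNC; the patch itself may differ.
    """
    _key, (action, env) = lookup(rules, ip)
    if action != "allow":
        return False, "deny", None
    diemsg = env.get("DIEMSG")
    if "MAXLOAD" in env and state.load1 * 100 >= int(env["MAXLOAD"]):
        return False, "LOAD", diemsg
    if "MAXCONNIP" in env and state.active.get(ip, 0) >= int(env["MAXCONNIP"]):
        return False, "MAXCONNIP", diemsg
    if "MAXCONNC" in env:
        prefix = cclass(ip)
        in_block = sum(n for a, n in state.active.items() if a.startswith(prefix))
        if in_block >= int(env["MAXCONNC"]):
            return False, "MAXCONNC", diemsg
    return True, "allow", None


EXAMPLE_RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed snapshot of a loaded server: load 4.00, a few open sessions.
    busy = State(load1=4.0, active={"1.2.3.9": 3, "1.2.3.10": 2, "10.0.0.1": 3})
    for client in ("192.168.1.1", "5.6.7.8", "1.2.3.4", "10.0.0.1"):
        print(client, decide(EXAMPLE_RULES, client, busy))
```

Run it directly to see the verdict for a few constructed clients on a loaded system; the tags it returns are the same "LOAD", "MAXCONNIP" and "MAXCONNC" strings the notes say tcpserver -v appends to its deny line, so the output can be compared with what the patched tcpserver logs once the real .cdb is in place.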
Jean-Paul van de Plasse wrote:
Thank you too, I just feel it is good to do something back.
I applied the patch and did not find any problems.
Have not tested the new functionality, since I do not really need it.
But the rpm can be downloaded at
http://iserve01.i-serve.net/ucspi-tcp-toaster-0.88-1.3.4.src.rpm
For more info see http://linux.voyager.hr/ucspi-tcp/
Maybe it can be placed on the devel site any time soon.
JP
----- Original Message ----- From: "Eric "Shubes"" <[EMAIL PROTECTED]>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Wednesday, January 24, 2007 5:03 PM
Subject: Re: [qmailtoaster] tcpserver limit patch
Thanks JP, for everything you do.
Jean-Paul van de Plasse wrote:
You need ucspi-tcp-toaster-0.88-1.3.3.src.rpm from the devel site.
JP
----- Original Message ----- From: "Eric "Shubes"" <[EMAIL PROTECTED]>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Wednesday, January 24, 2007 4:40 PM
Subject: Re: [qmailtoaster] tcpserver limit patch
Thanks, JP.
BTW, do you know which qmail-toaster version I need for the rbl
timeout patch?
Jean-Paul van de Plasse wrote:
Hi,
Was a bit busy will do this today.
JP
----- Original Message ----- From: "Philip" <[EMAIL PROTECTED]>
To: <qmailtoaster-list@qmailtoaster.com>
Sent: Wednesday, January 24, 2007 12:12 PM
Subject: [qmailtoaster] tcpserver limit patch
Hello
Any news on implementing the tcp server limit patch ?
or is JP testing it ?
-P
--
-Eric 'shubes'
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]