Re: Limiting number of connections to PostgreSQL per IP (not per DB/user)? - Mailing list pgsql-general

From Filip Rembiałkowski
Subject Re: Limiting number of connections to PostgreSQL per IP (not per DB/user)?
Date
Msg-id CAP_rwwkP4Oq78u+0NuLdm2KAeOwg_1Pk4od_+7udB1_hz2j1QQ@mail.gmail.com
In response to Re: Limiting number of connections to PostgreSQL per IP (not per DB/user)?  (Heiko Wundram <modelnine@modelnine.org>)
Responses Re: Limiting number of connections to PostgreSQL per IP (not per DB/user)?  (Tom Lane <tgl@sss.pgh.pa.us>)
Re: Limiting number of connections to PostgreSQL per IP (not per DB/user)?  (Heiko Wundram <modelnine@modelnine.org>)
List pgsql-general
On 29 November 2011 23:18, Heiko Wundram
<modelnine@modelnine.org> wrote:

> Okay, that's too bad that there's no standard way for this. The underlying
> OS is Linux (Gentoo, to be exact), and I'd already thought about setting up
> some form of iptables firewalling, but there's no real framework for this
> (i.e., "count" the number of connected TCP-sockets that originate from a
> single client) in iptables, only for connection throttling from the same
> source (which won't cut it, as there are "spikes" in connection setup where
> many connections are created almost at once, meaning that hashlimit or
> recent and the like are simply not suited to the task at hand). I just
> need/want to give a "hard" upper limit on the number of simultaneous
> connections from a single client as an Anti-DoS-measure - the clients aren't
> hostile, but their programming is broken...).
>

Did you look at connlimit?
http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit
AFAIK, it applies only to ESTABLISHED state, so maybe it suits you.

I'm not sure how you want to allow "many connections being created
almost at once" and "limit number of connections from same IP" at the
same time?

Anyway, we are going off-topic here...

regards
Filip
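
The distinction discussed in this message, as an added example that is not part of the original post: a small simulation contrasting a hard cap on simultaneous connections per source IP (the kind of limit connlimit is suggested for) with a new-connection rate limit (the hashlimit/recent style). The trace, IP addresses, limits and function names are constructed for illustration, and the code does not model iptables internals.

```python
from collections import defaultdict, deque

def sample_events():
    """Constructed trace of (time_s, client_ip, 'open' | 'close') tuples."""
    burst = [(0.01 * i, "10.0.0.5", "open") for i in range(8)]   # spike of 8
    burst += [(3.0, "10.0.0.5", "close")] * 8                    # all released
    leak = [(2.0 * i, "10.0.0.9", "open") for i in range(30)]    # never closed
    return sorted(burst + leak, key=lambda e: e[0])

def make_concurrent_cap(limit):
    """Admit while the client's simultaneous connections are below limit."""
    return lambda ip, t, active: active[ip] < limit

def make_rate_limit(max_new, window):
    """Admit at most max_new new connections per client per window seconds."""
    recent = defaultdict(deque)
    def admit(ip, t, active):
        q = recent[ip]
        while q and t - q[0] >= window:   # forget opens older than the window
            q.popleft()
        if len(q) >= max_new:
            return False
        q.append(t)
        return True
    return admit

def simulate(events, admit):
    """Return {ip: (accepted, rejected, peak_simultaneous)} under a policy."""
    active, stats = defaultdict(int), defaultdict(lambda: [0, 0, 0])
    for t, ip, kind in events:
        if kind == "close":
            # Clamp at zero: closes for connections the policy rejected are no-ops.
            active[ip] = max(0, active[ip] - 1)
        elif admit(ip, t, active):
            active[ip] += 1
            stats[ip][0] += 1
            stats[ip][2] = max(stats[ip][2], active[ip])
        else:
            stats[ip][1] += 1
    return {ip: tuple(s) for ip, s in stats.items()}

if __name__ == "__main__":
    events = sample_events()
    print("concurrent cap 10:", simulate(events, make_concurrent_cap(10)))
    print("rate limit 5/s   :", simulate(events, make_rate_limit(5, 1.0)))
```

The cap lets the short spike through and stops the client that never closes its connections; the rate limit does the opposite, which is why the two goals in the quoted question are compatible only under a simultaneous-connection limit.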
