> > You using iptables? What rules did you end up using to accomplish this?
>

Using OpenBSD's Packet Filter. It's not perfect; I have to set the connection limit quite high (at 36) because the connection state stays in the firewall for about a minute even during the FIN_WAIT_2 stage. Here are my rules from pf.conf:

set optimization aggressive
ext_if = "em0"
# This will allow Slowloris attack from localhost, but that's OK.
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
    synproxy state (source-track rule, max-src-conn 36, if-bound)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
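
Added example, not part of the original post and not pf's own code: a toy model of why lingering state forces a high max-src-conn. It assumes a constructed client pattern (6 parallel connections per page, one page every 12 s, each connection open for 2 s) and takes "about a minute" as 60 s; the function names are hypothetical.

```python
"""Toy model of per-source state counting (constructed; not pf's state machine)."""


def peak_states(opens, duration, linger):
    """Peak number of simultaneous firewall states held for one source.

    opens    -- times (s) at which the source opens a connection
    duration -- seconds each connection is open before the client closes it
    linger   -- seconds the firewall keeps the state after the close
    """
    events = []
    for t in opens:
        events.append((t, 1))                       # state created
        events.append((t + duration + linger, -1))  # state expires
    live = peak = 0
    # Tuples sort so that, at equal timestamps, expiry (-1) precedes creation (+1).
    for _, delta in sorted(events):
        live += delta
        peak = max(peak, live)
    return peak


def admitted(opens, duration, linger, max_src_conn):
    """Open times that a per-source limit lets through.

    A rejected connection creates no state, as with a per-source state cap.
    """
    expiry = []  # expiry times of states currently counted for this source
    ok = []
    for t in sorted(opens):
        expiry = [e for e in expiry if e > t]  # drop states that have expired
        if len(expiry) < max_src_conn:
            expiry.append(t + duration + linger)
            ok.append(t)
    return ok


# Constructed sample: 10 page loads, 12 s apart, 6 parallel connections each.
SAMPLE_OPENS = [page for page in range(0, 120, 12) for _ in range(6)]

if __name__ == "__main__":
    for linger in (0, 60):
        print(f"linger={linger:>2}s  peak states={peak_states(SAMPLE_OPENS, 2, linger)}")
    for limit in (36, 35, 12):
        n = len(admitted(SAMPLE_OPENS, 2, 60, limit))
        print(f"max-src-conn={limit:>2}  admitted {n}/{len(SAMPLE_OPENS)}")
```

In this model the same well-behaved client never holds more than 6 states when state is dropped at close, but reaches 36 when each state lingers for 60 s, so any lower limit starts rejecting legitimate connections.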