> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Spam User
> Sent: Wednesday, December 07, 2005 5:18 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: stop accepting new connections on port 80
>
> > I don't know exactly how you're determining the above: is it a long
> > download that gets killed? HTTP opens at least (and usually only) one
> > connection per page so the problem may be that the connection is
> > already closed even though the page is still being viewed. Unless you
> > are downloading something it's not likely your connection will last
> > much longer than four or five seconds on a heavily graphical page with
> > broadband.
>
> I had sort of thought about this, but then I thought that's
> what the related and established rules took care of.
>
> I suppose it would be more helpful if the end goal was
> known. To be more specific, I should have included that we
> use PHP sessions and what I'd like to do is keep the session
> open until all the currently open PHP sessions are closed
> (serve active sessions, don't accept new connections).
>
> I was hoping that the connection tracking would be associated
> to the sessions (not by session id or anything, but by the
> relationship of the established connections from the caller),
> so if user A looked at page X then 10 seconds later looked at
> page Y, netfilter would know because that client had had
> established connections - I suppose I can see the flaws in
> that logic though. I thought that the caller's connection
> info being in a TIME_WAIT state would possibly mean something
> to iptables.

Not knowing exactly how conntrack determines when a connection is closing, I don't think I can help with explaining that. However, each page load is a different TCP connection (and the client may use a different source port), so it would make sense to me that conntrack would process it that way.

> I know this isn't an apache/php list, but maybe that's where I
> should be headed? Something like sending apache a USR1
> signal, but instead of accepting new connections with the new
> config, just don't accept new connections until the daemon is
> restarted.
>
> In any case, thanks for your speedy response.

If you can get your hands on the PHP, I'd start there. You could (a) have PHP check for the existence of some flag file (say, /var/.STOP_SESSIONs) and deny new sessions or (b) do that in the database to cut down on I/O if you've got a busy server. I don't know enough about the inner workings of Apache to suggest a solution with that.

Derick Anderson
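One way to implement the flag-file suggestion from the reply above, as an added example that is not from the thread or any of its participants: the application keeps serving requests that carry a session it actually issued, and answers everything else with a 503 while the flag exists. The flag path is the one named in the reply; the `started_at` session key and the 30-second `Retry-After` are assumptions of this example.

```php
<?php
// Added example (not from the thread): "drain mode" for a PHP application.
// While the flag file exists, requests with an existing, server-issued
// session are served; requests without one get a 503 so the client can
// retry elsewhere. Conntrack cannot see application sessions, so this
// decision has to live in the application.

declare(strict_types=1);

const DRAIN_FLAG = '/var/.STOP_SESSIONs';   // path suggested in the reply

// Make PHP reject session ids it never issued; otherwise a client could
// bypass the drain simply by presenting an invented cookie value.
ini_set('session.use_strict_mode', '1');

function draining(): bool
{
    // Long-running FPM workers cache stat results; refresh so the flag is
    // noticed promptly after the operator creates it.
    clearstatcache(true, DRAIN_FLAG);
    return file_exists(DRAIN_FLAG);
}

function hasExistingSession(): bool
{
    if (!isset($_COOKIE[session_name()])) {
        return false;                        // no cookie at all: a new visitor
    }
    session_start();
    // Under strict mode an unknown id yields a fresh, empty session, so
    // "we never wrote started_at" means "this is not a session we issued".
    return !empty($_SESSION['started_at']);
}

function admit(): bool
{
    if (!draining()) {
        session_start();
        $_SESSION['started_at'] = $_SESSION['started_at'] ?? time();
        return true;
    }
    if (hasExistingSession()) {
        return true;                         // keep serving active sessions
    }
    http_response_code(503);
    header('Retry-After: 30');               // assumed value
    header('Connection: close');
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();                   // drop the empty session created above
    }
    return false;
}

if (!admit()) {
    exit('Server is draining; please retry shortly.');
}
// normal page logic follows
```

Creating the flag file starts the drain and removing it ends it; once the session store no longer holds any `started_at` entries, the daemon can be restarted without cutting off an active user.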