Re: conntrack and RSTs received during CLOSE_WAIT

Jozsef Kadlecsik wrote:

> No, you are correct.

Hmmm, okay. I must say I'm a little surprised by that. I've seen plenty of people using connlimit and connbytes (for example) to protect against all kinds of things, and I don't think it's widely known that it's trivial for an attacker to bypass those restrictions.

Anyway, though:

> If you want to eliminate the possibility to bypass connlimit with properly crafted RST segments, probably you should use the recent match and count the created NEW connections.

My goal with connlimit is to limit simultaneous connections so that it prevents a single client from using up all the Apache process slots.

However, I don't want to limit how many connections they can open in a period of time.

For example, it's perfectly fine for someone to open, say, 500 connections per minute, as long as they don't open more than 40 at a time. But I do need to block the 41st simultaneous connection even from people who open up connections very slowly, such as someone who opens up just five connections per hour and never closes them.

Is that something the "recent" feature can help with? I'm not seeing how that's possible, but perhaps I'm missing something.

Thanks again for the help!

--
Robert L Mathews, Tiger Technologies    http://www.tigertech.net/
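
The following is an added example, not part of the original message or of netfilter: a small simulation of the two policies discussed above, run over the two client patterns the message describes (500 short connections in a minute, and five per hour that are never closed). The function names, the traces and the simplified "recent"-style model (a sliding-window count of new connection attempts) are assumptions made for illustration, and the concurrent-limit model assumes the tracked connection state matches the real state.

```python
from collections import deque

def make_trace(count, interval_ms, lifetime_ms=None):
    """Constructed trace of (time_ms, kind, conn_id); lifetime None = never closed."""
    events = []
    for i in range(count):
        events.append((i * interval_ms, "open", i))
        if lifetime_ms is not None:
            events.append((i * interval_ms + lifetime_ms, "close", i))
    return sorted(events)  # at equal times "close" sorts before "open"

def concurrent_limit(events, limit):
    """connlimit-style: reject an open while `limit` connections are active."""
    active, rejected = set(), set()
    for _, kind, cid in events:
        if kind == "close":
            active.discard(cid)
        elif len(active) >= limit:
            rejected.add(cid)
        else:
            active.add(cid)
    return rejected

def windowed_new_limit(events, window_ms, max_new):
    """recent-style (simplified): reject once max_new attempts were already
    seen inside the window. Closes are invisible to this policy."""
    hits, rejected = deque(), set()
    for t, kind, cid in events:
        if kind != "open":
            continue
        while hits and hits[0] <= t - window_ms:
            hits.popleft()          # forget attempts older than the window
        if len(hits) >= max_new:
            rejected.add(cid)
        hits.append(t)              # every attempt is recorded
    return rejected

# Constructed clients: 500 connections in one minute, each open for 4 s,
# and 45 connections opened 12 minutes apart (5 per hour), never closed.
BUSY = make_trace(500, 120, 4000)
SLOW = make_trace(45, 720_000)

if __name__ == "__main__":
    nine_hours = 9 * 3600 * 1000
    print("concurrent 40     busy:", len(concurrent_limit(BUSY, 40)),
          "slow:", len(concurrent_limit(SLOW, 40)))
    print("window 60s/500    busy:", len(windowed_new_limit(BUSY, 60_000, 500)),
          "slow:", len(windowed_new_limit(SLOW, 60_000, 500)))
    print("window 9h/40      busy:", len(windowed_new_limit(BUSY, nine_hours, 40)),
          "slow:", len(windowed_new_limit(SLOW, nine_hours, 40)))
```

In this model a window short enough to permit the busy client never rejects the slow one, and a window long enough to stop the slow client's 41st connection also rejects most of the busy client's connections.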