On 3/29/11 12:56 AM, N dhert wrote:
> I have shorewall-4.4.17.
> Recently I had some machine on the internet trying to fetch a large file
> (500 Mb) from our website and starting a huge number of connections to
> our webserver (almost 100), which made the load of the machine very
> high and almost brought it down ..
> I read http://shorewall.net/Actions.html "Limiting Per-IP Connection
> Rate using the Limit Action"
> a line
> Limit:info:HTTPA,10,600 net serv tcp 80
> would limit any IP to maximum 10 httpd connections to my webserver
> during 10 minutes.
> Does this mean he can open an 11th, 12th ... to 20th connection after a
> 10 minutes wait after the 10th connection started and so on?
> This way, although slower, still a large number of connections could be
> started.
>
> Limit:info:HTTPA,10,86400 ...
> would be max 10 in 1 day (24 hours), is such a large number of seconds
> acceptable in shorewall?
>
> Or what would be the best way to limit the number of HTTP connections by
> a single IP address at any time?
There really is none.
Limit is deprecated in favor of per-IP limiting in the RATE LIMIT column
of the rules file. And there is no mechanism in Shorewall to limit the
total number of connections.
Sorry
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
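As an added illustration of the alternative Tom points to (not part of the original thread), here is the thread's Limit line next to an equivalent rules-file entry using the per-IP RATE LIMIT column. The zone names `net` and `serv` are taken from the question; the rate and burst values are an assumption chosen to match the "10 connections per window" intent.

```text
# /etc/shorewall/rules (Shorewall 4.4.x column layout)
#ACTION               SOURCE  DEST  PROTO  DEST  SOURCE  ORIGINAL  RATE
#                                          PORT  PORT    DEST      LIMIT

# Deprecated form from the thread: the Limit action with the recent match,
# 10 hits per 600 seconds per source IP, logged at info level.
Limit:info:HTTPA,10,600  net   serv  tcp    80

# Preferred form: per-source limiting in the RATE LIMIT column (hashlimit).
# "s:" keys the limit on the source address; "10/min" is the sustained
# rate of new connections allowed per source; ":20" is the burst size.
# Assumed values, tune to the site's traffic.
ACCEPT                net     serv  tcp    80    -       -         s:10/min:20

# Optional: log new connections from sources that exceed the limit before
# dropping them (the RATE LIMIT applies to the rule above; anything that
# falls through is caught here).
DROP:info             net     serv  tcp    80
```

The RATE LIMIT column limits the rate of *new* connections per source address, not the number of simultaneous connections, so it addresses the burst the question describes rather than a hard ceiling on open connections at any one time.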