This is a discussion on Re: max # of connections per IP ? within the IPFilter forums, part of the System Security and Security Related category.
Quoting Alessandro de Manzano (ale@unixmania.net):

> I'd ask you all some hints about a policy rule I have to implement in
> my firewall.
>
> I'm currently using IPF 3.4.29 on a FreeBSD 4.8 box and now I've been
> told to limit number of connections for a single source IP.

Hmmm, ipf, afaik, doesn't do this. Why? Because there is no good technical reason for it, really. You've got a request coming from ISO layer 8 (the political layer) to do something at layer 4. In this situation, I might try to divine what the problem or threat is that they believe this will address.

Note also that I can run mozilla and perhaps go to a bookmark that opens 5 tabs, and each tab opens 8 HTTP connections, and that one "go to bookmark" creates 40 TCP connections. Is this wrong? No, it's well within the specs of HTTP and TCP/IP. Is this bad? Not really. Could this cause problems? Sure, I could run out of TCP connections on the firewall, but that's better handled by (1) a web proxy and (2) tuning of the client. If BANDWIDTH is a problem, that too is best handled elsewhere.

This smells to me of a semi-technical person perceiving a solution to a problem and mandating that when correct and implementable solutions exist.