TCP Server limits configuration

From QmailToaster
Jump to navigation Jump to search

http://iserve01.i-serve.net/ucspi-tcp-toaster-0.88-1.3.4.src.rpm

The variables are:

(1) MAXLOAD

   maximum 1-minute load average * 100. For example, if you have line
   :allow,MAXLOAD="350" 
   in your rules file from which you created .cdb, the connection will be
   accepted only if load average is below 3.50


(2) MAXCONNIP

   maximum connections from one IP address. tcpserver's -c flag defines
   maximum number of allowed connections, but it can be abused if
   just one host goes wild and eats all the connections - no other host
   would be able to connect then. If you created your .cdb with:
   :allow,MAXCONNIP="5"
   and run tcpserver -c 50, then each IP address would be able to have at 
   most 5 concurrent connections, while there still could connect 50
   clients total.
   0 is valid value and means 'always reject'

(3) MAXCONNC

   maximum connections from whole C-class (256 addresses). Extension of
   MAXCONNIP, as sometimes the problematic client has a whole farm of
   client machines with different IP addresses instead of just one IP
   address, and they all try to connect. It might have been more useful to
   be able to specify CIDR block than C-class, but I've decided to KISS.
   for example tcpserver -c 200, and .cdb with:
   :allow,MAXCONNC="15"
   will allow at most 15 host from any x.y.z.0/24 address block, while
   still allowing up to 200 total connections.
   0 is valid value and means 'always reject'

(4) DIEMSG

   if set and one of the above limits is exceeded, this is the message 
   to be sent to client (CRLF is always added to the text) before terminating
   connection. If unset, the connection simply terminates (after 1 sec delay) 
   if limit is exceeded.
   For example:
   DIEMSG="421 example.com Service temporarily not available, closing 
   transmission channel"

Notes:

- if a connection is dropped due to some of those variables set, it will be

 flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or
 "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you
 (eg. you have a strict log parsers), don't apply that chunk of the patch.


When you make changes, please check that they work as expected.

Examples (for tcprules created .cdb) (a) 192.168.:allow,MAXLOAD="1000"

   :allow,MAXCONNIP="3"
   this would allow any connection from your local LAN (192.168.*.*
   addresses) if system load is less than 10.00. non-LAN connections would
   be accepted only if clients from that IP address have not already opened
   more than 2 connections (as your connection would be last allowed -- 3rd)

(b) 192.168.:allow

   5.6.7.8:allow,MAXCONNIP="3"
   1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
   :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"
   if client connects from 192.168.*.* (ex: your LAN), it is allowed.
   if it connects from 5.6.7.8 (ex: little abusive customer of yours),
    it is allowed unless there are already 3active connections from 5.6.7.8
    to this service
   if it connects from 1.2.*.* (ex: some problematic networks which caused
    you grief in the past) it will connect only if load is less than 5.0,
    there is less than 5 active connections from whole C class
    (1.2.*.0/24), and if that specific IP address does not already have
    connection open.
   in all other cases, the client will be permitted to connect if load is
    less than 10.00 and client has 2 or less connections open. If load is
    higher than 10.00 or there are 3 or more connections open from this
    client, the message "421 example.com unavailable" will be returned to 
    the client and connection terminated.