http://wiki.qmailtoaster.org:80/index.php?action=history&feed=atom&title=TCP_Server_limits_configurationTCP Server limits configuration - Revision history2026-04-29T11:00:25ZRevision history for this page on the wikiMediaWiki 1.41.0http://wiki.qmailtoaster.org:80/index.php?title=TCP_Server_limits_configuration&diff=166&oldid=prevEbroch: Created page with "http://iserve01.i-serve.net/ucspi-tcp-toaster-0.88-1.3.4.src.rpm The variables are: (1) MAXLOAD maximum 1-minute load average * 100. For example, if you have line :allow,MAXLOAD="350" in your rules file from which you created .cdb, the connection will be accepted only if load average is below 3.50 (2) MAXCONNIP maximum connections from one IP address. tcpserver's -c flag defines maximum number of allowed connections, but it can be abused i..."2024-03-16T16:56:26Z<p>Created page with "http://iserve01.i-serve.net/ucspi-tcp-toaster-0.88-1.3.4.src.rpm The variables are: (1) MAXLOAD maximum 1-minute load average * 100. For example, if you have line :allow,MAXLOAD="350" in your rules file from which you created .cdb, the connection will be accepted only if load average is below 3.50 (2) MAXCONNIP maximum connections from one IP address. tcpserver's -c flag defines maximum number of allowed connections, but it can be abused i..."</p>
<p><b>New page</b></p><div>http://iserve01.i-serve.net/ucspi-tcp-toaster-0.88-1.3.4.src.rpm<br />
<br />
The variables are:<br />
<br />
(1) MAXLOAD <br />
maximum 1-minute load average * 100. For example, if you have line<br />
:allow,MAXLOAD="350" <br />
in your rules file from which you created .cdb, the connection will be<br />
accepted only if load average is below 3.50<br />
<br />
<br />
(2) MAXCONNIP<br />
maximum connections from one IP address. tcpserver's -c flag defines<br />
maximum number of allowed connections, but it can be abused if<br />
just one host goes wild and eats all the connections - no other host<br />
would be able to connect then. If you created your .cdb with:<br />
:allow,MAXCONNIP="5"<br />
and run tcpserver -c 50, then each IP address would be able to have at <br />
most 5 concurrent connections, while there still could connect 50<br />
clients total.<br />
0 is valid value and means 'always reject'<br />
<br />
(3) MAXCONNC<br />
<br />
maximum connections from whole C-class (256 addresses). Extension of<br />
MAXCONNIP, as sometimes the problematic client has a whole farm of<br />
client machines with different IP addresses instead of just one IP<br />
address, and they all try to connect. It might have been more useful to<br />
be able to specify CIDR block than C-class, but I've decided to KISS.<br />
<br />
for example tcpserver -c 200, and .cdb with:<br />
:allow,MAXCONNC="15"<br />
will allow at most 15 host from any x.y.z.0/24 address block, while<br />
still allowing up to 200 total connections.<br />
0 is valid value and means 'always reject'<br />
<br />
(4) DIEMSG<br />
<br />
if set and one of the above limits is exceeded, this is the message <br />
to be sent to client (CRLF is always added to the text) before terminating<br />
connection. If unset, the connection simply terminates (after 1 sec delay) <br />
if limit is exceeded.<br />
<br />
For example:<br />
DIEMSG="421 example.com Service temporarily not available, closing <br />
transmission channel"<br />
<br />
Notes: <br />
<br />
- if a connection is dropped due to some of those variables set, it will be<br />
flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or<br />
"MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you<br />
(eg. you have a strict log parsers), don't apply that chunk of the patch.<br />
<br />
<br />
When you make changes, please check that they work as expected. <br />
<br />
Examples (for tcprules created .cdb)<br />
(a) 192.168.:allow,MAXLOAD="1000"<br />
:allow,MAXCONNIP="3"<br />
<br />
this would allow any connection from your local LAN (192.168.*.*<br />
addresses) if system load is less than 10.00. non-LAN connections would<br />
be accepted only if clients from that IP address have not already opened<br />
more than 2 connections (as your connection would be last allowed -- 3rd)<br />
<br />
(b) 192.168.:allow<br />
5.6.7.8:allow,MAXCONNIP="3"<br />
1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"<br />
:allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"<br />
<br />
if client connects from 192.168.*.* (ex: your LAN), it is allowed.<br />
if it connects from 5.6.7.8 (ex: little abusive customer of yours),<br />
it is allowed unless there are already 3active connections from 5.6.7.8<br />
to this service<br />
if it connects from 1.2.*.* (ex: some problematic networks which caused<br />
you grief in the past) it will connect only if load is less than 5.0,<br />
there is less than 5 active connections from whole C class<br />
(1.2.*.0/24), and if that specific IP address does not already have<br />
connection open.<br />
in all other cases, the client will be permitted to connect if load is<br />
less than 10.00 and client has 2 or less connections open. If load is<br />
higher than 10.00 or there are 3 or more connections open from this<br />
client, the message "421 example.com unavailable" will be returned to <br />
the client and connection terminated.</div>Ebroch