TCP Server limits configuration
From Qmailtoaster
http://iserve01.i-serve.net/ucspi-tcp-toaster-0.88-1.3.4.src.rpm
The variables are:
(1) MAXLOAD
maximum 1-minute load average * 100. For example, if you have line :allow,MAXLOAD="350" in your rules file from which you created .cdb, the connection will be accepted only if load average is below 3.50
(2) MAXCONNIP
maximum connections from one IP address. tcpserver's -c flag defines maximum number of allowed connections, but it can be abused if just one host goes wild and eats all the connections - no other host would be able to connect then. If you created your .cdb with: :allow,MAXCONNIP="5" and run tcpserver -c 50, then each IP address would be able to have at most 5 concurrent connections, while there still could connect 50 clients total. 0 is valid value and means 'always reject'
(3) MAXCONNC
maximum connections from whole C-class (256 addresses). Extension of MAXCONNIP, as sometimes the problematic client has a whole farm of client machines with different IP addresses instead of just one IP address, and they all try to connect. It might have been more useful to be able to specify CIDR block than C-class, but I've decided to KISS.
for example tcpserver -c 200, and .cdb with: :allow,MAXCONNC="15" will allow at most 15 host from any x.y.z.0/24 address block, while still allowing up to 200 total connections. 0 is valid value and means 'always reject'
(4) DIEMSG
if set and one of the above limits is exceeded, this is the message to be sent to client (CRLF is always added to the text) before terminating connection. If unset, the connection simply terminates (after 1 sec delay) if limit is exceeded.
For example: DIEMSG="421 example.com Service temporarily not available, closing transmission channel"
Notes:
- if a connection is dropped due to some of those variables set, it will be
flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you (eg. you have a strict log parsers), don't apply that chunk of the patch.
When you make changes, please check that they work as expected.
Examples (for tcprules created .cdb) (a) 192.168.:allow,MAXLOAD="1000"
:allow,MAXCONNIP="3"
this would allow any connection from your local LAN (192.168.*.* addresses) if system load is less than 10.00. non-LAN connections would be accepted only if clients from that IP address have not already opened more than 2 connections (as your connection would be last allowed -- 3rd)
(b) 192.168.:allow
5.6.7.8:allow,MAXCONNIP="3" 1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5" :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"
if client connects from 192.168.*.* (ex: your LAN), it is allowed. if it connects from 5.6.7.8 (ex: little abusive customer of yours), it is allowed unless there are already 3active connections from 5.6.7.8 to this service if it connects from 1.2.*.* (ex: some problematic networks which caused you grief in the past) it will connect only if load is less than 5.0, there is less than 5 active connections from whole C class (1.2.*.0/24), and if that specific IP address does not already have connection open. in all other cases, the client will be permitted to connect if load is less than 10.00 and client has 2 or less connections open. If load is higher than 10.00 or there are 3 or more connections open from this client, the message "421 example.com unavailable" will be returned to the client and connection terminated.