Yep, synproxy is your answer for OpenBSD. For Linux or FreeBSD, try enabling SYN cookies.

On Dec 11, 2007 5:43 AM, knitti <[EMAIL PROTECTED]> wrote:
> On 12/11/07, Raimo Niskanen <[EMAIL PROTECTED]> wrote:
> > I want to know if and what I can do (on the server side) about HTTP
> > clients that put sockets on my httpd server in state CLOSE_WAIT and
> > thereby chew up all sockets for the server causing a kind of
> > denial of service state.
> >
> > And yes, I have googled for "HPPT server socket CLOSE_WAIT" and
> > did not get much wiser.
>
> If I understand correctly you could try synproxy states with pf and let these
> states expire rapidly. If the states expire, I *think* pf should end the
> connection completely, so your half-closed sockets don't get stale.
> BUT perhaps I didn't get it at all and this makes no sense ;)
>
> --knitti
>

--
Systems Programmer, Principal
Electrical & Computer Engineering
The University of Arizona
[EMAIL PROTECTED]