On Mon 30 Jul 2007, Stefan Winter wrote:
> Hi,
>
> > It is an issue that has been discussed previously and FreeRADIUS is
> > unlikely to ever do an SQL SELECT of the nas table for every inbound
> > packet. What may be possible is to reload the nas list at certain
> > intervals (from cron is the easiest) but until/unless HUP handling is
> > improved that is problematic for deployments that need to keep session
> > state (ie. EAP users). If you don't use EAP, then there is no problem
> > doing a full restart on a regular basis..
>
> regular checks still would be a waste of resources most of the time (how
> often do you add a NAS?). How about:
>
> - doing the SQL query when it encounters a request from a new, unknown IP
>   address,
> - RATE-LIMITED to once per minute or so.
>
> That would make re-reading event-driven, and not make the server be DoS'ed
> when a wave of fake requests comes in.
> Not sure how difficult to implement this though...
Yes. I think this would be a reasonable option, which should default to off. This should of course be rate limited to one re-read per minute for the whole server, not per source IP, as spoofing UDP packets is obviously not terribly difficult..

--
Peter Nixon
http://peternixon.net/

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
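A sketch of the event-driven, server-wide rate-limited re-read discussed in this thread, added here as an example (not FreeRADIUS code; the `loader` callable and the fake clock are assumptions standing in for the SQL query against the nas table and the real clock):

```python
import time
from typing import Callable, Dict, Optional


class NasCache:
    """In-memory copy of the nas table; an unknown source IP may trigger a re-read."""

    def __init__(self, loader: Callable[[], Dict[str, str]],
                 min_interval: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._loader = loader            # stands in for SELECT ... FROM nas
        self._min_interval = min_interval
        self._clock = clock
        self._clients = loader()
        self._last_reload = clock()
        self.reload_count = 1

    def _maybe_reload(self) -> bool:
        # One limit for the whole server, not per source IP: a flood of
        # spoofed unknown addresses costs at most one query per interval.
        now = self._clock()
        if now - self._last_reload < self._min_interval:
            return False                 # rate limit: keep the stale list
        self._clients = self._loader()
        self._last_reload = now
        self.reload_count += 1
        return True

    def lookup(self, src_ip: str) -> Optional[str]:
        # Return the shared secret for src_ip, or None if still unknown.
        secret = self._clients.get(src_ip)
        if secret is None and self._maybe_reload():
            secret = self._clients.get(src_ip)
        return secret


def demo() -> Dict[str, int]:
    """Constructed scenario: a NAS row is added, then unknown IPs flood in."""
    table = {"192.0.2.10": "secret-a"}   # constructed nas table contents
    clock = [0.0]                        # fake clock, in seconds
    cache = NasCache(lambda: dict(table), clock=lambda: clock[0])
    table["203.0.113.5"] = "secret-b"    # admin inserts a new NAS row
    early = cache.lookup("203.0.113.5")  # <60s since last load: still None
    clock[0] = 61.0
    late = cache.lookup("203.0.113.5")   # reload allowed now: found
    for i in range(200):                 # spoofed flood from unknown sources
        cache.lookup(f"198.51.100.{i}")
    return {"early_found": int(early is not None),
            "late_found": int(late is not None),
            "reloads": cache.reload_count}
```

The flood of 200 unknown addresses after the reload triggers no further query, which is the property the reply above asks for.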

