Hey Frank, you responded to my question along these lines a couple of weeks ago, small world :-)
We're actually both right, because my original answer was incomplete: you _can_ have a rule per /15, and connection-limit each rule. Currently you only have 1000 queues, however :-(

You're right because his real requirement (and mine!) would be solved much better if resource allocation (connections & bandwidth) could be defined with DDoS in mind, e.g.: "If the state table has >100 connections from anyhost/24:any to mysrv/32:80, do not allow any more that match this criterion."

I guess this could be done by having a (smarter) userland-configurable state management engine. The performance impact of such resource protection would, I'd guess, be harsh compared to normal lightning packet throughput, but I for one am convinced such protection is worth the higher memory/CPU drain.

I think I'll start some kernel hacking when I'm done re-engineering devitto.com mail.

PS. I don't believe that anything else can do this kind of thing either (maybe Packeteer?), in particular being able to cut the whole internet into class-Cs and fairly share the connections/bandwidth available.

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Tel. 07855 805 271
http://www.devitto.com
mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
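The per-source-network state cap sketched in the message above ("more than 100 states from anyhost/24 to mysrv/32:80, refuse further matches"), as an added userland model in Python. This is illustration code written for this page, not pf's state engine and not the poster's code; the protected address 198.51.100.10:80, the /24 bucket width, the 100-state cap and the flood traffic are all constructed for the example.

```python
"""Userland model of a per-source-/24 state limit in front of one service.

Added example, not pf code and not the poster's code. Every address, port
and limit below is constructed for illustration.
"""
import ipaddress
from collections import defaultdict


class SourceNetStateLimiter:
    """Toy state table that caps concurrent states per source network."""

    def __init__(self, protected=("198.51.100.10", 80), prefix_len=24, max_states=100):
        self.protected = protected        # (dst_ip, dst_port) the rule applies to (constructed)
        self.prefix_len = prefix_len      # aggregate sources into /24 ("class-C") buckets
        self.max_states = max_states      # concurrent states allowed per bucket
        self.states = defaultdict(set)    # bucket -> {(src_ip, src_port), ...}
        self.rejected = defaultdict(int)  # bucket -> number of refused connections

    def _bucket(self, src_ip):
        # strict=False masks the host bits: 203.0.113.77/24 -> 203.0.113.0/24
        return ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)

    def open_state(self, src_ip, src_port, dst_ip, dst_port):
        """Return True if the new connection is admitted into the state table."""
        if (dst_ip, dst_port) != self.protected:
            return True                   # not covered by this rule; pass untouched
        bucket = self._bucket(src_ip)
        if len(self.states[bucket]) >= self.max_states:
            self.rejected[bucket] += 1
            return False                  # bucket exhausted: refuse further matches
        self.states[bucket].add((src_ip, src_port))
        return True

    def close_state(self, src_ip, src_port):
        """A finished or expired connection frees one slot in its bucket."""
        self.states[self._bucket(src_ip)].discard((src_ip, src_port))

    def open_states(self, src_ip):
        """Number of states currently held by src_ip's bucket."""
        return len(self.states[self._bucket(src_ip)])


def simulate():
    """Constructed traffic: 150 hosts in 203.0.113.0/24 each open one
    connection to the protected port, while one client in 192.0.2.0/24
    connects once. Returns the outcomes so they can be checked."""
    fw = SourceNetStateLimiter()
    dst = fw.protected
    flood_admitted = sum(
        fw.open_state(f"203.0.113.{host}", 40000 + host, *dst)
        for host in range(1, 151)
    )
    result = {
        "flood_admitted": flood_admitted,                           # first 100 get in
        "flood_rejected": fw.rejected[fw._bucket("203.0.113.1")],   # remaining 50 refused
        # a different /24 has its own budget and is unaffected by the flood
        "legit_admitted": fw.open_state("192.0.2.5", 51000, *dst),
        # traffic to a port the rule does not cover is not counted at all
        "other_port_admitted": fw.open_state("203.0.113.9", 52000, dst[0], 25),
    }
    # one flood state ends, so exactly one more match from that /24 fits
    fw.close_state("203.0.113.1", 40001)
    result["admitted_after_close"] = fw.open_state("203.0.113.200", 45000, *dst)
    result["flood_open_states"] = fw.open_states("203.0.113.200")
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would weigh before putting this in a kernel path: keying on /24 means a legitimate campus or NAT pool sharing a /24 with one misbehaving host gets throttled along with it, and an attacker spread across many /24s stays under the cap in every bucket. Whatever the bucket width, states must actually be closed or expired, otherwise a bucket fills once and never drains.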
