On Fri, Oct 01, 1999 at 11:09:10AM -0700, Johannes Erdfelt wrote:
> Both work for me fine. I dunno what people's big gripes against inetd
> are. It works damn well for almost every service that doesn't have high
> loads. In 99% of people's cases who use mail, they won't get more than
> 40 hits a second, and if they do, increase it. I run it with a 10000 hit
> maximum on a relatively busy mail server (close to 100,000 incoming messages
> a day)

And what happens when somebody tries to actively attack your system?
With these limits, I expect that a remote user could make your system
run out of FDs in a few minutes, not to mention memory.  With a limit of
10000, I could probably open up a thousand or so connections a minute
without triggering any of inetd's limits, and leave them open.

inetd protects against one thing: rapid attacks.  It does not offer any
protection against total amount of resources used (in the form of number
of connections).  I have never run into a situation where rate
protection is needed, and have only rarely heard of such situations.
However, resource starvation is common.

> The only thing it can't do is set environment variables based on
> source IP address (like tcpserver), but I don't allow relaying through
> that machine anyway so I don't need it.

-- 
Bruce Guenter, QCC Communications Corp.  EMail: [EMAIL PROTECTED]
Phone: (306)249-0220               WWW: http://www.qcc.sk.ca/~bguenter/

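The distinction drawn above, a per-minute rate cap versus a cap on simultaneous open connections, as an added simulation that is not part of the thread and is not inetd or tcpserver code. The two limiter classes and the attack model are constructed approximations: the rate limiter models inetd's "max connections per minute, then disable the service for ten minutes" behaviour, the concurrency limiter models a fixed ceiling on open connections; both ignore per-source limits and real socket handling.

```python
"""Constructed simulation: inetd-style rate cap vs. a concurrency cap.

Attack model: a remote client opens connections at a steady rate and
never closes them, so every accepted connection holds a file descriptor
(and a child process) open for the whole run.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class RateLimiter:
    """Approximation of inetd: at most max_per_minute accepts in any 60 s
    window; exceeding it disables the service for disable_secs."""
    max_per_minute: int
    disable_secs: float = 600.0
    accepted_times: List[float] = field(default_factory=list)
    disabled_until: float = 0.0
    open_conns: int = 0

    def try_accept(self, now: float) -> bool:
        if now < self.disabled_until:
            return False
        # keep only accepts that fall inside the trailing 60 s window
        self.accepted_times = [t for t in self.accepted_times if now - t < 60.0]
        if len(self.accepted_times) >= self.max_per_minute:
            self.disabled_until = now + self.disable_secs
            return False
        self.accepted_times.append(now)
        self.open_conns += 1  # nothing here ever bounds this number
        return True


@dataclass
class ConcurrencyLimiter:
    """Ceiling on simultaneously open connections; extra arrivals refused."""
    max_open: int
    open_conns: int = 0

    def try_accept(self, now: float) -> bool:
        if self.open_conns >= self.max_open:
            return False
        self.open_conns += 1
        return True


def simulate_hold_open_attack(limiter, conns_per_minute: int, minutes: int) -> dict:
    """Attacker opens conns_per_minute connections, evenly spaced, for
    `minutes` minutes and closes none. Returns accept/refuse counts and
    how many descriptors the server is left holding."""
    interval = 60.0 / conns_per_minute
    accepted = refused = 0
    for i in range(conns_per_minute * minutes):
        now = i * interval
        if limiter.try_accept(now):
            accepted += 1
        else:
            refused += 1
    return {"accepted": accepted, "refused": refused,
            "held_open": limiter.open_conns}


def slow_attack_vs_rate_limit() -> dict:
    # 1000/min for 5 minutes against a 10000/min cap: never trips the cap
    return simulate_hold_open_attack(RateLimiter(10000), 1000, 5)


def burst_attack_vs_rate_limit() -> dict:
    # 20000 in one minute: the cap does bite here (the "rapid attack" case)
    return simulate_hold_open_attack(RateLimiter(10000), 20000, 1)


def slow_attack_vs_concurrency_limit() -> dict:
    # same slow attack against a 40-connection ceiling
    return simulate_hold_open_attack(ConcurrencyLimiter(40), 1000, 5)


if __name__ == "__main__":
    print("slow attack, rate limit:       ", slow_attack_vs_rate_limit())
    print("burst attack, rate limit:      ", burst_attack_vs_rate_limit())
    print("slow attack, concurrency limit:", slow_attack_vs_concurrency_limit())
```

The slow attack never exceeds 1000 accepts in any minute, so the rate limiter accepts all 5000 and the server is left holding 5000 descriptors; the same attack against a 40-connection ceiling leaves it holding 40. The burst case is the one the rate limiter is built for, and there it refuses everything past the 10000th connection.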