Hanno Hecker wrote:
On Mon, 27 Nov 2006 08:43:43 -0700
Bryan Scott <[EMAIL PROTECTED]> wrote:

The first thought I had was if we could make the forkserver code
perform similarly. It wouldn't be able to block just based on the
SYN packets, but it could immediately close the connection (no
banner, no error message, very un-RFC like), freeing it up for
another host that much quicker. Not something a plugin can do.

That's what the hosts_allow plugin does. After accept()ing the incoming
connection, the pre-connection hook is run (while still in the main
server, before fork()ing). The hosts_allow plugin searches in its
config file for the IP of the incoming connection and returns
DENY (or one of its variants) or DECLINED. If a connection is denied
(soft or hard) the connection ends and no forking is done.

Ok.  My fault for not knowing about the pre-connection hook.
I tweaked dnsbl to run at pre-connection time and it's working great. I only use it on the "extremely trusted" blacklists, and have set up a dnsbl-soft and a dnsbl-tagonly that handle the less perfect blacklists.


Yay!  Thanks all for your help, and pardon me for any perceived ignorance.

-- Bryan
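As an added example (not code from the thread or from qpsmtpd itself), here is a standalone Python model of the tiered pre-connection DNSBL policy Bryan describes: trusted lists reject before fork(), less trusted lists return a temporary failure, and tag-only lists never block. The zone names, the listings and the stub resolver are constructed so it runs offline.

```python
# Added example: a standalone model of the tiered pre-connection DNSBL
# policy described in the thread. Not qpsmtpd code; the resolver is
# stubbed with constructed data so it runs offline. Zone names and
# listings are constructed placeholders, addresses are RFC 5737 TEST-NET.
import ipaddress
from typing import Callable, Optional

# Decision values mirroring the plugin return codes named in the thread.
DENY, DENYSOFT, DECLINED = "DENY", "DENYSOFT", "DECLINED"

# Constructed policy: zone -> action tier, checked in this order.
POLICY = {
    "hard.dnsbl.example": DENY,      # "extremely trusted" list: reject, no fork
    "soft.dnsbl.example": DENYSOFT,  # less perfect list: temporary failure
    "tag.dnsbl.example": DECLINED,   # tag-only list: annotate, never block
}

# Constructed listings standing in for real A-record answers.
CONSTRUCTED_LISTINGS = {
    "1.2.0.192.hard.dnsbl.example": "127.0.0.2",
    "2.2.0.192.soft.dnsbl.example": "127.0.0.2",
    "3.2.0.192.tag.dnsbl.example": "127.0.0.2",
}


def stub_resolver(name: str) -> Optional[str]:
    """Stand-in for an A lookup; None plays the role of NXDOMAIN."""
    return CONSTRUCTED_LISTINGS.get(name)


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name: 192.0.2.1 -> 1.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def pre_connection(remote_ip: str,
                   resolve: Callable[[str], Optional[str]] = stub_resolver):
    """Decide before fork(). Returns (code, reason): DENY/DENYSOFT end the
    connection right away; DECLINED lets it proceed, carrying any tags."""
    tags = []
    for zone, action in POLICY.items():
        if resolve(dnsbl_name(remote_ip, zone)) is None:
            continue  # not listed in this zone
        reason = f"{remote_ip} listed in {zone}"
        if action in (DENY, DENYSOFT):
            return action, reason  # first blocking hit wins; no child is forked
        tags.append(reason)  # tag-only: remember it, keep checking other zones
    return DECLINED, "; ".join(tags)
```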
