From Nerius Landys <>
Subject Re: [users@httpd] Re: Preventing DoS attacks from single client host
Date Tue, 06 Apr 2010 17:26:40 GMT
> You using iptables?  What rules did you end up using to accomplish this?

Using OpenBSD's Packet Filter.  It's not perfect; I have to set the
connection limit quite high (at 36) because the connection state stays
in the firewall for about a minute even during the FIN_WAIT_2 stage.
Here are my rules from pf.conf:

set optimization aggressive
ext_if = "em0"
# This will allow Slowloris attack from localhost, but that's OK.
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
  synproxy state (source-track rule, max-src-conn 36, if-bound)
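For comparison with the rule above, here is an added pf.conf fragment (not from the original message) that builds on the same source-tracking approach: it keeps the per-source connection cap, adds a connection-rate limit, moves offenders into a table that is blocked, and shortens the FIN_WAIT_2 timeout that inflates the state count. The table name <abusers>, the 15/5 rate, and the timeout values are assumptions for illustration, not values from the post.

```pf
ext_if = "em0"

# Shorter finwait means half-closed connections leave the state table sooner,
# so a lower max-src-conn becomes practical (defaults: finwait 45, closing 900).
set optimization aggressive
set timeout { tcp.finwait 15, tcp.closing 60 }

# Sources that exceed the limits are added here and blocked outright.
table <abusers> persist
block in quick on $ext_if from <abusers>

# Per-source cap on concurrent connections (as in the original rule), plus a
# rate limit of 15 new connections per 5 seconds; offenders go into <abusers>
# and all their existing states are flushed.
pass in on $ext_if proto tcp from any to any port = http flags S/SA \
  synproxy state (source-track rule, max-src-conn 36, \
  max-src-conn-rate 15/5, overload <abusers> flush global, if-bound)
```

Inspect the tracked sources with `pfctl -s Sources` and the blocked table with `pfctl -t abusers -T show`; entries can be removed with `pfctl -t abusers -T delete <address>` once the client has been cleared.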
