alex at digriz.org.uk
Fri Apr 15 20:56:13 CEST 2011
Josip Almasi <joe at vrspace.org> wrote:
> there is a scenario that might require "no_response_fail = yes".
> First, network breaks; power outage, spanking trees, something other
> but massive. Then clients start comming online, put some heavy load on
> backend server. Retry, retry, and - clients DoS backend. In that case
> I might want to send Access-Reject, to get some breathing space.
Easier and probably much more apprioate to use the OS's firewall to send
backsome ICMP related grumbling (TCP RST if you happen to be using TCP)
to pretend the port is closed/unavailable. ICMP in response to a UDP
packet can get passed back to the application layer, rather than
assuming a retry is required.
Of course it depends on the OS's firewall, but in the case of iptables
you can start doing rather cunning things like hashbuckets, recent and
.sigmonster says: Phone call for chucky-pooh.
More information about the Freeradius-Devel