proxy.conf: no_response_fail

Alexander Clouter alex at digriz.org.uk
Fri Apr 15 20:56:13 CEST 2011


Josip Almasi <joe at vrspace.org> wrote:
> 
> there is a scenario that might require "no_response_fail = yes".
> 
> First, network breaks; power outage, spanking trees, something other 
> but massive. Then clients start coming online, put some heavy load on 
> backend server. Retry, retry, and - clients DoS backend. In that case 
> I might want to send Access-Reject, to get some breathing space.
>
Easier and probably much more appropriate to use the OS's firewall to send 
back some ICMP related grumbling (TCP RST if you happen to be using TCP) 
to pretend the port is closed/unavailable.  ICMP in response to a UDP 
packet can get passed back to the application layer, rather than 
assuming a retry is required.
 
Of course it depends on the OS's firewall, but in the case of iptables 
you can start doing rather cunning things like hashbuckets, recent and 
what not.

Cheers

-- 
Alexander Clouter
.sigmonster says: Phone call for chucky-pooh.
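The iptables approach sketched above (hashlimit plus recent, answering excess RADIUS UDP with ICMP port-unreachable so clients stop retrying), written out as an added example; this is not part of the mail or of FreeRADIUS, and the chain name, port, rate thresholds and cool-down period are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the mail): shed RADIUS auth load at the firewall.
# Sources exceeding a per-/24 rate get ICMP port-unreachable instead of a
# silent drop, and are parked in a "recent" list so they keep getting the
# reject for a cool-down period before being re-evaluated.
# Assumptions: chain RADIUS_SHED, UDP/1812, 50 pkt/s burst 100, 30 s cool-down.

IPT="${IPT:-iptables}"            # set IPT=echo to dry-run the rules
RADIUS_PORT="${RADIUS_PORT:-1812}"
CHAIN="RADIUS_SHED"

# Emit one iptables argument list per line so the rules can be reviewed,
# diffed, or fed to radius_shed_apply.
radius_shed_rules() {
    cat <<EOF
-N $CHAIN
-A $CHAIN -m recent --name radius_noisy --rcheck --seconds 30 -j REJECT --reject-with icmp-port-unreachable
-A $CHAIN -m hashlimit --hashlimit-name radius_src --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above 50/sec --hashlimit-burst 100 -m recent --name radius_noisy --set -j REJECT --reject-with icmp-port-unreachable
-A $CHAIN -j ACCEPT
-I INPUT -p udp --dport $RADIUS_PORT -j $CHAIN
EOF
}

# Apply the rules in order; stop at the first failure (e.g. chain already
# exists, or not running as root). Returns non-zero on failure.
radius_shed_apply() {
    radius_shed_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        $IPT $rule || exit 1
    done
}
```

Rule order matters: the `--rcheck` rule runs first so a source already marked noisy is rejected without touching the hashlimit bucket, and `--set` on the hashlimit rule only fires when the rate is exceeded.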
More information about the Freeradius-Devel mailing list