06-23-2014
Got it... But unless I'm missing something, once an IP is on your firewall's block list any packets received will be ignored. So the only "SYN_SENT" connections will be the ones set up before the firewall rule was added. Are those sticking around long enough to cause a problem? Since it's a fixed number, can't you just leave them to time out on their own?
Maybe there are PF rules (I'm not familiar with that package) that would implement the maximum-connections-per-IP logic you want. Meaning, can you add a broad rule that won't allow any untrusted IP to have more than 70 connections at once?
Then you wouldn't need to kill the ones that do manage to get through before the firewall kicks in.
Also, does PF have a way to show the current list of blocked IPs? If so, then if you do need to kill processes that managed to get set up, you could run that PF command to generate a list of bad IPs, then use something like "lsof" to find all the open sockets connected to those IPs and kill those processes. I think it might be simpler than figuring out which IPs to target by counting the number of connections each one has.
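The lookup the reply above describes (blocked addresses from PF, socket owners from lsof, then kill), written out as an added example; this is not code from the thread or from PF. It assumes the blocked addresses live in a PF table, hypothetically named badhosts and listed with `pfctl -t badhosts -T show`, and it parses the NAME column of `lsof -n -P -i`; the lsof lines and addresses embedded below are constructed sample data. On the per-IP limit the reply asks about: pf.conf state options of the form `keep state (max-src-conn 70, overload <badhosts> flush)` cap connections per source address and add offenders to a table automatically, which is the "broad rule" being asked for.

```shell
#!/bin/sh
# Added example, not code from the thread. Maps addresses in a PF block table
# to the local processes holding sockets to them, the way the reply suggests.
# Assumptions: the blocked addresses live in a PF table (hypothetically named
# "badhosts", listed with `pfctl -t badhosts -T show`) and socket owners come
# from `lsof -n -P -i`. The *_SAMPLE variables are constructed sample data.

# pids_for_blocked BLOCKED LSOF_OUTPUT [STATE]
# Prints the PIDs (unique, one per line) owning a socket whose remote peer is a
# blocked address; with STATE (e.g. SYN_SENT) only sockets in that state count.
# Matching is exact on the address: CIDR entries in the table are not expanded.
pids_for_blocked() {
    printf '%s\n' "$2" | awk -v blocked="$(printf '%s\n' "$1" | tr '\n' ' ')" -v want="${3:-}" '
        BEGIN {
            n = split(blocked, list, /[ \t]+/)
            for (i = 1; i <= n; i++) if (list[i] != "") bad[list[i]] = 1
        }
        $1 == "COMMAND" { next }                          # lsof header line
        want != "" && $NF != ("(" want ")") { next }      # optional state filter
        {
            # NAME is the last field, or the one before a trailing "(STATE)".
            conn = ($NF ~ /^\(/) ? $(NF - 1) : $NF
            pos = index(conn, "->")
            if (pos == 0) next                            # listening/unconnected: no peer
            peer = substr(conn, pos + 2)
            sub(/:[0-9]+$/, "", peer)                     # drop the port
            if (substr(peer, 1, 1) == "[")                # drop IPv6 brackets
                peer = substr(peer, 2, length(peer) - 2)
            if (peer in bad && !seen[$2]++) print $2
        }' | sort -n
}

# kill_blocked TABLE [SIGNAL]
# Live version: read the PF table and lsof, then signal each owning process.
# TERM is the kill(1) default; use KILL only for processes that ignore TERM.
# Killing a process closes all of its sockets, not just the one to the blocked peer.
kill_blocked() {
    table=$1
    sig=${2:-TERM}
    pids_for_blocked "$(pfctl -t "$table" -T show)" "$(lsof -n -P -i)" |
    while read -r pid; do
        kill -"$sig" "$pid"
    done
}

# Constructed sample of `lsof -n -P -i` output: for connected TCP sockets the
# NAME column reads "local->remote (STATE)".
LSOF_SAMPLE='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1201   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
httpd    2310    www    6u  IPv4  23456      0t0  TCP 10.0.0.5:80->198.51.100.7:51234 (ESTABLISHED)
httpd    2311    www    6u  IPv4  23457      0t0  TCP 10.0.0.5:80->203.0.113.9:40011 (ESTABLISHED)
relay    2500 daemon    4u  IPv4  34567      0t0  TCP 10.0.0.5:49152->198.51.100.7:25 (SYN_SENT)
relay    2500 daemon    5u  IPv6  34568      0t0  TCP [2001:db8::5]:49153->[2001:db8::bad]:25 (SYN_SENT)
ntpd     1400    ntp    8u  IPv4  45678      0t0  UDP *:123'

# Constructed sample of `pfctl -t badhosts -T show` output (one address per
# line, indented the way pfctl prints them).
BLOCKED_SAMPLE='   198.51.100.7
   2001:db8::bad'

# With "--run TABLE [SIGNAL]" act on the live system; otherwise show the sample.
if [ "${1:-}" = "--run" ]; then
    kill_blocked "${2:-badhosts}" "${3:-TERM}"
else
    pids_for_blocked "$BLOCKED_SAMPLE" "$LSOF_SAMPLE"             # 2310 and 2500
    pids_for_blocked "$BLOCKED_SAMPLE" "$LSOF_SAMPLE" SYN_SENT    # 2500 only
fi
```

Note what the sample shows: PID 2500 appears twice in lsof (an IPv4 and an IPv6 socket) but is listed once, and PID 2310 is an httpd worker that also serves other clients, so killing it drops those too; if the only goal is to get rid of half-open connections, restricting to SYN_SENT with the third argument is the narrower action.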
kill(1) General Commands Manual kill(1)
Name
kill - send a signal to a process
Syntax
kill [-sig] processid...
kill -l
Description
The kill command sends the TERM (terminate, 15) signal to the specified processes. If a signal name or number preceded by `-' is given as the first
argument, that signal is sent instead of terminate. For further information, see sigvec(2).
The terminate signal kills processes that do not catch the signal; `kill -9 ...' is a sure kill, as the KILL (9) signal cannot be caught or ignored.
By convention, if process number 0 is specified, all members of the process group (that is, processes resulting from the current login) are
signaled. This works only if you use sh(1) and not if you use csh(1). To kill a process it must either belong to you or you must be the superuser.
The process number of an asynchronous process started with `&' is reported by the shell. Process numbers can also be found by using ps(1). The kill
command is also built into csh(1), which allows job specifiers ``%...'' so process IDs are not as often used as arguments. See csh(1) for details.
Options
-l Lists the signal names, as given in /usr/include/signal.h, stripped of the common SIG prefix.
See Also
csh(1), ps(1), kill(2), sigvec(2)
kill(1)
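The TERM-versus-KILL distinction the manual page makes, as an added example rather than text from the page: a small POSIX-shell stop_process that sends TERM, gives the process a grace period, and escalates to KILL only if it is still running. The wait status the shell reports afterwards (143 = died from TERM, 137 = died from KILL) shows which signal actually ended the process. The function names, the looping child processes and the two-second grace period are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the kill(1) manual page: TERM first, KILL only
# if TERM did not work, demonstrated on children of this shell.

# spawn_child IGNORE_TERM: start a looping child; with IGNORE_TERM=1 it ignores
# TERM, which a plain `kill` therefore cannot stop. Sets CHILD_PID. Not done in a
# command substitution: the child must remain a child of this shell so that
# wait can reap it and report how it died.
spawn_child() {
    if [ "$1" = 1 ]; then
        sh -c 'trap "" TERM; while :; do sleep 1; done' &
    else
        sh -c 'while :; do sleep 1; done' &
    fi
    CHILD_PID=$!
    sleep 1      # give the child time to install its trap before we signal it
}

# stop_process PID [GRACE]: send TERM, and KILL after GRACE seconds unless the
# process has exited. Returns the wait status: 143 (128+15) when TERM ended it,
# 137 (128+9) when KILL was needed. Only valid for children of this shell.
# Caveat: the timer identifies the target by PID alone; production code should
# also check process identity (e.g. start time) to avoid a PID-reuse race.
stop_process() {
    pid=$1
    grace=${2:-2}
    kill -TERM "$pid" 2>/dev/null || return 1
    # Escalation timer: fires KILL if the process is still around after GRACE.
    ( sleep "$grace"; kill -KILL "$pid" 2>/dev/null ) &
    timer=$!
    status=0
    wait "$pid" || status=$?
    kill "$timer" 2>/dev/null || :    # cancel the timer if TERM was enough
    wait "$timer" 2>/dev/null || :    # reap the timer subshell
    return "$status"
}

demo() {
    spawn_child 0
    st=0; stop_process "$CHILD_PID" 2 || st=$?
    echo "well-behaved child: wait status $st (143 = terminated by TERM)"
    spawn_child 1
    st=0; stop_process "$CHILD_PID" 2 || st=$?
    echo "TERM-ignoring child: wait status $st (137 = needed KILL)"
}

demo
```

Escalating rather than reaching for `kill -9` first matters because a process that does catch TERM is usually using the chance to flush buffers, release lock files or close connections cleanly, which KILL prevents; the status check is what tells you whether the grace period was long enough.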