Refusing connection from a host


Problem description

I'm writing a simple tcp server application using sockets. As far as I know I can obtain the client's ip address and port after calling accept().

Now let's assume I have a banlist and I want to ban some ip addresses from my server. Is there a better way than accepting the connection and then dropping it?

Is there a way to get the client's ip and port before accepting the connection? If we have accept() why don't we have something like refuse()? Is there a way to refuse the connection or simply ignore connection attempt from a host?

Recommended answer

The TCP implementation normally completes the TCP 3-way handshake before the user process even has access to the connection, and the accept() function merely gets the next connection off the queue. So it is too late to pretend that the server is down. This works the same way for regular TCP data; the TCP implementation does not wait for the application to actually recv() the data before a TCP ACK is sent. This keeps the other side from needlessly retransmitting packets that were received correctly, and allows the throughput to remain high, even when the application is bogged down with other things. In the case of new connections (SYN packets), this also allows the kernel to protect itself (and the application) from SYN flood attacks.

Although not portable, many platforms provide some sort of firewall capability that will allow filtering incoming connections based on IP address/port. However that is usually configured system-wide and not by an individual application.
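The following C program is an added example (not code from the original question or answer) that demonstrates both points of the answer on a loopback socket: the client's `connect()` returns successfully before the server has called `accept()` at all, because the kernel completes the three-way handshake and queues the connection on its own; and the only application-level option is therefore to `accept()`, read the peer address, and `close()` immediately when the peer is on the banlist. The banlist entries and the helper names (`is_banned`, `handle_new_connection`, `demo_handshake_before_accept`) are constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed banlist for the demo (documentation-range addresses). */
static const char *BANLIST[] = { "203.0.113.7", "198.51.100.2" };

/* Return 1 if the peer's IPv4 address is on the banlist, else 0. */
int is_banned(const struct sockaddr_in *peer) {
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &peer->sin_addr, ip, sizeof ip)) return 0;
    for (size_t i = 0; i < sizeof BANLIST / sizeof BANLIST[0]; i++)
        if (strcmp(ip, BANLIST[i]) == 0) return 1;
    return 0;
}

/* Convenience wrapper: build a sockaddr_in from a dotted-quad string and check it. */
int banned_check(const char *ip) {
    struct sockaddr_in p;
    memset(&p, 0, sizeof p);
    p.sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &p.sin_addr) != 1) return 0;
    return is_banned(&p);
}

/* accept() the next queued connection; if the peer is banned, close it at once.
 * Returns 1 = kept, 0 = rejected (closed), -1 = accept() failed.
 * The handshake has already completed by the time accept() returns, so the
 * client sees an established-then-closed connection, not a refused one. */
int handle_new_connection(int listen_fd) {
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int conn = accept(listen_fd, (struct sockaddr *)&peer, &plen);
    if (conn < 0) return -1;
    if (is_banned(&peer)) { close(conn); return 0; }
    close(conn); /* the demo does not use the connection further */
    return 1;
}

/* Show that connect() succeeds before the server calls accept().
 * Returns 1 if the behaviour described in the answer was observed, else 0. */
int demo_handshake_before_accept(void) {
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0) return 0;
    int one = 1;
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0; /* let the kernel pick an ephemeral port */
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(srv, 8) < 0) {
        close(srv);
        return 0;
    }
    socklen_t len = sizeof addr;
    getsockname(srv, (struct sockaddr *)&addr, &len); /* learn the chosen port */

    /* Client side: a blocking connect() returns 0 once the 3-way handshake is
       done. No accept() has been called on the server yet. */
    int cli = socket(AF_INET, SOCK_STREAM, 0);
    if (cli < 0) { close(srv); return 0; }
    int handshake_done_before_accept = (connect(cli, (struct sockaddr *)&addr, sizeof addr) == 0);

    /* Server side: dequeue the already-established connection and apply the
       banlist. 127.0.0.1 is not on the constructed banlist, so it is kept. */
    int kept = handle_new_connection(srv);

    close(cli);
    close(srv);
    return handshake_done_before_accept && kept == 1;
}

int main(void) {
    printf("203.0.113.7 banned: %d\n", banned_check("203.0.113.7"));
    printf("10.0.0.1 banned:    %d\n", banned_check("10.0.0.1"));
    printf("handshake completed before accept(): %d\n", demo_handshake_before_accept());
    return 0;
}
```

Because the kernel has already answered the SYN, a banned client sees the connection open and then close; the "refused" behaviour the question asks about (a RST to the SYN, or no answer at all) can only come from a firewall rule applied before the packet reaches the listening socket, which is why the answer points to system-wide filtering.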
