httpd-users mailing list archives

From Jim Albert <...@netrition.com>
Subject Re: [users@httpd] ESTABLISHED connections
Date Fri, 13 Mar 2015 23:36:21 GMT
On 3/13/2015 7:17 PM, el kalin wrote:
>
> if i have this in the
>
> <Directory "/server/doc/root">
>
>          Order allow,deny
>          Allow from all
>          deny from 111.10.250.188
> </Directory>
>
> how come this:
>
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21806
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21805
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23202
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23188
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22544
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22490
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23364
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23365
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22825
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22751
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22561
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22340
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22339
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23151
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23159
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22698
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22512
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22457
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22416
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22403
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23377
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23376
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23105
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23108
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22803
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22135
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.dcap
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21924
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21923
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23329
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23319
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22546
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22545
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22139
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21694
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21658
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23075
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23074
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23026
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23025
> ESTABLISHED
> tcp        0      0  ip-10-102-190-93.http  111.10.250.188.inovapo
> ESTABLISHED
>
>
> this is growing with every netstat i do.  any ideas???
>
> thanks…

I believe your Order allow, deny is correct.
You are controlling what can be served by Apache, but not the actual 
network connection to your Apache server, hence the continued entries in 
your connection table. I would assume your Apache error log is spewing 
lots of access denied or such errors indicating your deny is working.

If you really want to keep a given IP address completely out of 
Apache, block it in iptables or better yet the firewall behind which 
your Apache server sits, but iptables will do it.

-- 
Jim Albert
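
An added example (not part of the original mail, nor Apache's own tooling) of the network-level approach the reply describes: it counts ESTABLISHED connections per remote address in netstat output of the shape quoted above, including the mail-wrapped state lines and service-name ports such as `dcap`, and prints an iptables DROP command for review rather than running it. The threshold, the `INPUT` chain, port 80, IPv4-only parsing and the `198.51.100.7` line are assumptions made for the illustration.

```shell
#!/bin/sh
# Sample input in the mail's format: the state is wrapped onto its own line.
# The 198.51.100.7 and TIME_WAIT entries are constructed for contrast.
sample_netstat() {
cat <<'EOF'
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.21806
ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.dcap
ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.23202
ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  198.51.100.7.40112
ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.22544
TIME_WAIT
EOF
}

# count_established: netstat text on stdin -> "count ip" lines, busiest first.
count_established() {
  awk '
    $1 ~ /^tcp/ { remote = $5; state = $6
                  if (state == "") { pending = remote; next } }  # state wrapped
    $1 !~ /^tcp/ { state = $1; remote = pending; pending = "" }  # wrapped state line
    state == "ESTABLISHED" && remote != "" {
      sub(/\.[^.]*$/, "", remote)   # strip the ".port" or ".service" suffix
      n[remote]++
    }
    { remote = ""; state = "" }
    END { for (ip in n) print n[ip], ip }
  ' | sort -rn
}

# drop_rules THRESHOLD: print (do not execute) a DROP rule for each address
# holding at least THRESHOLD established connections to port 80.
drop_rules() {
  count_established | awk -v t="$1" '$1 >= t {
    printf "iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n", $2 }'
}

sample_netstat | drop_rules 3
```

On a live host, pipe `netstat -an` into `drop_rules` instead of the sample; connections already established before the rule is inserted stay in the table until they time out or are reset.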

