Limiting Connections from a single IP

I'm looking for a way to limit connections to a Solaris 10 box from any single IP.

The problem is that I've had more experience doing this with IPTables on Linux, rather than with IPFilter, which I've found to be somewhat feature-poor.

I hope there is some way to do this using IPFilter. I've seen that the DCA feature on HP-UX IPFilter does something similar, but I have not been able to find anything for Solaris.

Any ideas anyone?

Can you clarify more?

I would go for a little Linux box in between with iptables to do the job of a robust firewall rather than enabling the firewall on Solaris, as that might blow up other things. :smiley:

Ok, so this is a Solaris box running Squid, and it is being hogged by one client IP which opens many connections with the normal SYN, SYN/ACK, ACK handshake but then does not request any further data. When the Solaris box tries to close the connection with a FIN, the client ACKs the FIN but does not send a FIN of its own, and the connection gets stuck in FIN_WAIT1 state.

This will use up all available TCP connections to this Solaris box, so we need to limit the number of concurrent connections from a single client IP to get around this. It's not a SYN flood DoS but the end result is still a DoS scenario.

Due to the architecture, adding an inline Linux box as a firewall is not an option; it was also the first thing I suggested, but it won't fly.

So, any other ideas?
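A defender-side check for the situation described above, added here as an example and not part of the thread: it reads Solaris `netstat -an -f inet -P tcp` output, counts the non-TIME_WAIT connections per remote IP on the Squid port, and reports any client over a threshold so the hog can be spotted before the connection table fills. The netstat sample, the port 3128 and the limit of 3 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of Solaris 10 'netstat -an -f inet -P tcp' output (not from the thread).
# Columns: Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State.
SAMPLE_NETSTAT='   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
10.0.0.5.3128        192.168.1.50.40001   49640      0 49640      0 FIN_WAIT_1
10.0.0.5.3128        192.168.1.50.40002   49640      0 49640      0 FIN_WAIT_1
10.0.0.5.3128        192.168.1.50.40003   49640      0 49640      0 FIN_WAIT_2
10.0.0.5.3128        192.168.1.50.40004   49640      0 49640      0 ESTABLISHED
10.0.0.5.3128        192.168.1.60.51000   49640      0 49640      0 ESTABLISHED
10.0.0.5.3128        192.168.1.60.51001   49640      0 49640      0 TIME_WAIT
10.0.0.5.22          192.168.1.70.60000   49640      0 49640      0 ESTABLISHED'

# Count connections per remote IP on local port $1, ignoring TIME_WAIT (which holds
# no socket resources worth counting here). Reads netstat output on stdin and prints
# "<count> <ip>" sorted descending. Needs an awk that supports -v: on Solaris 10 use
# nawk or /usr/xpg4/bin/awk rather than /usr/bin/awk.
count_per_ip() {
    port="$1"
    awk -v port="$port" '
        # Data lines have 7 fields and start with a digit; headers do not.
        NF == 7 && $1 ~ /^[0-9]/ && $7 != "TIME_WAIT" {
            lport = $1; sub(/.*\./, "", lport)      # keep only the local port
            if (lport != port) next
            rip = $2; sub(/\.[0-9]+$/, "", rip)     # drop the remote port, keep the IP
            n[rip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print remote IPs holding more than $2 connections to local port $1.
# Exits 0 when at least one offender was found, 1 otherwise.
over_limit() {
    port="$1"; limit="$2"
    count_per_ip "$port" | awk -v limit="$limit" '$1 > limit { print $2; found = 1 } END { exit !found }'
}

# Stand-alone demo on the constructed sample: flags 192.168.1.50 (4 connections).
printf '%s\n' "$SAMPLE_NETSTAT" | over_limit 3128 3 && echo "per-IP connection limit exceeded"
```

On a live box, replace the sample with `netstat -an -f inet -P tcp | over_limit 3128 <limit>` and run it from cron to alert before the connection table is exhausted.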