Re: Firewall rules that discriminate by connection duration

From: Peter Jeremy (PeterJeremy_at_optushome.com.au)
Date: 11/10/04

    Date: Thu, 11 Nov 2004 05:36:06 +1100
    To: Vlad GALU <vladgalu@gmail.com>

    On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
    > On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass <brett@lariat.org> wrote:
    >> I'm interested in crafting firewall rules that throttle connections
    >> that have lasted more than a certain amount of time. (Most such
    >> connections are P2P traffic, which should be given a lower priority
    >> than other connections and may constitute network abuse.) Alas, it
    >> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
    >> connection has been established. Is there another firewall for
    >> FreeBSD that can?
    >
    > All firewalls in FreeBSD can, actually. It's part of the stateful
    > inspection feature. The only thing they lack is a match parameter
    > based on the timer.

    That's a bit of a stretch. Stateful inspection associates a single
    timeout with each connection. The timeout is reset when a valid
    packet is seen on that connection and the connection blocked if the
    timeout expires.

    Brett needs a timeout that is initialised when the connection is set up
    and not reset. When it expires, you need to perform some different
    action rather than just block the connection. You might be able to
    reuse some of the existing stateful inspection code but I don't
    believe it's a trivial change.

    -- 
    Peter Jeremy
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
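As an added illustration (not code from the thread or from any FreeBSD firewall), here is a toy Python state table that contrasts the two timers Peter describes: the idle timeout that stateful inspection already keeps, reset by every valid packet, and the connection-age timer that is set once at setup and never reset. The timeout values, flow names and packet timelines are assumptions.

```python
# Added example, not from the mailing-list thread: a toy connection-state table
# contrasting the idle timeout of stateful inspection (reset on every valid
# packet, packet blocked when it has expired) with a connection-age timer that
# is fixed at setup and triggers a throttle instead of a block. The timeout
# values, flow keys and timelines below are constructed assumptions.
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0   # seconds of silence before state is dropped (existing behaviour)
MAX_AGE = 120.0       # seconds since setup before the flow is throttled (desired behaviour)


@dataclass
class Flow:
    created: float     # set once at connection setup, never changed
    last_seen: float   # refreshed by every valid packet (the idle timer)


class StateTable:
    def __init__(self):
        self.flows = {}

    def packet(self, key, now):
        """Return the action for a packet on flow `key` arriving at time `now`."""
        flow = self.flows.get(key)
        if flow is None:
            self.flows[key] = Flow(created=now, last_seen=now)
            return "allow"
        if now - flow.last_seen > IDLE_TIMEOUT:
            # Idle timer expired: the state entry is dropped and the packet blocked.
            del self.flows[key]
            return "block"
        flow.last_seen = now              # a valid packet resets the idle timer...
        if now - flow.created > MAX_AGE:  # ...but never the connection-age timer
            return "throttle"
        return "allow"


def run(timeline):
    """Feed (key, time) packets through one table; return the action per packet."""
    table = StateTable()
    return [table.packet(key, t) for key, t in timeline]


if __name__ == "__main__":
    # Constructed timelines: a chatty P2P flow (one packet every 20 s for 200 s)
    # that never idles out but ages past MAX_AGE, and an interactive flow that
    # goes quiet for 40 s and so loses its state.
    p2p = [("p2p", t) for t in range(0, 201, 20)]
    print(run(p2p))      # 7 x 'allow' (age <= 120 s), then 4 x 'throttle'
    quiet = [("ssh", 0), ("ssh", 10), ("ssh", 50)]
    print(run(quiet))    # ['allow', 'allow', 'block']
```

The P2P flow is never blocked by the idle timer because it keeps sending, which is exactly why an idle timeout alone cannot express the rule Brett wants.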
    
