Re: Firewall rules that discriminate by connection duration
From: Pawel Malachowski (pawmal-posting_at_freebsd.lublin.pl)
Date: Thu, 11 Nov 2004 13:19:11 +0100
To: Brett Glass <email@example.com>
On Tue, Nov 09, 2004 at 08:10:30PM -0700, Brett Glass wrote:
> I'm interested in crafting firewall rules that throttle connections
> that have lasted more than a certain amount of time. (Most such
> connections are P2P traffic, which should be given a lower priority
> than other connections and may constitute network abuse.) Alas, it
> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> connection has been established. Is there another firewall for
> FreeBSD that can?
The problem with P2P is not that connections last a long time, but that there
are plenty of them.
You may consider using the patch I posted on freebsd-ipfw@ a few days ago to
lower the weight of flows using dummynet if the number of connections is greater
than N per host, for example.
--
Paweł Małachowski
_______________________________________________
firstname.lastname@example.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "email@example.com"
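The idea in the reply, lowering the dummynet weight of every flow belonging to a host that holds more than N concurrent connections, worked through as an added example. This is illustration code written for this page, not Pawel's ipfw patch and not FreeBSD code; the flow records are constructed, `NORMAL_WEIGHT` and `LOW_WEIGHT` are assumed values, and `bandwidth_share` models weight-proportional scheduling (the way a dummynet WF2Q+ pipe divides a saturated link between its queues) rather than any real kernel output.

```python
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction

NORMAL_WEIGHT = 100  # assumed value: weight for flows of a host within the limit
LOW_WEIGHT = 10      # assumed value: weight for flows of a host over the limit


@dataclass(frozen=True)
class Flow:
    """One established connection as a stateful firewall would track it."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


# Constructed sample: 10.0.0.5 holds four connections (P2P-like), 10.0.0.7 holds one.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 50001, 6881),
    Flow("10.0.0.5", "203.0.113.11", 50002, 6881),
    Flow("10.0.0.5", "203.0.113.12", 50003, 6881),
    Flow("10.0.0.5", "203.0.113.13", 50004, 6881),
    Flow("10.0.0.7", "198.51.100.20", 40001, 443),
]


def count_flows_per_host(flows):
    """Concurrent flows per source host: the quantity the reply says matters for P2P."""
    return Counter(f.src for f in flows)


def hosts_over_limit(flows, max_per_host):
    """Source hosts holding more than max_per_host concurrent flows."""
    return {host for host, n in count_flows_per_host(flows).items() if n > max_per_host}


def assign_weights(flows, max_per_host, normal=NORMAL_WEIGHT, low=LOW_WEIGHT):
    """Give every flow of an over-limit host the low weight; all other flows keep normal."""
    over = hosts_over_limit(flows, max_per_host)
    return {f: (low if f.src in over else normal) for f in flows}


def bandwidth_share(weights):
    """Per-host share of a saturated link when capacity is divided in proportion
    to flow weight. Returns exact Fractions keyed by source host, so the effect
    of many small flows versus one normal flow is visible without rounding."""
    total = sum(weights.values())
    per_host = Counter()
    for flow, weight in weights.items():
        per_host[flow.src] += weight
    return {host: Fraction(weight, total) for host, weight in per_host.items()}


if __name__ == "__main__":
    # With equal weights the host with four flows takes 4/5 of the link;
    # with the over-limit rule (N = 3) its share drops to 2/7.
    for label, weights in (("equal weights", assign_weights(SAMPLE_FLOWS, 99)),
                           ("limit N=3", assign_weights(SAMPLE_FLOWS, 3))):
        print(label, {h: str(s) for h, s in bandwidth_share(weights).items()})
```

The point the numbers make is the one in the reply: per-flow fairness alone is not enough, because a host that opens many flows wins a proportional share of the link for each of them. Counting flows per source host and demoting the whole host once it exceeds N restores a per-host share without needing to know how long any single connection has lasted.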