Re: Firewall rules that discriminate by connection duration
From: Pawel Malachowski (pawmal-posting_at_freebsd.lublin.pl)
Date: 11/11/04
- Previous message: Peter C. Lai: "Re: Is there any way to know if userland is patched?"
- In reply to: Brett Glass: "Firewall rules that discriminate by connection duration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Nov 2004 13:19:11 +0100 To: Brett Glass <brett@lariat.org>
On Tue, Nov 09, 2004 at 08:10:30PM -0700, Brett Glass wrote:
> I'm interested in crafting firewall rules that throttle connections
> that have lasted more than a certain amount of time. (Most such
> connections are P2P traffic, which should be given a lower priority
> than other connections and may constitute network abuse.) Alas, it
> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> connection has been established. Is there another firewall for
> FreeBSD that can?
Problem with P2P is not that connections take long time, but that there
are plenty of them.
You may consider using patch I posted on freebsd-ipfw@ few days ago to
lower weight of flows using dummynet, if number of connections is greater
than N per host, for example.
-- Paweł Małachowski _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Peter C. Lai: "Re: Is there any way to know if userland is patched?"
- In reply to: Brett Glass: "Firewall rules that discriminate by connection duration"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
