Re: Firewall rules that discriminate by connection duration

From: Pawel Malachowski (pawmal-posting_at_freebsd.lublin.pl)
Date: 11/11/04

    Date: Thu, 11 Nov 2004 13:19:11 +0100
    To: Brett Glass <brett@lariat.org>
    
    

    On Tue, Nov 09, 2004 at 08:10:30PM -0700, Brett Glass wrote:

    > I'm interested in crafting firewall rules that throttle connections
    > that have lasted more than a certain amount of time. (Most such
    > connections are P2P traffic, which should be given a lower priority
    > than other connections and may constitute network abuse.) Alas, it
    > doesn't appear that FreeBSD's IPFW can keep tabs on how long a
    > connection has been established. Is there another firewall for
    > FreeBSD that can?

    The problem with P2P is not that connections take a long time, but that there
    are plenty of them.
    You may consider using the patch I posted on freebsd-ipfw@ a few days ago to
    lower the weight of flows using dummynet if the number of connections is greater
    than N per host, for example.

    -- 
    Paweł Małachowski
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
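An added illustration of the per-host approach Paweł describes (this is not his patch and not code from the list): a small Python script that counts flows per LAN host from constructed flow-state lines and emits the ipfw/dummynet commands that move any host with more than N flows into a low-weight WF2Q+ queue. The line format, the `10.0.0.` LAN prefix and the queue numbers are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample flow table, one flow per line, in the assumed form
# "<proto> <src-ip> <src-port> <-> <dst-ip> <dst-port>". Real `ipfw -d list`
# output carries extra columns and varies by FreeBSD version.
SAMPLE_FLOWS = """\
tcp 10.0.0.5 51234 <-> 192.0.2.10 80
tcp 10.0.0.5 51235 <-> 192.0.2.11 6881
tcp 10.0.0.5 51236 <-> 192.0.2.12 6881
tcp 10.0.0.5 51237 <-> 192.0.2.13 6881
udp 10.0.0.5 6881 <-> 192.0.2.14 6881
tcp 10.0.0.7 40001 <-> 192.0.2.20 443
"""

FLOW_RE = re.compile(
    r"^(tcp|udp)\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+<->\s+(\d+\.\d+\.\d+\.\d+)\s+\d+"
)


def count_flows_per_host(text, lan_prefix="10.0.0."):
    """Return {lan_host: flow_count}; lines that do not parse are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        src, dst = m.group(2), m.group(3)
        # Attribute the flow to whichever end sits inside the LAN prefix.
        host = src if src.startswith(lan_prefix) else (
            dst if dst.startswith(lan_prefix) else None)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def heavy_hosts(counts, n):
    """Hosts whose flow count exceeds N (the threshold from the mail)."""
    return sorted(h for h, c in counts.items() if c > n)


def dummynet_rules(hosts, pipe=1, queue=1, weight=5, base_rule=1000):
    """Build ipfw commands: a pipe, a low-weight queue on it, and one rule
    per heavy host steering its outbound traffic into that queue."""
    cmds = [f"ipfw pipe {pipe} config bw 1Mbit/s",
            f"ipfw queue {queue} config pipe {pipe} weight {weight}"]
    for i, h in enumerate(hosts):
        cmds.append(f"ipfw add {base_rule + i} queue {queue} ip from {h} to any out")
    return cmds
```

Hosts below the threshold are left untouched, so ordinary interactive traffic keeps the default weight while a many-flow host shares the pipe at weight 5.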
    
