Re: Firewall rules that discriminate by connection duration

From: John Webster (jwebster_at_es.net)
Date: 11/10/04

  • Next message: D .: "Re: Firewall rules that discriminate by connection duration"
    Date: Wed, 10 Nov 2004 11:16:45 -0800
    To: Peter Jeremy <PeterJeremy@optushome.com.au>, Vlad GALU <vladgalu@gmail.com>

    --On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy <PeterJeremy@optushome.com.au> wrote:

    > On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
    >> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass <brett@lariat.org> wrote:
    >>> I'm interested in crafting firewall rules that throttle connections
    >>> that have lasted more than a certain amount of time. (Most such
    >>> connections are P2P traffic, which should be given a lower priority
    >>> than other connections and may constitute network abuse.) Alas, it
    >>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
    >>> connection has been established. Is there another firewall for
    >>> FreeBSD that can?
    >>
    >> All firewalls in FreeBSD can, actually. It's part of the stateful
    >> inspection feature. The only thing they lack is a match parameter
    >> based on the timer.
    >
    > That's a bit of a stretch. Stateful inspection associates a single
    > timeout with each connection. The timeout is reset when a valid
    > packet is seen on that connection and the connection blocked if the
    > timeout expires.
    >
    > Brett needs a timeout that is initialised when the connection is set up
    > and not reset. When it expires, you need to perform some different
    > action rather than just block the connection. You might be able to
    > reuse some of the existing stateful inspection code but I don't
    > believe it's a trivial change.

    How about ipfw and dummynet? Maybe set up pipes for p2p traffic?
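
The distinction Peter draws above, an idle timeout that every valid packet resets versus an age timer that is set once at connection setup and never reset, as an added Python simulation. This is not code from the thread and not ipfw or dummynet code; the flow keys, the 60 s idle timeout, the 300 s age limit and the packet trace are all constructed for illustration. A flow whose age exceeds the limit is demoted to a "throttle" verdict (the kind of action Brett wants, where a real firewall would hand the packet to a low-bandwidth pipe) while idle entries simply expire as classic stateful inspection does.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions, not from any firewall's defaults).
IDLE_TIMEOUT = 60.0   # seconds of silence before a state entry is dropped; reset on every packet
MAX_AGE = 300.0       # seconds since setup after which a flow is throttled; never reset


@dataclass
class Flow:
    key: tuple
    established_at: float   # age timer: set once at setup
    last_seen: float        # idle timer: refreshed by every valid packet
    throttled: bool = False


class Tracker:
    """Minimal connection tracker carrying both timers side by side."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_age=MAX_AGE):
        self.idle_timeout = idle_timeout
        self.max_age = max_age
        self.flows = {}

    def expire_idle(self, now):
        """Drop entries that have been silent longer than the idle timeout."""
        dead = [k for k, f in self.flows.items() if now - f.last_seen > self.idle_timeout]
        for k in dead:
            del self.flows[k]
        return dead

    def packet(self, key, now):
        """Return the verdict for one packet: 'new', 'pass' or 'throttle'."""
        self.expire_idle(now)
        flow = self.flows.get(key)
        if flow is None:
            # First packet of a (possibly re-created) flow: both timers start here.
            self.flows[key] = Flow(key, established_at=now, last_seen=now)
            return "new"
        flow.last_seen = now  # classic stateful behaviour: idle timer reset
        if now - flow.established_at >= self.max_age:
            flow.throttled = True  # age timer is never reset, so this sticks
            return "throttle"
        return "pass"


# Constructed 5-tuples (documentation addresses, not real hosts).
FLOW_A = ("10.0.0.5", 51234, "198.51.100.7", 6881, "tcp")   # long-lived, chatty every 30 s
FLOW_B = ("10.0.0.9", 44000, "203.0.113.20", 443, "tcp")    # short burst, then silent

# Constructed packet trace as (timestamp_seconds, flow_key), sorted by time.
TRACE = sorted([(t, FLOW_A) for t in range(0, 361, 30)] + [(5, FLOW_B), (100, FLOW_B)],
               key=lambda p: p[0])


def simulate(trace=TRACE, idle_timeout=IDLE_TIMEOUT, max_age=MAX_AGE):
    """Run the trace through a tracker; return a list of (time, key, verdict)."""
    tracker = Tracker(idle_timeout, max_age)
    return [(t, key, tracker.packet(key, t)) for t, key in trace]


if __name__ == "__main__":
    for t, key, verdict in simulate():
        label = "A" if key == FLOW_A else "B"
        print(f"t={t:4.0f}s flow {label}: {verdict}")
```

Flow A never goes quiet long enough for the idle timer to fire, so a stateful filter alone would keep passing it forever; only the age timer flags it at 300 s. Flow B shows the opposite case: its 95 s gap exceeds the idle timeout, so its second packet is seen as a brand-new flow and the age clock restarts, which is why an age-based rule cannot be built out of the idle timeout alone.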

