Date: Thu, 11 Nov 2004 05:36:06 +1100
From: Peter Jeremy
To: Vlad GALU
cc: freebsd-security@freebsd.org
Subject: Re: Firewall rules that discriminate by connection duration
Message-ID: <20041110183606.GN79646@cirb503493.alcatel.com.au>
In-Reply-To: <79722fad041110032364055ae7@mail.gmail.com>

On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
>On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass wrote:
>> I'm interested in crafting firewall rules that throttle connections
>> that have lasted more than a certain amount of time. (Most such
>> connections are P2P traffic, which should be given a lower priority
>> than other connections and may constitute network abuse.) Alas, it
>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
>> connection has been established. Is there another firewall for
>> FreeBSD that can?
>
> All firewalls in FreeBSD can, actually. It's part of the stateful
>inspection feature. The only thing they lack is a match parameter
>based on the timer.

That's a bit of a stretch. Stateful inspection associates a single
timeout with each connection. The timeout is reset when a valid packet
is seen on that connection and the connection is blocked if the timeout
expires. Brett needs a timeout that is initialised when the connection
is set up and not reset. When it expires, you need to perform some
different action rather than just block the connection. You might be
able to reuse some of the existing stateful inspection code but I don't
believe it's a trivial change.

-- 
Peter Jeremy
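The distinction Peter draws above (an idle timeout that every valid packet resets, versus a lifetime timer that is set once at connection setup and never reset) is easy to see in a small simulation. The following is an added illustration written for this thread; it is not FreeBSD or ipfw code, and the class names, the 30-second idle timeout, the 300-second lifetime and the "throttle" verdict are all constructed for the example. It tracks flows in a table the way a stateful filter does, then layers the second, non-resetting timer on top and returns a different verdict ("throttle" rather than "drop") once a connection has outlived it.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    """State entry for one tracked connection (constructed toy model)."""
    created: float    # time the entry was created; never updated
    last_seen: float  # time of the last valid packet; reset on every packet


class Tracker:
    """Toy stateful tracker with two timers per connection.

    idle_timeout : classic stateful-inspection timer, reset by traffic;
                   when it expires the state is dropped and the packet blocked.
    max_lifetime : age limit measured from setup; it is never reset, and
                   exceeding it selects a different action (throttle), not a block.
    """

    def __init__(self, idle_timeout: float, max_lifetime: float) -> None:
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.table: dict[tuple, Conn] = {}

    def packet(self, key: tuple, now: float) -> str:
        """Process one packet for flow `key` at time `now`.

        Returns "allow", "throttle" or "drop".
        """
        conn = self.table.get(key)
        if conn is None:
            # First packet of a flow: create state, both timers start now.
            self.table[key] = Conn(created=now, last_seen=now)
            return "allow"

        if now - conn.last_seen > self.idle_timeout:
            # Idle timer expired: the stateful entry is gone, so this packet
            # no longer matches any state and is blocked. A later packet
            # would start a fresh entry with a fresh lifetime.
            del self.table[key]
            return "drop"

        # A valid packet resets the idle timer ...
        conn.last_seen = now
        # ... but not the lifetime timer, which keeps counting from setup.
        if now - conn.created > self.max_lifetime:
            return "throttle"
        return "allow"


def simulate() -> dict[str, list[str]]:
    """Run two constructed flows through the tracker and collect verdicts.

    Flow "busy" sends a packet every 20 s for 400 s: it never goes idle,
    so a plain stateful timeout would never act on it, yet it is throttled
    once it is older than max_lifetime.
    Flow "quiet" sends one packet, then nothing for 50 s: the idle timer
    expires and the next packet is dropped.
    """
    tr = Tracker(idle_timeout=30, max_lifetime=300)
    busy = [tr.packet(("busy",), t) for t in range(0, 401, 20)]
    quiet = [tr.packet(("quiet",), 0), tr.packet(("quiet",), 50)]
    return {"busy": busy, "quiet": quiet}


if __name__ == "__main__":
    for name, verdicts in simulate().items():
        print(name, verdicts)
```

The interesting row is the "busy" flow: it is never idle, so the existing stateful timeout alone can never single it out; only the second timer, which is initialised at setup and deliberately not reset, gives a filter the hook to change its verdict after a fixed age. That is the extra state (and the extra action on expiry) the reply says a real implementation would have to add.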