Date: Sun, 4 Aug 2002 01:19:00 +0000
From: Philip Reynolds <philip.reynolds@rfc-networks.ie>
To: freebsd-ipfw@freebsd.org
Subject: Re: timeout
Message-ID: <20020804011900.A1711@rfc-networks.ie>
In-Reply-To: <NGBBKNDGKLKPMMNHJJLEIELBCAAA.eberkut@minithins.net>; from eberkut@minithins.net on Sat, Aug 03, 2002 at 05:06:12PM +0200
References: <NGBBKNDGKLKPMMNHJJLEIELBCAAA.eberkut@minithins.net>

eberkut <eberkut@minithins.net> 28 lines of wisdom included:
> <snip lifetime patch>

I can't comment on this obviously.

> Also there is a type of timeout features which could be
> useful both for security or state track tuning, those similar
> to Cisco's CBAC global timeouts or the pf.conf's set timeout
> options (see
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdcbac.htm#xtocid27
> and pf.conf(5) readable on openbsd.org). Specially, CBAC
> does a great work against syn flood & co. Some options may
> also be useful against scan. And one can use state timeout
> to aggressively drop unresponsive/congested/slow connections.
>
> just a few feature suggestions ;)

Without reading the detailed description of CBAC, from what you mention
there, aren't the sysctl variables:

- net.inet.ip.fw.dyn_ack_lifetime
- net.inet.ip.fw.dyn_syn_lifetime

etc. etc. what you're looking for?

-- 
Philip Reynolds                 | Technical Director
philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
http://www.rfc-networks.ie      | +353 (0)1 8832063

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message