Date: Thu, 11 Nov 2004 13:19:11 +0100
From: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
To: Brett Glass <brett@lariat.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall rules that discriminate by connection duration
Message-ID: <20041111121911.GB21054@shellma.zin.lublin.pl>
In-Reply-To: <200411100310.UAA12654@lariat.org>
References: <200411100310.UAA12654@lariat.org>
On Tue, Nov 09, 2004 at 08:10:30PM -0700, Brett Glass wrote:
> I'm interested in crafting firewall rules that throttle connections
> that have lasted more than a certain amount of time. (Most such
> connections are P2P traffic, which should be given a lower priority
> than other connections and may constitute network abuse.) Alas, it
> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> connection has been established. Is there another firewall for
> FreeBSD that can?

The problem with P2P is not that connections take a long time, but that there are plenty of them. You may consider using the patch I posted on freebsd-ipfw@ a few days ago to lower the weight of flows using dummynet if the number of connections is greater than N per host, for example.

-- 
Paweł Małachowski