From owner-freebsd-security@FreeBSD.ORG Wed Nov 10 19:16:46 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 005B816A4CE for ; Wed, 10 Nov 2004 19:16:46 +0000 (GMT)
Received: from postal3.es.net (postal3.es.net [198.128.3.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id C9E7E43D55 for ; Wed, 10 Nov 2004 19:16:45 +0000 (GMT) (envelope-from webster@es.net)
Received: from vortex.es.net ([198.128.1.16]) by postal3.es.net (Postal Node 3) with ASMTP (SSL) id IBA74465; Wed, 10 Nov 2004 11:16:45 -0800
Date: Wed, 10 Nov 2004 11:16:45 -0800
From: John Webster
To: Peter Jeremy, Vlad GALU
Message-ID: <7E5FC181A8962BB3C53C3757@vortex.es.net>
In-Reply-To: <20041110183606.GN79646@cirb503493.alcatel.com.au>
References: <200411100310.UAA12654@lariat.org> <79722fad041110032364055ae7@mail.gmail.com> <20041110183606.GN79646@cirb503493.alcatel.com.au>
X-Mailer: Mulberry/3.1.5 (Linux/x86)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="==========D1FB360EAB979C9318E2=========="
X-Mailman-Approved-At: Thu, 11 Nov 2004 13:40:07 +0000
cc: freebsd-security
Subject: Re: Firewall rules that discriminate by connection duration
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 10 Nov 2004 19:16:46 -0000

--On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy wrote:

> On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
>> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass wrote:
>>> I'm interested in crafting firewall rules that throttle connections
>>> that have lasted more than a certain amount of time. (Most such
>>> connections are P2P traffic, which should be given a lower priority
>>> than other connections and may constitute network abuse.) Alas, it
>>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
>>> connection has been established. Is there another firewall for
>>> FreeBSD that can?
>>
>> All firewalls in FreeBSD can, actually. It's part of the stateful
>> inspection feature. The only thing they lack is a match parameter
>> based on the timer.
>
> That's a bit of a stretch. Stateful inspection associates a single
> timeout with each connection. The timeout is reset when a valid
> packet is seen on that connection and the connection blocked if the
> timeout expires.
>
> Brett needs a timeout that is initialised when the connection is set up
> and not reset. When it expires, you need to perform some different
> action rather than just block the connection. You might be able to
> reuse some of the existing stateful inspection code but I don't
> believe it's a trivial change.

How about ipfw and dummynet? Maybe set up pipes for p2p traffic?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBkmkdBf+aYL5/Y60RApCGAJ0UEFkhsqgHCDxa1Q0KKdVJ09gS5wCfT8Iv
QxTkNXO40OM+iZAl2qgl3Rs=
=33/n
-----END PGP SIGNATURE-----
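The following is an added example, not code from the thread, from FreeBSD or from ipfw. It models the distinction Peter draws between the one timer stateful inspection keeps (an idle timeout that every valid packet resets, after which the state is dropped) and the timer Brett's rule would need (an age clock started at connection setup and never reset, whose expiry selects a throttling action rather than a block). The throttling action follows John's suggestion: long-lived flows are handed to a dummynet pipe. The packet trace, the timeout values, the pipe and table numbers and the bandwidth are all constructed for illustration. The ipfw(8) commands are emitted as strings rather than executed; note the caveat in the usage note about what ipfw tables can key on.

```python
"""Two-timer connection tracker: idle timeout (reset by every packet, as in
existing stateful rules) and connection age (set at first packet, never reset).
Flows whose age exceeds MAX_AGE are marked for throttling, not blocked.
Added example; timeouts, trace and ipfw numbers below are assumptions."""

from dataclasses import dataclass

IDLE_TIMEOUT = 300.0   # seconds; assumed stateful-entry lifetime
MAX_AGE = 3600.0       # seconds; assumed age after which a flow is throttled


@dataclass
class Conn:
    first_seen: float          # age clock: set once, never reset
    last_seen: float           # idle clock: reset on every valid packet
    throttled: bool = False


class ConnTracker:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_age=MAX_AGE):
        self.idle_timeout = idle_timeout
        self.max_age = max_age
        self.table = {}        # 5-tuple -> Conn
        self.expired = set()   # 5-tuples dropped by the idle timeout

    def _expire(self, now):
        # What stateful inspection already does: drop idle entries.
        for key, c in list(self.table.items()):
            if now - c.last_seen > self.idle_timeout:
                del self.table[key]
                self.expired.add(key)

    def packet(self, now, key):
        """Return the verdict for one packet: 'new', 'pass' or 'throttle'."""
        self._expire(now)
        c = self.table.get(key)
        if c is None:
            # Setup: start the age clock here. An idle-expired flow that
            # resumes looks like a new connection and its age starts over.
            self.table[key] = Conn(first_seen=now, last_seen=now)
            return "new"
        c.last_seen = now                      # idle timer reset
        if now - c.first_seen > self.max_age:  # age timer is never reset
            c.throttled = True                 # different action than block
            return "throttle"
        return "pass"


def run(trace, tracker=None):
    """Feed (timestamp, 5-tuple) packets in order; return tracker and verdicts."""
    tracker = tracker or ConnTracker()
    verdicts = {}
    for now, key in trace:
        verdicts.setdefault(key, []).append(tracker.packet(now, key))
    return tracker, verdicts


def ipfw_commands(tracker, pipe=1, table=1, bw="64Kbit/s"):
    """ipfw(8)/dummynet commands that would throttle the peers of flows the
    tracker marked. Strings only; run them on a FreeBSD host with ipfw.
    Caveat: ipfw tables hold addresses, so this throttles every flow to the
    peer host, not just the one long-lived connection."""
    cmds = [
        f"ipfw pipe {pipe} config bw {bw}",
        f"ipfw add 1000 pipe {pipe} ip from any to table({table})",
        f"ipfw add 1001 pipe {pipe} ip from table({table}) to any",
    ]
    for (_src, _sport, dst, _dport, _proto), c in tracker.table.items():
        if c.throttled:
            cmds.append(f"ipfw table {table} add {dst}")
    return cmds


# Constructed trace: A is a busy long-lived flow (P2P-like), B a short web
# fetch, C a long-lived flow that goes idle and resumes much later.
A = ("10.0.0.5", 51234, "198.51.100.7", 6881, "tcp")
B = ("10.0.0.6", 40000, "203.0.113.9", 80, "tcp")
C = ("10.0.0.7", 40001, "203.0.113.10", 443, "tcp")

TRACE = sorted(
    [(float(t), A) for t in range(0, 4001, 200)]   # a packet every 200 s
    + [(0.0, B), (10.0, B)]
    + [(0.0, C), (4100.0, C)],
    key=lambda p: p[0],
)

if __name__ == "__main__":
    tracker, verdicts = run(TRACE)
    for key, v in verdicts.items():
        print(key[0], "->", key[2], ":", v[0], "...", v[-1])
    print("\n".join(ipfw_commands(tracker)))
```

Flow A stays in the table because it never idles longer than IDLE_TIMEOUT, so its age keeps accruing and it crosses MAX_AGE at 3800 s; B and C are dropped by the idle timeout, and C's late packet opens a fresh entry with a fresh age clock. That last case is the practical weakness of an age match: a peer that is only occasionally active never reaches the threshold, which is one reason the thread converges on putting P2P traffic into a dummynet pipe by address rather than by connection duration.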