From owner-freebsd-security@FreeBSD.ORG Thu Nov 11 14:43:27 2004
Message-ID: <2472a6830411110643671554cf@mail.gmail.com>
Date: Thu, 11 Nov 2004 09:43:25 -0500
From: "D ."
To: John Webster
Cc: Vlad GALU, freebsd-security
In-Reply-To: <7E5FC181A8962BB3C53C3757@vortex.es.net>
Subject: Re: Firewall rules that discriminate by connection duration

I already suggested ipfw & dummynet to him; I attached his response. I
couldn't see any other way to do it which wouldn't mess up all other
persistent connections (HTTP/1.1, etc).

On Wed, 10 Nov 2004 14:45:43 -0700, Brett Glass wrote:
>
> Yes. It's persistent connections that you want to throttle. You cannot
> throttle P2P on the basis of port number, because many P2P systems use
> well-known ports such as 80.
>
> --Brett Glass
>
> On Wed, 10 Nov 2004 11:16:45 -0800, John Webster wrote:
> >
> > --On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy wrote:
> > > On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
> > >> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass wrote:
> > >>> I'm interested in crafting firewall rules that throttle connections
> > >>> that have lasted more than a certain amount of time. (Most such
> > >>> connections are P2P traffic, which should be given a lower priority
> > >>> than other connections and may constitute network abuse.) Alas, it
> > >>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> > >>> connection has been established. Is there another firewall for
> > >>> FreeBSD that can?
> > >>
> > >> All firewalls in FreeBSD can, actually. It's part of the stateful
> > >> inspection feature. The only thing they lack is a match parameter
> > >> based on the timer.
> > >
> > > That's a bit of a stretch. Stateful inspection associates a single
> > > timeout with each connection. The timeout is reset when a valid
> > > packet is seen on that connection and the connection blocked if the
> > > timeout expires.
> > >
> > > Brett needs a timeout that is initialised when the connection is set up
> > > and not reset. When it expires, you need to perform some different
> > > action rather than just block the connection. You might be able to
> > > reuse some of the existing stateful inspection code but I don't
> > > believe it's a trivial change.
> >
> > How about ipfw and dummynet? Maybe set up pipes for p2p traffic?
>

--
Want Gmail? Just ask, and I'll hook you up.
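As an added illustration of the distinction Peter Jeremy draws in the quoted thread (this is example code written for this archive page, not code from the thread, from ipfw or from FreeBSD), the model below keeps two timers per flow: the idle timer that ordinary stateful inspection resets on every packet, and a setup timer that is never reset. The flow keys, the 300 s idle timeout, the 600 s age threshold and the packet trace are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class FlowState:
    established_at: float  # set on the first packet, never touched again
    last_seen: float       # reset on every packet, like the keep-state timer


class DurationAwareTracker:
    def __init__(self, idle_timeout: float, max_age: float):
        self.idle_timeout = idle_timeout
        self.max_age = max_age
        self.flows = {}

    def observe(self, now: float, flow: tuple) -> str:
        """Return the action for one packet: pass, throttle, or block."""
        state = self.flows.get(flow)
        if state is None:
            self.flows[flow] = FlowState(established_at=now, last_seen=now)
            return "pass"
        if now - state.last_seen > self.idle_timeout:
            # Ordinary stateful inspection: the entry aged out, so the
            # packet no longer matches any state and is dropped.
            del self.flows[flow]
            return "block"
        state.last_seen = now  # the idle timer restarts on valid traffic
        if now - state.established_at > self.max_age:
            # The setup timer is never reset, so a long-lived flow crosses
            # it even though it never goes idle; divert rather than block.
            return "throttle"
        return "pass"


# Constructed trace: (seconds since start, flow key).  Flow A is a
# persistent connection sending every 60 s; flow B goes quiet, then resumes.
FLOW_A = ("10.0.0.5", 49152, "192.0.2.10", 80)
FLOW_B = ("10.0.0.7", 49153, "192.0.2.20", 80)
TRACE = [(t, FLOW_A) for t in range(0, 901, 60)] + [
    (0, FLOW_B), (30, FLOW_B), (400, FLOW_B)]


def run(trace, idle_timeout=300.0, max_age=600.0):
    """Replay a trace in time order; return {flow: [(time, action), ...]}."""
    tracker = DurationAwareTracker(idle_timeout, max_age)
    decisions = {}
    for now, flow in sorted(trace, key=lambda p: p[0]):
        decisions.setdefault(flow, []).append((now, tracker.observe(now, flow)))
    return decisions


if __name__ == "__main__":
    for flow, actions in run(TRACE).items():
        print(flow, actions)
```

Flow A never trips the idle timer, which is exactly why a keep-state timeout alone cannot single it out, yet it crosses the setup timer after 600 s and gets throttled; flow B is blocked by the ordinary idle timeout when it resumes after 370 s of silence.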