Date: Thu, 25 Nov 2004 17:12:38 +0300
From: Gleb Smirnoff <glebius@freebsd.org>
To: David Schwartz <davids@webmaster.com>
Cc: "freebsd-current@FreeBSD.org" <freebsd-current@freebsd.org>
Subject: Re: RFC: Add creation time to dynamic firewall rules
Message-ID: <20041125141238.GB78210@cell.sick.ru>
In-Reply-To: <MDEHLPKNGKAHNMBLJOLKGEKBAAAB.davids@webmaster.com>
References: <MDEHLPKNGKAHNMBLJOLKGEKBAAAB.davids@webmaster.com>
On Wed, Nov 24, 2004 at 01:12:28PM -0800, David Schwartz wrote:
D> FreeBSD does not keep track of the time a dynamic firewall rule was created in
D> the structure associated with that rule. It looks like it would take less
D> than an hour to code up a patch to keep this information and add a flag to
D> ipfw to display how many seconds old the rule is instead of the usage time.
D>
D> I want this addition for two reasons:
D>
D> 1) Being able to know how old a connection is gives you important
D> information about its stability.
D>
D> 2) By dividing the number of bytes by the connection age, you can
D> guesstimate the approximate bandwidth usage of the connection.
D>
D> I could easily make this change locally and maintain it as a local patch,
D> but would prefer to see it accepted into the general distribution. Does
D> anyone have any comments as to whether such a patch would be likely to be
D> accepted?
D>
D> The cost is, essentially, an extra 4 bytes for each dynamic firewall rule.
D> A large firewall might have 10,000 dynamic rules, which would be 40Kb. A
D> typical firewall might have 300, which would be 1Kb or so. (It might
D> actually be a bit more or less, I haven't looked at slack space.)

This is not an answer to your question, but you can obtain such information
for all running network flows if you run ng_netflow. NetFlow is a standard
tool for monitoring.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE