Date: Wed, 10 Nov 2004 11:16:45 -0800
From: John Webster <jwebster@es.net>
To: Peter Jeremy <PeterJeremy@optushome.com.au>, Vlad GALU <vladgalu@gmail.com>
Cc: freebsd-security <freebsd-security@freebsd.org>
Subject: Re: Firewall rules that discriminate by connection duration
Message-ID: <7E5FC181A8962BB3C53C3757@vortex.es.net>
In-Reply-To: <20041110183606.GN79646@cirb503493.alcatel.com.au>
References: <200411100310.UAA12654@lariat.org> <79722fad041110032364055ae7@mail.gmail.com> <20041110183606.GN79646@cirb503493.alcatel.com.au>
--On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy <PeterJeremy@optushome.com.au> wrote:

> On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
>> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass <brett@lariat.org> wrote:
>>> I'm interested in crafting firewall rules that throttle connections
>>> that have lasted more than a certain amount of time. (Most such
>>> connections are P2P traffic, which should be given a lower priority
>>> than other connections and may constitute network abuse.) Alas, it
>>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
>>> connection has been established. Is there another firewall for
>>> FreeBSD that can?
>>
>> All firewalls in FreeBSD can, actually. It's part of the stateful
>> inspection feature. The only thing they lack is a match parameter
>> based on the timer.
>
> That's a bit of a stretch. Stateful inspection associates a single
> timeout with each connection. The timeout is reset when a valid
> packet is seen on that connection and the connection blocked if the
> timeout expires.
>
> Brett needs a timeout that is initialised when the connection is setup
> and not reset. When it expires, you need to perform some different
> action rather than just block the connection. You might be able to
> reuse some of the existing stateful inspection code but I don't
> believe it's a trivial change.

How about ipfw and dummynet? Maybe set up pipes for p2p traffic?
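The following is an added example, not code from anyone in this thread. It models the distinction Peter Jeremy draws (a stateful idle timer that is reset by every packet versus an absolute age stamped at connection setup and never reset) with a small userland flow tracker, and then emits the kind of ipfw/dummynet pipe rules John Webster suggests for flows whose age has crossed a threshold. The flows, packet timings, thresholds, pipe number, rule number and bandwidth are all constructed for illustration; the rule strings are only built, never executed, and nothing here claims that ipfw itself keeps a per-connection age.

```python
"""
Idle timeout vs. absolute connection age, and what to do when each fires.

Stateful inspection keeps one timer per flow that is reset on every valid
packet; when it expires the flow's state is dropped (packets are blocked).
A "throttle long-lived connections" policy instead needs a timestamp taken
at setup and never reset, and a different action (rate-limit via a
dummynet pipe) when it is exceeded.  Both are modelled side by side here.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    key: tuple             # constructed key: (proto, src, sport, dst, dport)
    established_at: float  # set when first seen, never reset
    last_seen: float       # reset by every packet (the stateful idle timer)
    throttled: bool = False


class ConnTracker:
    def __init__(self, idle_timeout: float, max_age: float):
        self.idle_timeout = idle_timeout  # seconds of silence before state is dropped
        self.max_age = max_age            # seconds since setup before throttling
        self.flows: dict[tuple, Flow] = {}
        self.expired: list[Flow] = []     # flows whose idle timer fired

    def packet(self, now: float, key: tuple) -> Flow:
        """Account for one packet seen at time `now` on flow `key`."""
        # 1. Idle-timer semantics: drop any flow silent for longer than idle_timeout.
        for k, f in list(self.flows.items()):
            if now - f.last_seen > self.idle_timeout:
                self.expired.append(self.flows.pop(k))
        # 2. Create or refresh the flow; only last_seen is reset, established_at is not.
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(key=key, established_at=now, last_seen=now)
            self.flows[key] = flow
        else:
            flow.last_seen = now
        # 3. Age semantics: a chatty flow never idles out, but it does grow old.
        if now - flow.established_at >= self.max_age:
            flow.throttled = True
        return flow


def dummynet_rules(tracker: ConnTracker, pipe: int = 1, rule: int = 1000,
                   bw: str = "256Kbit/s") -> list[str]:
    """Build (not run) ipfw commands that steer throttled flows into one pipe.

    Pipe number, rule number and bandwidth are assumed values for the example.
    """
    cmds = [f"ipfw pipe {pipe} config bw {bw}"]
    for f in tracker.flows.values():
        if f.throttled:
            proto, src, sport, dst, dport = f.key
            cmds.append(f"ipfw add {rule} pipe {pipe} {proto} "
                        f"from {src} {sport} to {dst} {dport}")
    return cmds


# Constructed sample flows (documentation/test-network addresses).
FLOW_A = ("tcp", "10.0.0.5", 51234, "198.51.100.7", 6881)   # long-lived, chatty
FLOW_B = ("tcp", "10.0.0.6", 40000, "203.0.113.9", 443)     # goes quiet

# Constructed packet timeline: (seconds, flow key).
EVENTS = [(0, FLOW_A), (0, FLOW_B), (30, FLOW_A), (60, FLOW_A), (90, FLOW_A)]


def run_demo(idle_timeout: float = 50, max_age: float = 80):
    """Replay the constructed timeline; returns (tracker, emitted ipfw commands)."""
    tracker = ConnTracker(idle_timeout=idle_timeout, max_age=max_age)
    for t, key in EVENTS:
        tracker.packet(t, key)
    return tracker, dummynet_rules(tracker)


if __name__ == "__main__":
    tracker, rules = run_demo()
    for f in tracker.expired:
        print(f"idle timer fired, state dropped: {f.key}")
    for f in tracker.flows.values():
        print(f"still tracked: {f.key} age>=max_age={f.throttled}")
    print("\n".join(rules))
```

With the constructed timeline, FLOW_B is silent for 60 s and is dropped by the 50 s idle timer at the third tick, exactly as stateful inspection would block it. FLOW_A keeps its idle timer reset by regular packets and would never be touched by that mechanism, but at 90 s its never-reset setup timestamp exceeds the 80 s age threshold and it is the one flow steered into the pipe. The per-flow rule shown is the simplest shape; a production variant would need to retire rules when the flow ends.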