I'm interested in crafting firewall rules that throttle connections that have lasted more than a certain amount of time. (Most such connections are P2P traffic, which should be given a lower priority than other connections and may constitute network abuse.) Alas, it doesn't appear that FreeBSD's IPFW can keep tabs on how long a connection has been established. Is there another firewall for FreeBSD that can?

--Brett Glass

_______________________________________________________
Please think twice when forwarding, cc:ing, or bcc:ing security-team messages. Ask if you are unsure.
On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass <brett@lariat.org> wrote:

> I'm interested in crafting firewall rules that throttle connections
> that have lasted more than a certain amount of time. (Most such
> connections are P2P traffic, which should be given a lower priority
> than other connections and may constitute network abuse.) Alas, it
> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> connection has been established. Is there another firewall for
> FreeBSD that can?

All firewalls in FreeBSD can, actually. It's part of the stateful inspection feature. The only thing they lack is a match parameter based on the timer.

> --Brett Glass

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
Pawel Malachowski
2004-Nov-11 04:27 UTC
Firewall rules that discriminate by connection duration
On Tue, Nov 09, 2004 at 08:10:30PM -0700, Brett Glass wrote:

> I'm interested in crafting firewall rules that throttle connections
> that have lasted more than a certain amount of time. (Most such
> connections are P2P traffic, which should be given a lower priority
> than other connections and may constitute network abuse.) Alas, it
> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
> connection has been established. Is there another firewall for
> FreeBSD that can?

The problem with P2P is not that connections take a long time, but that there are plenty of them. You may consider using the patch I posted on freebsd-ipfw@ a few days ago to lower the weight of flows using dummynet if the number of connections is greater than N per host, for example.

--
Paweł Małachowski
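The thread leaves two candidate criteria on the table: Brett's (flow age) and Paweł's (connections per host). The script below is an added example, not code from the thread, from Paweł's patch, or from any FreeBSD firewall; it shows both criteria applied to one state table and turns the result into ipfw(8)/dummynet commands, which is the userland substitute for the timer match that the second reply says ipfw lacks. Assumptions: the state table is read from pf's `pfctl -vvs state` output, whose layout (a header line per state and an `age HH:MM:SS` line after it) is assumed rather than captured; the sample table, hosts and thresholds (3600 s, 3 connections, 128 Kbit/s pipe) are constructed for illustration; and the ipfw rule syntax used is the plain `pipe N config bw` / `add N pipe N proto from A port to B port` form.

```python
"""Pick out long-lived flows and connection-heavy hosts from a firewall
state table and emit ipfw/dummynet commands that shape them.
Added example; the pfctl layout below is an assumption, not captured output."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of `pfctl -vvs state` output (assumption:
# real output carries an "age HH:MM:SS" line after each state header).
SAMPLE_STATES = """\
all tcp 10.0.0.5:51234 -> 203.0.113.10:6881       ESTABLISHED:ESTABLISHED
   [3117190795 + 65535] wscale 7  [1486636011 + 65535] wscale 7
   age 02:15:03, expires in 23:59:30, 12000:34000 pkts, 1200000:54000000 bytes, rule 10
all tcp 10.0.0.5:51235 -> 203.0.113.11:6881       ESTABLISHED:ESTABLISHED
   age 01:40:12, expires in 23:58:01, 9000:30000 pkts, 900000:40000000 bytes, rule 10
all tcp 10.0.0.5:51240 -> 203.0.113.12:6881       ESTABLISHED:ESTABLISHED
   age 00:00:20, expires in 23:59:58, 40:60 pkts, 4000:80000 bytes, rule 10
all udp 10.0.0.5:6881 -> 203.0.113.13:6881       MULTIPLE:MULTIPLE
   age 00:05:00, expires in 00:00:50, 300:300 pkts, 30000:30000 bytes, rule 11
all tcp 10.0.0.7:40022 -> 198.51.100.20:22       ESTABLISHED:ESTABLISHED
   age 03:00:00, expires in 23:59:59, 5000:5000 pkts, 400000:900000 bytes, rule 10
all tcp 10.0.0.9:40080 -> 198.51.100.30:80       ESTABLISHED:ESTABLISHED
   age 00:00:03, expires in 23:59:57, 10:12 pkts, 1000:15000 bytes, rule 10
"""

# Left side of the arrow is treated as the local endpoint for both "->" and "<-".
HEADER_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<local>\d+\.\d+\.\d+\.\d+):(?P<lport>\d+)\s+"
    r"(?:\(\d+\.\d+\.\d+\.\d+:\d+\)\s+)?"      # optional NAT gateway address
    r"(?:->|<-)\s+"
    r"(?P<remote>\d+\.\d+\.\d+\.\d+):(?P<rport>\d+)"
)
AGE_RE = re.compile(r"^\s+age\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+),")


@dataclass(frozen=True)
class Flow:
    proto: str
    local: str
    lport: int
    remote: str
    rport: int
    age_s: int  # seconds since the state was created


def parse_states(text):
    """Pair each state header with the 'age' line that follows it."""
    flows, pending = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m
            continue
        a = AGE_RE.match(line)
        if a and pending:
            age = int(a["h"]) * 3600 + int(a["m"]) * 60 + int(a["s"])
            flows.append(Flow(pending["proto"], pending["local"], int(pending["lport"]),
                              pending["remote"], int(pending["rport"]), age))
            pending = None
    return flows


def long_lived(flows, max_age_s):
    """Duration criterion: flows older than max_age_s."""
    return [f for f in flows if f.age_s > max_age_s]


def hosts_over_limit(flows, max_conns):
    """Count criterion: local hosts holding more than max_conns states."""
    counts = Counter(f.local for f in flows)
    return {h: n for h, n in counts.items() if n > max_conns}


def dummynet_commands(flows, hosts, pipe=1, bw="128Kbit/s", first_rule=1000):
    """ipfw(8) commands: one pipe, then one rule per direction per target.
    Whole hosts get an address-wide rule; remaining flows get a 5-tuple rule."""
    cmds = [f"ipfw pipe {pipe} config bw {bw}"]
    rule = first_rule
    for h in sorted(hosts):
        cmds.append(f"ipfw add {rule} pipe {pipe} ip from {h} to any")
        cmds.append(f"ipfw add {rule} pipe {pipe} ip from any to {h}")
        rule += 1
    for f in flows:
        if f.local in hosts:
            continue  # already covered by the per-host rule above
        cmds.append(f"ipfw add {rule} pipe {pipe} {f.proto} "
                    f"from {f.local} {f.lport} to {f.remote} {f.rport}")
        cmds.append(f"ipfw add {rule} pipe {pipe} {f.proto} "
                    f"from {f.remote} {f.rport} to {f.local} {f.lport}")
        rule += 1
    return cmds


if __name__ == "__main__":
    flows = parse_states(SAMPLE_STATES)
    old = long_lived(flows, 3600)          # Brett's criterion
    busy = hosts_over_limit(flows, 3)      # Paweł's criterion
    print("\n".join(dummynet_commands(old, busy)))
```

On the constructed table the age rule alone also catches the three-hour SSH session from 10.0.0.7, which is the point Paweł makes: duration is a weak P2P signal, while the per-host count singles out only 10.0.0.5. Two practical notes on applying the output: the pipe rules must sit before whatever rule would otherwise pass the traffic, and with the default `net.inet.ip.fw.one_pass=1` a packet leaving the pipe is not re-evaluated against later rules, so set it to 0 if an `allow` with `keep-state` is supposed to run afterwards. If the aim is merely to cap, not shape, the per-host count, ipfw already has that in the kernel without a patch: `ipfw add allow tcp from 10.0.0.0/24 to any setup limit src-addr 30`.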