Date:      Thu, 11 Nov 2004 05:36:06 +1100
From:      Peter Jeremy <PeterJeremy@optushome.com.au>
To:        Vlad GALU <vladgalu@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Firewall rules that discriminate by connection duration
Message-ID:  <20041110183606.GN79646@cirb503493.alcatel.com.au>
In-Reply-To: <79722fad041110032364055ae7@mail.gmail.com>
References:  <200411100310.UAA12654@lariat.org> <79722fad041110032364055ae7@mail.gmail.com>

On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
>On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass <brett@lariat.org> wrote:
>> I'm interested in crafting firewall rules that throttle connections
>> that have lasted more than a certain amount of time. (Most such
>> connections are P2P traffic, which should be given a lower priority
>> than other connections and may constitute network abuse.) Alas, it
>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
>> connection has been established. Is there another firewall for
>> FreeBSD that can?
>  
>   All firewalls in FreeBSD can, actually. It's part of the stateful
>inspection feature. The only thing they lack is a match parameter
>based on the timer.

That's a bit of a stretch.  Stateful inspection associates a single
timeout with each connection.  The timeout is reset when a valid
packet is seen on that connection and the connection blocked if the
timeout expires.

Brett needs a timeout that is initialised when the connection is set up
and not reset.  When it expires, you need to perform some different
action rather than just block the connection.  You might be able to
reuse some of the existing stateful inspection code but I don't
believe it's a trivial change.

-- 
Peter Jeremy
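The distinction Peter draws, as an added model that is not part of the thread and not FreeBSD or ipfw code: a state table with the usual idle timeout (reset by every packet, entry purged on expiry) beside a connection-age timer that is set once at setup and never reset, which fires a different action (throttle) instead of dropping the entry. The flow tuples, the 300 s / 3600 s values, the packet trace and the "throttle" action are all constructed for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 300   # seconds; ordinary stateful timer, reset by each valid packet
MAX_AGE = 3600       # seconds; hypothetical age timer, set at setup and never reset


@dataclass
class FlowState:
    established: float   # when the connection was set up (age timer base)
    last_seen: float     # when the last valid packet arrived (idle timer base)


class StateTable:
    """Toy state table with an idle timeout and a separate connection-age check."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, max_age=MAX_AGE):
        self.idle_timeout = idle_timeout
        self.max_age = max_age
        self.flows = {}

    def handle(self, now, flow, syn=False):
        """Return 'allow', 'throttle' or 'drop' for one packet on `flow`."""
        st = self.flows.get(flow)
        if st is not None and now - st.last_seen > self.idle_timeout:
            # Ordinary stateful inspection: idle timer expired, entry is purged.
            del self.flows[flow]
            st = None
        if st is None:
            if not syn:
                return "drop"        # no state and not a new connection
            self.flows[flow] = FlowState(established=now, last_seen=now)
            return "allow"
        st.last_seen = now           # idle timer is reset ...
        if now - st.established > self.max_age:
            return "throttle"        # ... but the age timer is not
        return "allow"


def run_trace(trace, **kw):
    """Feed time-ordered (t, flow, is_syn) events and return (t, flow, action)."""
    table = StateTable(**kw)
    return [(t, flow, table.handle(t, flow, syn))
            for t, flow, syn in sorted(trace, key=lambda e: e[0])]


# Constructed sample trace: a chatty long-lived P2P flow and a short web fetch.
P2P = ("10.0.0.5", 51413, "203.0.113.9", 6881)
WEB = ("10.0.0.5", 49152, "198.51.100.7", 80)

TRACE = ([(0, P2P, True)]
         + [(t, P2P, False) for t in range(60, 7201, 60)]   # a packet every minute
         + [(0, WEB, True), (5, WEB, False), (1000, WEB, False)])


def actions_for(results, flow):
    return [a for _, f, a in results if f == flow]


if __name__ == "__main__":
    res = run_trace(TRACE)
    for flow in (P2P, WEB):
        acts = actions_for(res, flow)
        print(flow[2], flow[3], {a: acts.count(a) for a in sorted(set(acts))})
```

The P2P flow never trips the idle timer because it is never quiet for more than 60 s, so a plain stateful rule would keep it open for ever; only the separately stored setup time lets the table switch it to "throttle" after an hour. The web flow shows the other side: after its 995 s gap the idle timer purges the entry and the next non-SYN packet is dropped, which is the only action the existing timeout mechanism offers.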
