Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 4 Aug 2002 01:19:00 +0000
From:      Philip Reynolds <philip.reynolds@rfc-networks.ie>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: timeout
Message-ID:  <20020804011900.A1711@rfc-networks.ie>
In-Reply-To: <NGBBKNDGKLKPMMNHJJLEIELBCAAA.eberkut@minithins.net>; from eberkut@minithins.net on Sat, Aug 03, 2002 at 05:06:12PM +0200
References:  <NGBBKNDGKLKPMMNHJJLEIELBCAAA.eberkut@minithins.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
eberkut <eberkut@minithins.net> 28 lines of wisdom included:
>
<snip lifetime patch>

I can't comment on this obviously.

> Also there is a type of timeout features which could be
> useful both for security or state track tuning, those similar
> to Cisco's CBAC global timeouts or the pf.conf's set timeout
> options (see
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secu
> r_c/scprt3/scdcbac.htm#xtocid27
> and pf.conf(5) readable on openbsd.org). Specially, CBAC
> does a great work against syn flood & co. Some options may
> also be useful against scan. And one can use state timeout
> to agressively drop unresponsive/congested/slow connections.
> 
> just a few feature suggestions ;)

Without reading the detailed description of CBAC, from what you
mention there aren't, the sysctl variables:

- net.inet.ip.fw.dyn_ack_lifetime
- net.inet.ip.fw.dyn_syn_lifetime
etc. etc.

What you're looking for?

-- 
Philip Reynolds                  | Technical Director
philip.reynolds@rfc-networks.ie  | RFC Networks Ltd.
http://www.rfc-networks.ie       | +353 (0)1 8832063

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20020804011900.A1711>