Date: Sat, 22 Jan 2005 02:04:57 -0000
From: "Chris" <chrysalis@garlic-breath.net>
To: <freebsd-ipfw@freebsd.org>
Subject: check-state,logging and dummynet questions
Message-ID: <20050122015511.71F63974C3B@mail.garlic-breath.net>
Hi,

I have been using ipfw for a small while now, but have a few concerns I will list below.

1 - Logging - I would like to see the packet size logged so when I am attacked I can diagnose the type of attack more effectively; other firewalls such as pf and iptables do this. I would also like an option to perhaps rate limit logging so if I am receiving 5000 pps I am not logging 5000 pps. I have used the logamount directive to help this problem.

2 - Dummynet - I would like to rate limit syn packets via packets per second rather than kbit/sec, because I currently limit src ip's to 1kbit/sec of tcp syn to help on syn floods but this is still too high. Also it would be nice if the interval of the block could be adjustable when dummynet blocks.

3 - keep-state - This is a weird one. I am currently using allow established instead of check-state because if I use check-state every time I flush the rules I get booted from my ssh session and a load of established connections drop. I understand this is probably intended behaviour since it has to re-establish the stateful flag after the flush. Is there a way to work around this for connections that need to stay alive during a rule cycle, or even better a way to keep dynamic rules when static rules are flushed?

Thanks for your time
Chris
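Point 1 of the message is about using ipfw's log output to diagnose an attack and about the logamount ceiling. The following script is an added example, not part of the original mail or of FreeBSD: it parses the stock ipfw syslog line for TCP/UDP (the "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <iface>" form) and the "limit N reached on entry R" line that ipfw emits when a rule's logamount is exhausted, then ranks sources by logged packet count. The sample lines, addresses and the alert threshold are constructed for the example; the classic log line carries no packet length, which is exactly the gap the message points out, so the script reports only what the kernel logs.

```python
"""Summarize ipfw 'log' output by source address and destination port.

Added example (not from the original mail or the ipfw code). It parses
the stock ipfw syslog format for TCP/UDP and the 'limit N reached' line
that marks a rule's logamount ceiling, so the reader can see both which
sources dominate the logged traffic and where logging was cut off.
"""
import re
from collections import Counter, defaultdict

# Stock ipfw syslog line for TCP/UDP (assumed format of the ipfw logger).
PKT_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
# Emitted once when a rule with 'log logamount N' reaches N entries.
LIMIT_RE = re.compile(r"ipfw: limit (?P<limit>\d+) reached on entry (?P<rule>\d+)")

# Constructed sample: a burst of SYN-style hits on port 22 from one source,
# one unrelated web hit, an ICMP line this parser does not handle, and the
# logamount ceiling message for rule 300.
SAMPLE_LOG = [
    "Jan 22 01:55:11 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40001 198.51.100.10:22 in via fxp0",
    "Jan 22 01:55:11 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40002 198.51.100.10:22 in via fxp0",
    "Jan 22 01:55:11 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40003 198.51.100.10:22 in via fxp0",
    "Jan 22 01:55:12 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40004 198.51.100.10:22 in via fxp0",
    "Jan 22 01:55:12 gw kernel: ipfw: 200 Accept TCP 198.51.100.77:51000 198.51.100.10:80 in via fxp0",
    "Jan 22 01:55:12 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40005 198.51.100.10:22 in via fxp0",
    "Jan 22 01:55:12 gw kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.7 198.51.100.10 in via fxp0",
    "Jan 22 01:55:13 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:40006 198.51.100.10:22 in via fxp0",
    "Jan 22 01:55:13 gw kernel: ipfw: limit 100 reached on entry 300",
]


def parse_line(line):
    """Return ('pkt', fields) or ('limit', fields), or None for other text."""
    m = PKT_RE.search(line)
    if m:
        d = m.groupdict()
        for key in ("rule", "sport", "dport"):
            d[key] = int(d[key])
        return ("pkt", d)
    m = LIMIT_RE.search(line)
    if m:
        return ("limit", {"rule": int(m["rule"]), "limit": int(m["limit"])})
    return None


def summarize(lines):
    """Count logged packets per source and per (source, dport); record logamount cut-offs."""
    per_src = Counter()
    per_src_dport = defaultdict(Counter)
    limits = {}  # rule number -> logamount value that was reached
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ICMP lines and unrelated syslog text are skipped
        kind, d = parsed
        if kind == "limit":
            limits[d["rule"]] = d["limit"]
        else:
            per_src[d["src"]] += 1
            per_src_dport[d["src"]][d["dport"]] += 1
    return {"per_src": per_src, "per_src_dport": per_src_dport, "limits": limits}


def suspects(summary, threshold):
    """Sources whose logged packet count meets the threshold, busiest first."""
    return [(src, n) for src, n in summary["per_src"].most_common() if n >= threshold]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, n in suspects(s, 5):
        ports = ", ".join(f"{p}:{c}" for p, c in s["per_src_dport"][src].most_common(3))
        print(f"{src}: {n} logged packets (top dports {ports})")
    for rule, limit in s["limits"].items():
        print(f"rule {rule} hit logamount {limit}: later packets were not logged")
```

The "limit reached" entry matters when reading these counts: once a rule's logamount is exhausted the kernel stops logging for it, so the per-source totals are a floor, not the real packet rate. Feed the script `grep ipfw /var/log/security` on a FreeBSD box to run it against live data.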