From: "Chris"
To: freebsd-ipfw@freebsd.org
Date: Sat, 22 Jan 2005 02:04:57 -0000
Subject: check-state,logging and dummynet questions
Message-Id: <20050122015511.71F63974C3B@mail.garlic-breath.net>
List-Id: IPFW Technical Discussions

Hi

I've been using ipfw for a small while now, but have a few concerns I will list below.

1 - Logging - I would like to see the packet size logged so that when I am attacked I can diagnose the type of attack more effectively; other firewalls such as pf and iptables do this. I would also like an option to perhaps rate limit logging, so if I am receiving 5000 pps I am not logging 5000 pps. I have used the logamount directive to help with this problem.

2 - Dummynet - I would like to rate limit SYN packets by packets per second rather than kbit/sec, because I currently limit src IPs to 1 kbit/sec of TCP SYN to help with SYN floods, but this is still too high. It would also be nice if the interval of the block could be adjustable when dummynet blocks.

3 - keep-state - This is a weird one. I am currently using allow established instead of check-state, because if I use check-state, every time I flush the rules I get booted from my ssh session and a load of established connections drop. I understand this is probably intended behaviour, since it has to re-establish the stateful flag after the flush. Is there a way to work around this for connections that need to stay alive during a rule cycle, or even better, a way to keep dynamic rules when static rules are flushed?

Thanks for your time
Chris
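An added example, not part of Chris's message nor FreeBSD's own rc.firewall: an rc.firewall-style loader that turns the three items above into rules (logamount-limited logging, a per-source dummynet pipe on inbound SYNs, and check-state with keep-state/limit in place of allow established). It assumes FreeBSD ipfw2 with dummynet, SSH on port 22, and the hypothetical variables fwcmd and syscmd so the commands can be printed with echo instead of run.

```shell
#!/bin/sh
# Constructed rc.firewall-style loader (not from the original post).
# Assumes FreeBSD ipfw2 with dummynet and SSH on port 22; set
# fwcmd=echo syscmd=echo to print the commands instead of running them.
fwcmd="${fwcmd:-/sbin/ipfw}"
syscmd="${syscmd:-/sbin/sysctl}"

tune_kernel() {
    # verbose_limit caps log lines per rule when no logamount is given;
    # one_pass=0 makes a packet leaving a pipe continue at the next rule,
    # otherwise anything sent through the pipe is accepted right there.
    $syscmd net.inet.ip.fw.verbose=1 net.inet.ip.fw.verbose_limit=100
    $syscmd net.inet.ip.fw.one_pass=0
}

syn_limit_rules() {
    # One dummynet queue per source address (mask src-ip): each client
    # gets 1 Kbit/s of inbound SYNs; a 5-slot queue drops the surplus
    # instead of delaying it.
    $fwcmd pipe 1 config bw 1Kbit/s queue 5 mask src-ip 0xffffffff
    $fwcmd add 100 pipe 1 tcp from any to me setup in
}

stateful_rules() {
    # check-state admits only packets of sessions opened through the
    # keep-state/limit rules below; limit src-addr 5 counts sessions
    # per client instead of bytes per second.
    $fwcmd add 200 check-state
    $fwcmd add 210 allow tcp from any to me 22 setup limit src-addr 5
    $fwcmd add 220 allow tcp from me to any setup keep-state
    # Trade-off: 'allow tcp from any to any established' survives a
    # flush (the dynamic table is emptied with the static rules) but
    # accepts any ACK/RST-flagged packet, even for connections whose
    # SYN the firewall never saw.
}

logging_rules() {
    # logamount 100: at most 100 log lines from this rule until
    # 'ipfw resetlog' clears the counter, so a flood cannot drown syslog.
    $fwcmd add 65000 deny log logamount 100 ip from any to any
}

load_rules() {
    tune_kernel
    $fwcmd -f flush
    syn_limit_rules
    stateful_rules
    logging_rules
}
if [ "${1:-}" = "load" ]; then load_rules; fi
```

Run it as `sh rules.sh load` to apply, or `fwcmd=echo syscmd=echo sh rules.sh load` to review the generated rule set first.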