Firewall rules that discriminate by connection duration

John Webster jwebster at es.net
Wed Nov 10 11:16:46 PST 2004



--On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy <PeterJeremy at optushome.com.au> wrote:

> On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
>> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass <brett at lariat.org> wrote:
>>> I'm interested in crafting firewall rules that throttle connections
>>> that have lasted more than a certain amount of time. (Most such
>>> connections are P2P traffic, which should be given a lower priority
>>> than other connections and may constitute network abuse.) Alas, it
>>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
>>> connection has been established. Is there another firewall for
>>> FreeBSD that can?
>>  
>>   All firewalls in FreeBSD can, actually. It's part of the stateful
>> inspection feature. The only thing they lack is a match parameter
>> based on the timer.
> 
> That's a bit of a stretch.  Stateful inspection associates a single
> timeout with each connection.  The timeout is reset when a valid
> packet is seen on that connection and the connection blocked if the
> timeout expires.
> 
> Brett needs a timeout that is initialised when the connection is set up
> and not reset.  When it expires, you need to perform some different
> action rather than just block the connection.  You might be able to
> reuse some of the existing stateful inspection code but I don't
> believe it's a trivial change.


How about ipfw and dummynet?  Maybe set up pipes for p2p traffic?
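As an added illustration of the distinction Peter draws above (not code from this thread or from FreeBSD), the following script models two timers over a few constructed flow records: the stateful-inspection idle timeout, which is reset by every valid packet, and a connection-age timer that starts when the connection is set up and is never reset. Flows whose age exceeds a threshold are mapped to dummynet pipe commands of the kind John suggests. The thresholds, pipe number, bandwidth and the flow records are all assumptions chosen for the example; the ipfw command strings are only generated, not executed, and stand in for the per-connection age match that the thread notes ipfw does not provide.

```python
"""Added example: idle timeout versus connection age for firewall policy.

Assumptions (not from the mailing list): the thresholds, the dummynet pipe
number and bandwidth, and the sample flows are all constructed for this demo.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 300    # seconds of silence before a stateful entry is discarded
MAX_AGE = 3600        # seconds since setup after which a flow is throttled
PIPE_NUMBER = 1       # hypothetical dummynet pipe receiving throttled traffic
PIPE_BANDWIDTH = "256Kbit/s"


@dataclass
class Flow:
    """One tracked connection, as a stateful firewall would record it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    established: int  # epoch seconds when the handshake completed
    last_seen: int    # epoch seconds of the most recent valid packet

    def key(self) -> str:
        return f"{self.src}:{self.sport}->{self.dst}:{self.dport}"


def idle_expired(flow: Flow, now: int, idle_timeout: int = IDLE_TIMEOUT) -> bool:
    """Stateful-inspection view: only the silence since the last packet counts.
    A busy long-lived connection never trips this timer."""
    return now - flow.last_seen > idle_timeout


def age_exceeded(flow: Flow, now: int, max_age: int = MAX_AGE) -> bool:
    """Age-based view: time since setup, never reset by traffic."""
    return now - flow.established > max_age


def classify(flows: list[Flow], now: int) -> dict[str, str]:
    """Map each flow to the action a firewall with both timers would take."""
    result = {}
    for f in flows:
        if idle_expired(f, now):
            result[f.key()] = "drop-state"   # ordinary stateful expiry
        elif age_exceeded(f, now):
            result[f.key()] = "throttle"     # long-lived: lower priority
        else:
            result[f.key()] = "normal"
    return result


def dummynet_rules(flows: list[Flow], now: int, rule_number: int = 1000) -> list[str]:
    """Produce ipfw/dummynet commands that send aged flows through a pipe.
    Rule syntax follows ipfw(8); the commands are strings only, not executed."""
    rules = [f"ipfw pipe {PIPE_NUMBER} config bw {PIPE_BANDWIDTH}"]
    for f in flows:
        if classify([f], now)[f.key()] == "throttle":
            rules.append(
                f"ipfw add {rule_number} pipe {PIPE_NUMBER} {f.proto} "
                f"from {f.src} {f.sport} to {f.dst} {f.dport}"
            )
            rule_number += 1
    return rules


# Constructed sample state table (RFC 5737 documentation addresses).
NOW = 100_000
SAMPLE_FLOWS = [
    # Fresh web connection: young and active.
    Flow("tcp", "192.0.2.10", 50123, "198.51.100.80", 80, 99_900, 99_990),
    # Long-running, continuously active transfer: idle timer never fires.
    Flow("tcp", "192.0.2.10", 51413, "198.51.100.20", 6881, 90_000, 99_995),
    # Young but silent session: ordinary idle expiry catches it.
    Flow("tcp", "192.0.2.11", 40001, "198.51.100.22", 22, 99_000, 99_000),
]

if __name__ == "__main__":
    for key, action in classify(SAMPLE_FLOWS, NOW).items():
        print(f"{key:40} {action}")
    print("\n".join(dummynet_rules(SAMPLE_FLOWS, NOW)))
```

Running the script shows the second flow being classified as "throttle" even though its idle timer is only five seconds old, which is exactly why a reset-on-packet timeout cannot express the policy Brett asked for.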
