On Thursday, November 11, 2004 05:36:06 +1100 Peter Jeremy <PeterJeremy@optushome.com.au> wrote:
> On Wed, 2004-Nov-10 13:23:21 +0200, Vlad GALU wrote:
>> On Tue, 9 Nov 2004 20:10:30 -0700 (MST), Brett Glass <brett@lariat.org> wrote:
>>> I'm interested in crafting firewall rules that throttle connections
>>> that have lasted more than a certain amount of time. (Most such
>>> connections are P2P traffic, which should be given a lower priority
>>> than other connections and may constitute network abuse.) Alas, it
>>> doesn't appear that FreeBSD's IPFW can keep tabs on how long a
>>> connection has been established. Is there another firewall for
>>> FreeBSD that can?
>>
>> All firewalls in FreeBSD can, actually. It's part of the stateful
>> inspection feature. The only thing they lack is a match parameter
>> based on the timer.
>
> That's a bit of a stretch. Stateful inspection associates a single
> timeout with each connection. The timeout is reset when a valid
> packet is seen on that connection and the connection blocked if the
> timeout expires.
>
> Brett needs a timeout that is initialised when the connection is set up
> and not reset. When it expires, you need to perform some different
> action rather than just block the connection. You might be able to
> reuse some of the existing stateful inspection code but I don't
> believe it's a trivial change.
How about ipfw and dummynet? Maybe set up pipes for p2p traffic?
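The dummynet suggestion above, carried out as an added example that is not part of the original message or of any FreeBSD documentation: a POSIX shell script that generates an ipfw ruleset sending traffic on well-known P2P ports through bandwidth-limited dummynet pipes, keyed per LAN host with `mask` so one peer cannot consume the whole allowance. The LAN prefix (192.168.1.0/24), the port list (BitTorrent 6881-6889 and eDonkey 4662) and the 256Kbit/s ceiling are assumptions chosen for illustration; the function and variable names are mine. Note that this classifies by port, not by connection age, so it does not give Brett the "how long has this connection been up" match that the thread says ipfw lacks.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw + dummynet ruleset that sends
# traffic on well-known P2P ports through a bandwidth-limited pipe, with one
# dynamic sub-pipe per LAN host so a single peer cannot starve the others.
# The LAN prefix, port list and bandwidth figure are assumptions for
# illustration, not values from the original message.

LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed inside network
P2P_PORTS="${P2P_PORTS:-6881-6889,4662}"   # assumed: BitTorrent and eDonkey defaults
P2P_BW="${P2P_BW:-256Kbit/s}"              # assumed ceiling per LAN host, each direction
PIPE_IN=1                                  # pipe numbers are arbitrary
PIPE_OUT=2

# Emit the commands instead of running them, so the ruleset can be reviewed
# or diffed before it touches a live firewall.
gen_p2p_rules() {
    cat <<EOF
# One pipe per direction. 'mask' keys a dynamic sub-pipe on the LAN address,
# so the bandwidth cap applies per host rather than to all P2P traffic at once.
ipfw pipe $PIPE_IN config bw $P2P_BW queue 20 mask dst-ip 0xffffffff
ipfw pipe $PIPE_OUT config bw $P2P_BW queue 20 mask src-ip 0xffffffff
EOF
    rule=1000
    for proto in tcp udp; do
        cat <<EOF
# $proto: cover both our own listeners and connections we open to remote peers
ipfw add $rule pipe $PIPE_OUT $proto from $LAN_NET to any $P2P_PORTS out
ipfw add $((rule + 10)) pipe $PIPE_OUT $proto from $LAN_NET $P2P_PORTS to any out
ipfw add $((rule + 20)) pipe $PIPE_IN $proto from any to $LAN_NET $P2P_PORTS in
ipfw add $((rule + 30)) pipe $PIPE_IN $proto from any $P2P_PORTS to $LAN_NET in
EOF
        rule=$((rule + 100))
    done
}

# Number of 'ipfw add' rules the generator produces (handy for sanity checks).
count_add_rules() {
    gen_p2p_rules | grep -c '^ipfw add '
}

# On the FreeBSD box itself: feed the generated commands to the shell.
# With the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe is
# accepted, so place these rules after any deny rules that must still apply.
apply_p2p_rules() {
    gen_p2p_rules | sh
}
```

Run `gen_p2p_rules` first and read the output; `apply_p2p_rules` only on the firewall host. Because the pipes are masked on the LAN address, each inside host gets its own 256Kbit/s allowance per direction rather than all P2P traffic sharing one.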