OpenBSD Journal

New pf feature: TCP connection rate tracking

Contributed by mk/reverse on from the not-so-fast-buddy dept.

"Jona/BSD" notified us that Ryan Thomas McBride committed some additional features to our favourite packet filter which make it possible to limit both TCP connection count and connection establishment rate based on the source address.

Find the commit messages for the kernel part and the userland part on MARC.

This looks really interesting, so do some testing. Remember to report all problems you might encounter, but try doing some debugging on your own first.
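To show how the new per-source limits fit into a ruleset, here is an added pf.conf fragment (not part of the story or the commit; the interface name `em0`, the service and the limit values are assumptions, while the `<bad>` table name is taken from the discussion below):

```pf
# Added example, not from the story or the commit. $ext_if, the
# port and the limit values are assumptions chosen for illustration.
ext_if = "em0"

# Table that the overload clause fills with offending source addresses.
table <bad> persist

# Block offenders first. 'quick' stops rule evaluation, so the pass
# rule below never matches a source that is already in <bad>.
block in quick on $ext_if from <bad>

# Allow SSH, but per source address permit at most 10 concurrent
# connections and at most 5 new connections in any 30-second window.
# Exceeding either limit adds the source to <bad>; 'flush global'
# also kills the existing states of that source (from any rule).
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bad> flush global)
```

Entries stay in `<bad>` until removed (`pfctl -t bad -T show` lists them, `pfctl -t bad -T delete <addr>` removes one), so check the table when a legitimate host behind a NAT gateway suddenly loses access.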



Comments
  1. By Anonymous Coward (24.102.88.31) on

    Very cool!

    I assume <bad> can be defined as "not <good>" too. Some of us prefer to use whitelisting.

    Comments
    1. By Michael Knudsen (217.157.199.114) on

      > I assume <bad> can be defined as "not <good>" too. Some of us
      > prefer to use whitelisting.

      You're confusing things. <bad> (or whatever you choose) is the table to which violators' IP addresses are added. This is essentially a blacklisting approach.

  2. By Sven (80.126.65.121) on

    Here's the correct link for the kernel part

    Comments
    1. By Michael Knudsen (217.157.199.114) on

      Whoops, I've updated the link in the story now. Thanks for pointing this out. I wrongfully assumed that the submitted link was to the first commit, i.e. the kernel part of the change.

  3. By Anonymous Coward (24.201.62.155) on

    Damn, OpenBSD and stuff never fails to amaze and impress me! Now if only large corporations (Cisco, MS, etc. etc.) would openly donate resources and/or money for such a good cause, it would be great for them (perhaps marketing-wise), for *BSD, Linux, and well, for everyone else too!

    Comments
    1. By James (151.203.124.250) on

      They have no reason to donate to a free alternative to their stuff.

      Comments
      1. By Anonymous Coward (24.201.62.155) on

        I understand your point, which is true, but then there's always things such as OpenSSH...

        Comments
        1. By James (151.203.124.250) on

          I understand this to be a situation where it's OpenSSH included in a proprietary product. If you mean to say it'd be nice if the vendors used pf instead of their packet filter, I think this is different because with OpenSSH, it's a nice addition to their OS, which is the main product, where the packet filtering system _IS_ the reason you'd buy a cisco firewall. If Cisco's was the same as everyone else's, they've got no edge.

          Comments
          1. By Anonymous Coward (69.197.92.181) on

            The only edge cisco has is having brain washed PHBs into thinking cisco makes good products. From a technical standpoint, cisco does not make the best product under any category, with the possible exception of very high end multi-Gbps routers, depending on the day.

            Comments
            1. By Anonymous Coward (68.165.27.173) on

              If Juniper is doing that good, it's because of the incompetence of Cisco.

            2. By James (151.203.124.250) on

              That doesn't have anything to do with how businesses think about whether or not to include software in their systems.

              Comments
              1. By Anonymous Coward (69.197.92.181) on

                And? You claimed cisco would have no edge. The fact is, cisco does not have a technology edge, they could use anything and it would not matter at all, their edge is in the minds of management types with too much money on their hands.

                Comments
                1. By James (129.10.214.125) on

                  I was claiming that the edge is that they're unique in some way, not that the technology is better. Being unique is essential if you plan to convince customers your stuff is better than someone else's.

                  Comments
                  1. By Anonymous Coward (69.197.92.181) on

                    No, it isn't. That's the whole point. The customers that buy cisco don't know or care what is in a cisco. Oddly, people still buy pix even though it's just a really low end PC with crappy filtering software. Unique has nothing to do with it, mindshare is their only edge.

  4. By Anonymous Coward (69.132.141.94) on

    While we're on this topic, does anyone know if the pf synproxy fix will be available as a patch on errata.html?

    Comments
    1. By jtorin (194.103.189.24) on

      Well, why don't you download the latest version yourself and recompile?

  5. By Ondrej Suchy (194.108.74.252) ondrej.suchy@logios.cz on http://www.logios.cz/

    The CVS commit message incorrectly uses the keyword "overflow". Correct keyword is "overload". Ondrej

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]