RFC: Add creation time to dynamic firewall rules

Gleb Smirnoff glebius at freebsd.org
Thu Nov 25 06:12:43 PST 2004


On Wed, Nov 24, 2004 at 01:12:28PM -0800, David Schwartz wrote:
D> 	FreeBSD does not keep track of the time a dynamic firewall was created in
D> the structure associated with that rule. It looks like it would take less
D> than an hour to code up a patch to keep this information and add a flag to
D> ipfw to display how many seconds old the rule is instead of the usage time.
D> 
D> 	I want this addition for two reasons:
D> 
D> 	1) Being able to know how old a connection is gives you important
D> information about its stability.
D> 
D> 	2) By dividing the number of bytes by the connection age, you can
D> guesstimate the approximate bandwidth usage of the connection.
D> 
D> 	I could easily make this change locally and maintain it as a local patch,
D> but would prefer to see it accepted into the general distribution. Does
D> anyone have any comments as to whether such a patch would be likely to be
D> accepted?
D> 
D> 	The cost is, essentially, an extra 4 bytes for each dynamic firewall rule.
D> A large firewall might have 10,000 dynamic rules, which would be 40Kb. A
D> typical firewall might have 300, which would be 1Kb or so. (It might
D> actually be a bit more or less, I haven't looked at slack space.)

This is not an answer to your question, but you can obtain such information for
all running network flows if you run ng_netflow. NetFlow is a standard tool
for monitoring.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
