Sten Spans wrote:
> On Wed, 15 Sep 2004, Eric W. Bates wrote:
>
>> That looks good. I should have RTFM.
>>
>> Is it reasonable to try something like:
>>
>> ipfw add allow tcp from evil/24 to any dst-port 80 setup limit src-addr 100
>>
>> Anyone ever figured out what the average/max number of simultaneous
>> dynamic rules needed to support an http session?


> Normally an http request is one tcp connection,
> some browsers open more connections to speed things up.
> You could add special rules for avupdate-host.norton.com
> or somesuch.
>
> An even better solution would be a (transparent) proxy
> setup, with allow rules for *.norton.com in the proxy
> software.
> The kind of restrictions you are trying to enforce are
> quite a bit easier to achieve with proper userland
> proxy software.


Excellent idea. There is already a squid running on that machine. Can I force a client to use a proxy with:


ipfw add forward myhost tcp from evil/24 to not myhost dst-port 3128

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
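The setup Sten suggests, as an added example that is not from either poster: an ipfw rule set that diverts the restricted network's HTTP into a local Squid, keeps the per-source session cap from Eric's first rule for clients that talk to the proxy port directly, and a Squid 2.5-style config fragment that lets only *.norton.com through. The interface name, the 192.0.2.0/24 stand-in for "evil/24", the rule numbers and the Squid directives are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: inside interface fxp0,
# the "evil/24" network is 192.0.2.0/24 (constructed), Squid listens on
# port 3128 on this host, and the kernel has options IPFIREWALL_FORWARD.
EVIL_NET="${EVIL_NET:-192.0.2.0/24}"
INT_IF="${INT_IF:-fxp0}"
SQUID_PORT="${SQUID_PORT:-3128}"
MAX_CONN="${MAX_CONN:-100}"   # dynamic rules (sessions) allowed per client address
IPFW="${IPFW:-ipfw}"          # set IPFW=echo to print the rules instead of loading them

rules() {
    # Plain HTTP from the restricted net is diverted into the local Squid.
    # fwd terminates the rule search, so no later rule sees these packets.
    "$IPFW" add 1000 fwd 127.0.0.1,"$SQUID_PORT" tcp from "$EVIL_NET" to any dst-port 80 in via "$INT_IF"
    # Clients configured to use the proxy explicitly: allow the SYN, keep
    # state, and cap the number of live sessions per source address.
    "$IPFW" add 1010 allow tcp from "$EVIL_NET" to me dst-port "$SQUID_PORT" setup limit src-addr "$MAX_CONN"
    # Anything that was not diverted (e.g. arrived on another interface)
    # must not reach web servers directly; the proxy is the only way out.
    "$IPFW" add 1020 deny tcp from "$EVIL_NET" to any dst-port 80
}

# Squid 2.5-style directives (assumption) that accept the diverted traffic
# as a transparent accelerator and allow only the Norton update hosts.
squid_conf() {
    cat <<EOF
http_port $SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl evilnet src $EVIL_NET
acl norton dstdomain .norton.com
http_access allow evilnet norton
http_access deny evilnet
EOF
}

case "${1:-}" in
    apply) rules ;;       # load the rules into the running firewall
    squid) squid_conf ;;  # emit the fragment to append to squid.conf
esac
```

Run `IPFW=echo sh thisscript.sh apply` first to review the rules before loading them; `sh thisscript.sh squid` prints the Squid fragment.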