Late reply due to mail server problems at my ISP...

Stuart Henderson wrote:
> Depends what you're trying to do, but if it's e.g. throttling p2p users, that's only going to be of limited help.
I haven't tried the approach yet and, like you, I'm in doubt about its ability to throttle p2p. However, the idea isn't pulled out of the sky: using 'pfctl -ss' on my gateway, I've discovered that a high percentage (>90%) of the connections suspected to be p2p go out to completely random ports, mostly above 1024. (These days, users of bittorrent have to choose non-standard ports due to tracker rules, which entails a quite uniform distribution.) My goal isn't to throttle every single p2p connection, just a big enough percentage of them.
> Relying on the side-behaviour of 'lots-of-connections' often seen with some protocols you might want to restrict, but not so often seen from a legitimate client, you have the option of using max-src-states and throttling hosts in the overload table. Care and attention are required though.
Nice idea, even though it's a bit more advanced. Thanks :)

/Martin
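The two ideas from the thread combined into one pf.conf fragment, as an added example that is not from either poster: the high-port heuristic feeds an overload table, and hosts in that table get a slow queue instead of being blocked. It assumes the queue syntax of OpenBSD 5.5 and later, placeholder interface and network names, and no NAT on the gateway; note that pf.conf(5) drives overload from max-src-conn / max-src-conn-rate, so those limits are used here rather than max-src-states.

```pf
# Added example, not from the thread. Placeholder names:
ext_if  = "em0"
lan_net = "192.168.1.0/24"

# Hosts suspected of p2p end up here; 'persist' keeps the table across reloads.
table <p2p_suspects> persist

# One small queue for suspects, a default queue for everyone else.
# (queue syntax of OpenBSD 5.5+, assumed here; adjust to the real uplink)
queue rootq on $ext_if bandwidth 10M max 10M
queue std   parent rootq bandwidth 9M default
queue slow  parent rootq bandwidth 512K max 1M

# New connections from anything already in the table go to the slow queue.
match out on $ext_if from <p2p_suspects> set queue slow

# Martin's heuristic: outbound TCP to random ports above 1024.
# A LAN host holding more than 50 such connections at once, or opening
# more than 30 of them per minute, is added to <p2p_suspects>.
# No 'flush' keyword, so existing connections are throttled, not killed.
pass out on $ext_if proto tcp from $lan_net to any port > 1024 \
    keep state (max-src-conn 50, max-src-conn-rate 30/60, \
    overload <p2p_suspects>)

# Everything else from the LAN (well-known ports, UDP, ...) is unaffected.
pass out on $ext_if from $lan_net
```

Entries stay in the table until removed, so a periodic `pfctl -t p2p_suspects -T expire 3600` from cron gives a host its full bandwidth back an hour after it last tripped the limit; raise or lower the thresholds after watching `pfctl -t p2p_suspects -T show` for a while, since a busy web client can also hit them.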