You are correct. There is no difference between listening on port 80 versus listening on any other port. I was just providing the example of a web server. Any program could be listening on any port. If the firewall allows a certain port in order to connect to the server-based application inside the firewall, that application could be subjected to a Denial-Of-Service attack if the ConnectionThrottleFilter were not in place.

As for the BlacklistFilter, this is more like what a traditional firewall would provide. You could specify hosts A and B can connect to your server, but not any other hosts. The advantage over most firewalls is that the BlacklistFilter can have its list updated without requiring a restart of the application.

On 7/26/07, mat <[EMAIL PROTECTED]> wrote:
> What's the difference between listening on port 80 or other port? Can you
> explain more on this one? Thanks.
>
> On 7/21/07, Mark Webb <[EMAIL PROTECTED]> wrote:
> >
> > What about a scenario where port 80 is open on the firewall, and a
> > malicious person is attempting a DDoS on the server listening on port 80?
> >
> > I do not think all (maybe not any) firewalls can protect against that.
> >
> > On 7/20/07, mat <[EMAIL PROTECTED]> wrote:
> > >
> > > Now I wonder whether ConnectionThrottleFilter could be done in most
> > > Firewall?
> > >
> > > On 7/13/07, Mark <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I like that idea. I also agree with Mat and a firewall *should* handle
> > > > the blacklisting, but defense-in-depth is something I strongly believe in.
> > > >
> > > > On 7/11/07, Trustin Lee <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > On 7/12/07, Mark <[EMAIL PROTECTED]> wrote:
> > > > > > Not sure I agree.
> > > > > >
> > > > > > Blacklisting a host is analogous to a firewall operation in that the
> > > > > > administrator of a MINA-based application would determine which hosts
> > > > > > can connect to the application. The ConnectionThrottleFilter is
> > > > > > designed to block host connections when they try and connect too
> > > > > > quickly, like in the case of a denial-of-service attack.
> > > > > >
> > > > > > I could understand combining code via a shared parent class. There
> > > > > > was talk of even extending the ConnectionThrottleFilter further by
> > > > > > keeping a host in the 'block' list for a configurable amount of time.
> > > > >
> > > > > I think what differs is a policy. If the policy is pre-programmed or
> > > > > permanent, it's what BlacklistFilter does. Otherwise, it's what
> > > > > ConnectionThrottleFilter is supposed to do. Probably we could create
> > > > > some generic filter that the user can specify a certain policy. For
> > > > > example:
> > > > >
> > > > >     ConnectionThrottlePolicy p = ...;
> > > > >     ConnectionThrottleFilter f = new ConnectionThrottleFilter(p);
> > > > >
> > > > > Trustin
> > > > > --
> > > > > what we call human nature is actually human habit
> > > > > --
> > > > > http://gleamynode.net/
> > > > > --
> > > > > PGP Key ID: 0x0255ECA6
> > > >
> > > > --
> > > > ..Cheers
> > > > Mark
> >
> > --
> > ..Cheers
> > Mark

--
..Cheers
Mark
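The policy split the thread arrives at (a permanent BlacklistFilter that can be edited without a restart, beside a ConnectionThrottleFilter that temporarily refuses hosts connecting too quickly, with the configurable hold time Mark mentions) as a small Python model added for this page; it is not MINA's Java code, and the class names, thresholds and the injectable clock are assumptions made for the example.

```python
import time
from collections import deque

class ConnectionThrottlePolicy:
    """Temporary block: a host opening more than max_connections within window_s
    seconds is refused for block_s seconds. clock is injectable (an assumption
    for testability), defaulting to time.monotonic."""
    def __init__(self, max_connections=3, window_s=1.0, block_s=30.0, clock=time.monotonic):
        self.max_connections, self.window_s, self.block_s = max_connections, window_s, block_s
        self.clock = clock
        self._recent = {}         # host -> deque of recent connect timestamps
        self._blocked_until = {}  # host -> time at which its block expires

    def allow(self, host):
        now = self.clock()
        expiry = self._blocked_until.get(host)
        if expiry is not None:
            if now < expiry:
                return False      # still inside the configurable block period
            del self._blocked_until[host]
        q = self._recent.setdefault(host, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()           # forget attempts older than the window
        if len(q) > self.max_connections:
            self._blocked_until[host] = now + self.block_s
            q.clear()
            return False
        return True

class BlacklistPolicy:
    """Permanent block: a deny list the administrator edits while running."""
    def __init__(self, hosts=()):
        self._hosts = set(hosts)
    def block(self, host):        # hot update, no restart of the application
        self._hosts.add(host)
    def unblock(self, host):
        self._hosts.discard(host)
    def allow(self, host):
        return host not in self._hosts

class ConnectionFilter:
    """Stands in for the filter's session-created hook: every policy must allow
    the remote host, otherwise the new session would be closed."""
    def __init__(self, *policies):
        self.policies = policies
    def accept(self, host):
        return all(p.allow(host) for p in self.policies)
```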
