On 7/27/07, Mark Webb <[EMAIL PROTECTED]> wrote:
>
> You are correct. There is no difference between listening on port 80
> versus listening on any other port. I was just providing the example of
> a web server. Any program could be listening on any port; if the
> firewall allows a certain port in order to connect to the server-based
> application inside the firewall, that application could be subjected to
> a Denial-of-Service attack if the ConnectionThrottleFilter were not in
> place.
>
> As for the Blacklist filter, this is more like what a traditional
> firewall would provide. You could specify that hosts A and B can connect
> to your server, but not any other hosts. The advantage over most
> firewalls is that the BlacklistFilter can have its list updated without
> requiring a restart of the application.

Marc,

This can also be done with MINA. In fact, we have implemented a MINA
AccessFilter that reads its allowed/disallowed addresses from a database,
and users can request that the filter re-reads the list at runtime.

Maarten

On 7/26/07, mat <[EMAIL PROTECTED]> wrote:
>
> What's the difference between listening on port 80 or another port? Can
> you explain more on this one? Thanks.
>
> On 7/21/07, Mark Webb <[EMAIL PROTECTED]> wrote:
> >
> > What about a scenario where port 80 is open on the firewall, and a
> > malicious person is attempting a DDoS on the server listening on
> > port 80?
> >
> > I do not think all (maybe not any) firewalls can protect against that.
> >
> > On 7/20/07, mat <[EMAIL PROTECTED]> wrote:
> > >
> > > Now I wonder whether ConnectionThrottleFilter could be done in most
> > > firewalls?
> > >
> > > On 7/13/07, Mark <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I like that idea. I also agree with Mat, and a firewall *should*
> > > > handle the blacklisting, but defense-in-depth is something I
> > > > strongly believe in.
> > > >
> > > > On 7/11/07, Trustin Lee <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > On 7/12/07, Mark <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > Not sure I agree.
> > > > > >
> > > > > > Blacklisting a host is analogous to a firewall operation in
> > > > > > that the administrator of a MINA-based application would
> > > > > > determine which hosts can connect to the application. The
> > > > > > ConnectionThrottleFilter is designed to block host connections
> > > > > > when they try and connect too quickly, like in the case of a
> > > > > > denial-of-service attack.
> > > > > >
> > > > > > I could understand combining code via a shared parent class.
> > > > > > There was talk of even extending the ConnectionThrottleFilter
> > > > > > further by keeping a host in the 'block' list for a
> > > > > > configurable amount of time.
> > > > >
> > > > > I think what differs is a policy. If the policy is pre-programmed
> > > > > or permanent, it's what BlacklistFilter does. Otherwise, it's what
> > > > > ConnectionThrottleFilter is supposed to do. Probably we could
> > > > > create some generic filter for which the user can specify a
> > > > > certain policy. For example:
> > > > >
> > > > >     ConnectionThrottlePolicy p = ...;
> > > > >     ConnectionThrottleFilter f = new ConnectionThrottleFilter(p);
> > > > >
> > > > > Trustin
> > > > > --
> > > > > what we call human nature is actually human habit
> > > > > --
> > > > > http://gleamynode.net/
> > > > > --
> > > > > PGP Key ID: 0x0255ECA6
> > > >
> > > > --
> > > > ..Cheers
> > > > Mark
> >
> > --
> > ..Cheers
> > Mark
>
> --
> ..Cheers
> Mark
>
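The design sketched in this thread (one generic filter taking a pluggable policy, a static blacklist that can be reloaded without a restart, and a throttle that keeps a fast-reconnecting host blocked for a configurable time) is illustrated below. This is an added example in Python, not MINA's own code; the class and method names (`PolicyFilter`, `session_created`, `allow`, `update`) are assumptions chosen for the illustration, and the host addresses are constructed.

```python
import time
from typing import Dict, Iterable, Optional, Protocol, Set


class ConnectionPolicy(Protocol):
    """Decides whether a new connection from `host` is accepted at time `now`."""
    def allow(self, host: str, now: float) -> bool: ...


class BlacklistPolicy:
    """Static, pre-programmed policy: reject listed hosts.
    The list can be replaced at runtime, no restart required."""
    def __init__(self, blocked: Iterable[str] = ()) -> None:
        self._blocked: Set[str] = set(blocked)

    def update(self, blocked: Iterable[str]) -> None:
        self._blocked = set(blocked)

    def allow(self, host: str, now: float) -> bool:
        return host not in self._blocked


class ConnectionThrottlePolicy:
    """Dynamic policy: a host that reconnects faster than allowed_interval
    seconds is placed on the block list for block_duration seconds."""
    def __init__(self, allowed_interval: float, block_duration: float) -> None:
        self.allowed_interval = allowed_interval
        self.block_duration = block_duration
        self._last_seen: Dict[str, float] = {}
        self._blocked_until: Dict[str, float] = {}

    def allow(self, host: str, now: float) -> bool:
        if self._blocked_until.get(host, 0.0) > now:
            return False  # still serving its block period
        last = self._last_seen.get(host)
        self._last_seen[host] = now
        if last is not None and now - last < self.allowed_interval:
            self._blocked_until[host] = now + self.block_duration
            return False  # too fast: block for the configured duration
        return True


class PolicyFilter:
    """Generic filter (hypothetical name): one connection hook, any policy."""
    def __init__(self, policy: ConnectionPolicy) -> None:
        self.policy = policy

    def session_created(self, host: str, now: Optional[float] = None) -> bool:
        """Return True to accept the new session, False to reject it."""
        now = time.monotonic() if now is None else now
        return self.policy.allow(host, now)
```

Passing an explicit `now` makes the throttle decisions deterministic for testing; in a server the call would simply be `filter.session_created(remote_host)`.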
