On 2006/06/13 08:26, Jeff Quast wrote:
> On 6/13/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> >
> > On 2006/06/13 12:26, Martin Toft wrote:
> > > Spruell, Darren-Perot wrote:
> > > > Maybe a better-designed application wouldn't have to make use of such a
> > > > clusterbag of ports in the first place?
> > >
> > > The ports do not belong to a single application. I operate a gateway and
> > > want to give high priority to legitimate protocols and low priority to
> > > everything else. At the moment I have chosen this long list of
> > > "legitimate" ports:
> >
> > Non-legitimate apps will also use these ports. You can't e.g. replicate
> > what ellacoya boxes do just using PF.
>
> Maybe this can be shortened to the classical idea of ports <1024 being
> authoritative internet daemons,
> < 1024 high priority
> > 1024 low priority, except...
Depends what you're trying to do, but if it's e.g. throttling p2p users, that's only going to be of limited help. Relying on the side-behaviour of 'lots-of-connections' often seen with some protocols you might want to restrict, but not so often seen from a legitimate client, you have the option of using max-src-states and throttling hosts in the overload table. Care and attention are required, though.
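As an added illustration of the approach described in the reply above (not code from the thread), a pf.conf fragment in the ALTQ syntax of that era that pairs port-based queue assignment with max-src-states and an overload table; interface names, the internal network, the port list and the 200-state threshold are constructed placeholders:

```pf
# Constructed example: interface, network, ports and threshold are placeholders.
ext_if      = "em0"
int_if      = "em1"
int_net     = "192.168.1.0/24"
legit_ports = "{ 22, 25, 53, 80, 443 }"

# Upload shaping on the external interface. q_low has no 'borrow', so a
# throttled host is hard-capped and cannot soak up idle bandwidth.
altq on $ext_if cbq bandwidth 10Mb queue { q_pri, q_def, q_low }
queue q_pri bandwidth 40% priority 7 cbq(borrow)
queue q_def bandwidth 50% priority 4 cbq(borrow, default)
queue q_low bandwidth 10% priority 0

# Sources that exceed the state limit are added here; entries persist until
# removed explicitly (see note below).
table <throttled> persist

# Default traffic: medium priority. Source tracking is global so the limit
# counts states created by both rules below. A host holding more than 200
# states is added to <throttled> and its existing states are flushed, so its
# reconnects are re-evaluated against the last rule.
pass in on $int_if from $int_net to any \
    keep state (source-track global, max-src-states 200, \
                overload <throttled> flush) queue q_def

# "Legitimate" ports get high priority, but under the same state limit: a
# client piling up hundreds of connections on port 80 still trips the overload.
pass in on $int_if proto tcp from $int_net to any port $legit_ports \
    keep state (source-track global, max-src-states 200, \
                overload <throttled> flush) queue q_pri

# Last matching rule wins: any new state from a throttled host, whatever the
# port, is assigned the hard-capped low-priority queue. The queue takes effect
# on the packets leaving via $ext_if.
pass in on $int_if from <throttled> to any keep state queue q_low
```

Addresses added by overload do not age out on their own; something like `pfctl -t throttled -T expire 3600` from cron removes hosts that have been quiet for an hour.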

