From owner-freebsd-hackers Thu Jun 8 3:18:53 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id CB44B37BFB4 for ; Thu, 8 Jun 2000 03:18:23 -0700 (PDT) (envelope-from nbm@sunesi.net)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 12zzGU-000ARR-00; Thu, 08 Jun 2000 12:10:18 +0200
Date: Thu, 8 Jun 2000 12:10:18 +0200
From: Neil Blakey-Milner
To: Luigi Rizzo
Cc: Poul-Henning Kamp, Hans Huebner, freebsd-hackers@FreeBSD.ORG
Subject: Re: IP prepaid accounting
Message-ID: <20000608121017.A39941@mithrandr.moria.org>
References: <20000608110055.A38991@mithrandr.moria.org> <200006080943.LAA02967@info.iet.unipi.it>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <200006080943.LAA02967@info.iet.unipi.it>; from luigi@info.iet.unipi.it on Thu, Jun 08, 2000 at 11:43:17AM +0200
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu 2000-06-08 (11:43), Luigi Rizzo wrote:
> sorry if i lost part of the discussion, but why dont you
> just associate a quota with a rule and specify one of the
> two possible results when exceeding quota:
>
> ipfw match-upto 20MB
> ipfw deny-above 20MB
>
> where the first syntax does not match when the rule's counters
> are above the quota, the second one denies the pkt when above quota.
>
> It looks of trivial implementation and rather easy to understand.
> You'd just need a new ipfw command to increase/decrease/set counters to
> a specific value rather than just zero them.

Well, it may or may not be able to cover a situation I'm thinking about now:

You have a server farm, or just a single machine with multiple IP addresses assigned to various jails, and you'd like them to be able to get anywhere. But, always allow traffic to and from a specific set of controlling machines, and also their owner company, and maybe a specified port for some form of VPN.

If they exceed a first level of traffic, a dummynet rule kicks in slowing them down (alternate queueing system quite possibly too) just a bit, and as they break certain levels, slow them down more and more to non-specific sites. The specific sites may or may not contribute to the quota, but must remain available.

Also, there may be a user account on the multi-user machine doing these rules who can log in to the base system to do certain forms of maintenance not easily available in the jail. Traffic caused by this person should also fall within the same quota.

Further, a company may have two IP-based virtual hosts, or two or more servers in the server farm for some reason, sharing the same quota, and so forth.

I just thought that:

ipfw quota 1 config quota 20MB
ipfw add quota 1
ipfw add quota 1
ipfw add quota 1
ipfw add allow ip from any to any uquota 1
ipfw add pipe 1 ip from any to any oquota 1
...

would be the extensible and more useful way of doing this, and most other IP-based quota systems. It also means you can set up your quotas, change the traffic numbers, change the match sets, all without changing your basic firewall rules.

Neil

--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
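To make the proposed semantics concrete, here is a small rule-walk simulator written for this page; it is not ipfw code and not from the thread. It assumes the reading above: a quota is a shared byte budget with its own match sets, `uquota N` matches only while quota N is under its limit, `oquota N` only once it is over, and rules are tried in order with the first match winning. The addresses, limits and the two tiers of pipes are constructed sample values, and whether "always allowed" traffic is charged to the quota is an assumption (here it is).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
MB = 1_000_000

@dataclass
class Quota:
    """A shared byte budget plus the address sets whose traffic is charged to it."""
    limit: int
    members: list = field(default_factory=list)  # ip_network objects: the quota's match sets
    used: int = 0
    def charges(self, src, dst):
        s, d = ip_address(src), ip_address(dst)
        return any(s in n or d in n for n in self.members)

    def over(self):
        return self.used > self.limit

@dataclass
class Rule:
    action: str                  # "allow", "deny", "pipe 1", ...
    src: str = "any"
    dst: str = "any"
    uquota: "int | None" = None  # match only while quota N is still under its limit
    oquota: "int | None" = None  # match only once quota N is over its limit

    def matches(self, quotas, src, dst):
        for spec, addr in ((self.src, src), (self.dst, dst)):
            if spec != "any" and ip_address(addr) not in ip_network(spec):
                return False
        if self.uquota is not None and quotas[self.uquota].over():
            return False
        return self.oquota is None or quotas[self.oquota].over()

def evaluate(rules, quotas, src, dst, nbytes):
    """Charge the packet to every quota whose sets cover it, then apply the first matching rule (ipfw order)."""
    for q in quotas.values():
        if q.charges(src, dst):
            q.used += nbytes
    return next((r.action for r in rules if r.matches(quotas, src, dst)), "deny")

# Constructed sample: two jail addresses share both quota tiers; the controlling host stays reachable.
JAILS, CONTROL = "198.51.100.0/30", "192.0.2.10/32"  # RFC 5737 documentation ranges
def build():
    quotas = {1: Quota(20 * MB, [ip_network(JAILS)]), 2: Quota(40 * MB, [ip_network(JAILS)])}
    rules = [Rule("allow", src=JAILS, dst=CONTROL),  # always allowed, whatever the quota state
             Rule("pipe 2", src=JAILS, oquota=2),    # second tier kicks in above 40MB
             Rule("pipe 1", src=JAILS, oquota=1),    # first tier kicks in above 20MB
             Rule("allow", src=JAILS, uquota=1)]     # unthrottled while under 20MB
    return rules, quotas
```

Because both jail addresses sit in the same member set, traffic from either one draws down the same budget, which is the shared-quota case the mail asks for.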