From: jeremie le-hen
To: freebsd-ipfw@freebsd.org
cc: Oliver Fromme
Date: Sun, 21 Sep 2003 13:02:49 +0200
Subject: Re: ssh/scp filtering, iplen problem
Message-ID: <20030921110249.GA28474@carpediem.epita.fr>
In-Reply-To: <200309201510.h8KFAOxL062601@lurza.secnetix.de>

> However, the obvious problem is that scp uses the ssh
> protocol, so it's on the same port. So my idea was to
> differentiate them by the size of the packets. The scp
> packets usually use the full MTU size (1500), while the
> interactive ssh packets are typically much smaller.

It was my first idea too for traffic scheduling, but when I tried this tricky way I found that when I refreshed the screen or executed "ls -lR", the resulting ssh packets were quite enormous (e.g. the MSS size) and so they were understood as being scp packets. They were therefore scheduled as the latter, making the ssh session unusable.
I told myself that this problem should be quite common and so there were necessarily some efficient workarounds. And then I foresaw that ssh traffic which has a terminal attached to it (e.g. interactive ssh traffic) got the "lowdelay" value in its IP TOS field, and the ssh traffic which does not (usually scp or ssh with a command given to be executed instead of a shell) got the "throughput" value. IIRC, only SSH tunnels don't have any TOS value.

Finally, supposing you have 100KBit/s of bandwidth, you can use this (in the real world, you would certainly take care of traffic direction):

    # scp: bulk traffic, marked "throughput" by ssh
    pipe 1 config bw 90KBit/s
    add pipe 1 tcp from any to any dst-port 22 iptos throughput
    add pipe 1 tcp from any to any src-port 22 iptos throughput

    # ssh: interactive traffic, marked "lowdelay" by ssh
    # (the original post said "pipe 1" here, which would have sent
    # everything through the scp pipe; the ssh rules must use pipe 2)
    pipe 2 config bw 10KBit/s
    add pipe 2 tcp from any to any dst-port 22 iptos lowdelay
    add pipe 2 tcp from any to any src-port 22 iptos lowdelay

Regards,
-- 
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr
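The classification the ruleset above performs, as an added example that is not part of the post: a small IPv4/TCP header parser that maps a packet to the same dummynet pipe the ipfw rules would choose, based on port 22 in either direction and the TOS bits. The TOS constants are the RFC 1349 values that ipfw's "iptos lowdelay" / "iptos throughput" keywords match; the packets are constructed inline for testing and the addresses are made up.

```python
import struct

# IPv4 Type-of-Service bits (RFC 1349); these are what ipfw's
# "iptos lowdelay" and "iptos throughput" keywords test for.
IPTOS_LOWDELAY = 0x10
IPTOS_THROUGHPUT = 0x08
SSH_PORT = 22

# Pipe numbers from the ruleset: 1 = bulk (scp), 2 = interactive (ssh).
PIPE_SCP = 1
PIPE_SSH = 2


def classify(packet: bytes):
    """Return the pipe an IPv4/TCP packet would be sent to by the ruleset,
    or None when no rule matches (non-TCP, not port 22, no TOS bit set)."""
    if len(packet) < 20:
        return None
    ver_ihl, tos, _tot, _id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:          # IPv4 carrying TCP only
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:        # need the TCP port fields
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if SSH_PORT not in (sport, dport):           # "src-port 22" / "dst-port 22"
        return None
    # The TOS byte is written by the sending host, so this is a scheduling
    # hint from the endpoint, not a property the firewall can rely on.
    if tos & IPTOS_THROUGHPUT:
        return PIPE_SCP
    if tos & IPTOS_LOWDELAY:
        return PIPE_SSH
    return None                                  # e.g. an ssh tunnel with no TOS value


def build_packet(tos: int, sport: int, dport: int, proto: int = 6) -> bytes:
    """Constructed IPv4 + TCP header (no payload, zero checksums) for testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for name, pkt in [("scp", build_packet(IPTOS_THROUGHPUT, 40000, 22)),
                      ("interactive ssh", build_packet(IPTOS_LOWDELAY, 22, 40000)),
                      ("ssh tunnel", build_packet(0, 40000, 22))]:
        print(f"{name}: pipe {classify(pkt)}")
```

Because the marking comes from the endpoint, this separates traffic classes for scheduling only; a peer that sets a different TOS value simply lands in the other pipe, or in neither.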