Date:      Fri, 28 Aug 1998 14:28:50 +0400 (MSD)
From:      "Cyril A. Vechera" <cyril@main.piter.net>
To:        freebsd-isp@FreeBSD.ORG, steven@shellnet.co.uk
Subject:   Re: IPFW and IPLTD
Message-ID:  <199808281028.OAA02520@main.piter.net>

> From owner-freebsd-isp@FreeBSD.ORG Thu Aug 27 18:40:16 1998
> From: steven@shellnet.co.uk (Steven Fletcher)
> To: freebsd-isp@FreeBSD.ORG
> Subject: IPFW and IPLTD
> Date: Thu, 27 Aug 1998 14:00:47 GMT
>
> Hi all
>
> I'm trying to setup some bandwidth limiting procedures for our network
> connection, setting our FreeBSD 3.0-SNAP 04/08 box up with IPFW and
> IPLTD. 
I haven't tested it on 3.0, but I think that all should be right.

>
> I believe that I understand how IPFW works from the basic port
> restriction methods, but I feel a little out of my depth when trying
> to comprehend how IPLTD links in with the ipfw.
>
> What kind of rule will I need to add to the ipfw list in order for
> this to work - and I am also in the belief that ipltd can limit
> traffic on a per-IP/per network card system.... but am still  pretty
> much clueless as to how it integrates with the ipfw.
It's easy: all traffic you want to shape must be diverted to ipltd through
the divert command of ipfw.

You can find some examples in util/ in the ipltd v2.01 distribution.

Here is one complex example:

#!/bin/sh
# set up script for ipfw'n'ipltd

ipfw -f flush

# protect against sendmail DoS attack
# allow only two connections per six seconds - 20 connections per minute
ipfw add 10 divert 2000 tcp from any to MAIL_RELAY smtp setup
ipfw add 11 pass tcp from any to MAIL_RELAY smtp setup
ipltd -c 6000 -p 2 2000

# protect miscellaneous TCP services on BigServer (if not all the
# services are managed by inetd with a connection-per-time limit)
# we will limit to 120 incoming tcp connections per minute (2/sec)
ipfw add 20 divert 2001 tcp from any to BigServer setup
ipfw add 21 pass tcp from any to BigServer setup
ipltd -c 1000 -p 2 2001


# limit squid leeching traffic to 25Kbyte/sec
# we assume that squid is set up on a leased ip-address
# by setting in squid.conf: tcp_outgoing_address squid_ip
# and ed0 is the interface to the Internet
ipfw add 30 divert 2002 tcp from any to squid_ip via ed0 in
ipfw add 31 pass tcp from any to squid_ip via ed0 in
ipltd -o -c 1000 -b 25000 -B 50000 2002

# limit outgoing ftp-traffic (from warez-site :) to inet (Internet - ed0)
# limit is soft: medium value of traffic will be 10Kbyte/sec,
# but maximum rate is not limited, if for this cycle traffic is less
# than the given medium (wrong English?)
# it means that if your gathering cycle is 3 minutes (for limit cycle
# 1000 msec, -c 1000, gathering cycle is 180, -g 180) and for
# 2 minutes there are no bytes through this ipltd, it will pass
# all data with no limits until the number of passed bytes reaches
# the limit of mid cps or the gathering cycle finishes
# if someone can say it more naturally in English, please send me
# your variant :)

ipfw add 40 divert 2003 tcp from warez-site 20 to any via ed0 out
ipfw add 41 pass tcp from warez-site 20 to any via ed0 out
ipltd -o -c 1000 -b 10000 -B 30000 -g 180 2003

# and now we will protect our dialup users from icmp-flood
# assume that 10.0.0.0/28 is our dialup ip
# and max icmp-traffic for this subnet is 1500Kbytes/sec
# -s means that ipltd will NOT send ICMP_SOURCE_QUENCH on limit overrun
ipfw add 50 divert 2004 icmp from any to 10.0.0.0/28 via ed0 in
ipfw add 51 pass icmp from any to 10.0.0.0/28 via ed0 in
ipltd -c 1000 -b 1500 -s 2004

# the end

>
> Could anyone throw any hints my way - as the documentation supplied
> with ipltd seems a little sketchy ;)
need help because of my English :)



Sincerely yours,
	Cyril A. Vechera

email:cyril@piter.net          ---------              http://sply.piter.net

>
> Thanks;
>
> -Steven Fletcher (steven@shellnet.co.uk)
> Shellnet - http://www.shellnet.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>
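
Added example, not part of the original message and not from the ipltd distribution: a small lint for a setup script like the one above. ipfw drops packets diverted to a port with no socket bound, so every divert port needs a running ipltd, and the script above pairs each divert rule with a pass rule of the same match. The function names and the sample input are constructed; the parsing assumes the divert port is the last ipltd argument, as in the examples above.

```sh
#!/bin/sh
# Lint an ipfw + ipltd setup script (added example; assumes the rule layout
# used in this message: "ipfw add N divert PORT <match>" and
# "ipltd <options> PORT" with the divert port as the last argument).

lint_divert() {   # usage: lint_divert < script ; prints one finding per line
  awk '
    /^[ \t]*#/ { next }                              # ignore comment lines
    $1 == "ipfw" && $2 == "add" && $4 == "divert" {
      port = $5; rule[port] = $3                     # divert port -> rule number
      m = ""; for (i = 6; i <= NF; i++) m = m " " $i
      match_of[port] = m; next                       # remember the match spec
    }
    $1 == "ipfw" && $2 == "add" && ($4 == "pass" || $4 == "allow") {
      m = ""; for (i = 5; i <= NF; i++) m = m " " $i
      passed[m] = 1; next                            # match specs that are passed
    }
    $1 == "ipltd" {                                  # one daemon per divert port
      if (++listeners[$NF] > 1) print "DUP_LISTENER " $NF
    }
    END {
      for (p in rule) {
        # divert with nothing bound to the port: traffic would be dropped
        if (!(p in listeners)) print "NO_LISTENER " p " rule " rule[p]
        # no pass rule with the same match for the re-injected packets
        if (!(match_of[p] in passed)) print "NO_PASS " p " rule " rule[p]
      }
      # ipltd started on a port that no rule diverts to: it shapes nothing
      for (p in listeners) if (!(p in rule)) print "UNUSED_LISTENER " p
    }' | LC_ALL=C sort
}

sample_rules() {  # constructed sample: 2001 has no ipltd, 2005 has no rule
  cat <<'EOF'
# mail relay is set up correctly
ipfw add 10 divert 2000 tcp from any to MAIL_RELAY smtp setup
ipfw add 11 pass tcp from any to MAIL_RELAY smtp setup
ipltd -c 6000 -p 2 2000
ipfw add 20 divert 2001 tcp from any to BigServer setup
ipltd -c 1000 -b 1500 -s 2005
EOF
}

sample_rules | lint_divert
```

Run it as `lint_divert < your-setup-script` before loading the rules; no output means every divert port has exactly one ipltd and a matching pass rule.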
