Date: Thu, 14 Sep 2006 13:06:34 -0700
From: Chris <eagletree@hughes.net>
To: freeBSD <freebsd-questions@freebsd.org>
Subject: Re: Under Attack: Bandwidth throttling on 5.2.1?
Message-ID: <A4AC2694-96D2-48DE-AE76-D1EE0319FC53@hughes.net>
In-Reply-To: <4509B33B.80604@ee.duth.gr>
References: <C214FC9E-0D29-44F0-B8F5-2116135A4AF1@cbpratt.prohosting.com> <4509B33B.80604@ee.duth.gr>
On Sep 14, 2006, at 12:53 PM, Panagiotis wrote:

> Chris wrote:
>
>> ...system, we could come back up I think and try to ride out the
>> attack. I've never done this before but in an earlier thread I
>> saw where you configure a pipe such as:
>>
>> ipfw pipe 1 config bw 256Kbit/s
>> ipfw add pipe 1 tcp from 192.168.1.2 80
>>
>> then set sysctl.conf
>> net.inet.ip.fw.one_pass=1
>>
>> Is that all that's necessary for this old a system or is there
>> anything else? If this is correct, would this keep this fellow
>> from crashing
>
> To use traffic shaping with IPFW you have to compile the kernel
> with the following options:
>
> options DUMMYNET
> options HZ=1000
>
> then you can add some lines like these to make your bandwidth limit
> work:
>
> #first flush all the previous pipes
> ipfw -q -f pipe flush
>
> ipfw pipe 1 config bw 256Kbit/s
> ipfw add pipe 1 tcp from any to any
>
> usually we use two pipes, one for download and one for upload so
> you can try something like this:
>
> #first flush all the previous pipes
> ipfw -q -f pipe flush
>
> #upload bandwidth+download bandwidth=total bandwidth
> #pipe for upload
> ipfw pipe 1 config bw 128Kbit/s
> #pipe for download
> ipfw pipe 2 config bw 256Kbit/s
>
> server_port="20,21,80,443,995,...,etc"
> internal_network="192.168.0.0"
>
> #config upload
> ipfw add pipe 1 tcp from $internal_network to any $server_port
> #config download
> ipfw add pipe 2 tcp from any $server_port to $internal_network
>
> The variables "server_port" and "internal_network" are examples of
> course... :-)
> If you are running natd on your machine then you have to put rules
> AFTER the divert natd rule like these:
> ipfw add pipe 1 tcp from {external_ip} to any $server_port
> ipfw add pipe 2 tcp from any $server_port to $internal_network
>
> The net.inet.ip.fw.one_pass=1 must be set if you want your traffic
> to pass from pipes and not continue at next rules....
>
> Sorry for my bad english....

Thank you very much. Even rejecting the requests by referer has only lessened the impact on the system and we are occasionally rebooting. It has not let up all night. I will implement. Thank you again.

Chris
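The two-pipe setup Panagiotis describes, written up as an added helper script (it is not from the thread and not anything the list members posted). It assembles the dummynet commands as text so they can be reviewed before anything touches the running firewall, applies them only when APPLY=1, and reports the net.inet.ip.fw.one_pass setting the reply insists on. Everything configurable is an assumed placeholder: the internal network is given as 192.168.0.0/16 (the bare 192.168.0.0 in the post would match a single host, not a network), the port list and bandwidths are illustrative, and FIRST_RULE is an assumed rule number chosen so the pipe rules land after any "divert natd" rule. Shaping like this does not stop the flood; it caps what the server will spend answering it so the box itself stays reachable.

```shell
#!/bin/sh
# Added example (not from the thread): build the two-pipe dummynet rule set,
# print it for review, and apply it only when APPLY=1.
# Assumes a FreeBSD kernel built with "options DUMMYNET" (and HZ=1000) and
# ipfw already loaded. Every value below is an assumed placeholder.

INTERNAL_NET="${INTERNAL_NET:-192.168.0.0/16}"   # assumed; a bare 192.168.0.0 matches one host only
SERVER_PORTS="${SERVER_PORTS:-20,21,80,443,995}" # assumed service ports
UP_BW="${UP_BW:-128Kbit/s}"                      # upload pipe, as in the reply
DOWN_BW="${DOWN_BW:-256Kbit/s}"                  # download pipe, as in the reply
FIRST_RULE="${FIRST_RULE:-1000}"                 # assumed; keep it above any "divert natd" rule

# shaping_rules NET PORTS UP_BW DOWN_BW FIRST_RULE
# Prints the ipfw commands one per line; runs nothing.
shaping_rules() {
    net=$1
    ports=$2
    up=$3
    down=$4
    first=$5
    cat <<EOF
ipfw -q -f pipe flush
ipfw pipe 1 config bw $up
ipfw pipe 2 config bw $down
ipfw add $first pipe 1 tcp from $net to any $ports
ipfw add $((first + 1)) pipe 2 tcp from any $ports to $net
EOF
}

# one_pass_state: prints the value of net.inet.ip.fw.one_pass, or "unknown"
# on a host without that sysctl. With 0 a packet leaving the pipe is
# re-injected at the next rule; with 1 it is accepted straight away,
# which is why the reply says the sysctl must be 1.
one_pass_state() {
    v=$(sysctl -n net.inet.ip.fw.one_pass 2>/dev/null) || v=
    if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# rule_count: number of ipfw commands in a rule set read from stdin (sanity check)
rule_count() {
    grep -c '^ipfw'
}

if [ "${APPLY:-0}" = 1 ]; then
    [ "$(one_pass_state)" = 1 ] || \
        echo "warning: net.inet.ip.fw.one_pass is not 1; shaped traffic will fall through to later rules" >&2
    shaping_rules "$INTERNAL_NET" "$SERVER_PORTS" "$UP_BW" "$DOWN_BW" "$FIRST_RULE" | sh
else
    # dry run: show what would be applied
    shaping_rules "$INTERNAL_NET" "$SERVER_PORTS" "$UP_BW" "$DOWN_BW" "$FIRST_RULE"
fi
```

Run it once without APPLY to read the generated rules, then with APPLY=1. After applying, `ipfw pipe show` lists the two pipes with their bandwidth and queue counters, and `ipfw show` confirms the pipe rules sit after the divert rule when natd is in use. The explicit rule numbers are what make that ordering deterministic; the reply's numberless `ipfw add pipe ...` form appends at the end of the ruleset, which is fine on a fresh set but easy to get wrong once other rules exist.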