Date:      Wed, 9 Jan 2002 01:58:23 -0500
From:      Paul Chvostek <paul+isp@it.ca>
To:        isp-webhosting@isp-webhosting.com, freebsd-isp@FreeBSD.ORG
Subject:   Re: Restricting Users Geographically
Message-ID:  <20020109015823.A25751@mail.it.ca>
In-Reply-To: <5.1.0.14.2.20020108234616.02a93008@mailbox.samurai.com>; from dev@samurai.com on Tue, Jan 08, 2002 at 11:54:29PM -0500
References:  <JAEEIJKIHAONENKPFCCPMEPGCBAA.dev@samurai.com> <Pine.BSF.4.05.10201071857450.29300-100000@misery.sdf.com> <JAEEIJKIHAONENKPFCCPMEPGCBAA.dev@samurai.com> <20020109121814.E13438@webjump.national.com.au> <5.1.0.14.2.20020108234616.02a93008@mailbox.samurai.com>

On Tue, Jan 08, 2002 at 11:54:29PM -0500, Blake Crosby wrote:
> 
> The thing that bothers me is this... My webserver has a finite amount of
> resources. When someone, say, from Japan (which there are three mirrors for)
> accesses the mirror, they are using resources for potential Canadians to use.

Potential Canadians (as well as established ones) are equally free
to use a Japanese mirror if the resources of a local one are full.
Most mirrors put limits on the number of simultaneous connections.
You could too.  And if a Canadian can't grab data from your host,
he'll check for another that's less full.

The reality of the 'Net is that physical location often bears little
on how "close" hosts are to each other.  It was worse years ago, but
I still see traceroutes across town that go through three or four US
cities, and traceroutes to other continents with hop counts in the
single digits.

> I want to contribute to the project, but I cannot afford hundreds of 
> dollars a month to keep the mirror up

Good point.  That reminds me....  ;-)

> - so I bandwidth limited traffic. So 
> not only are server resources being taxed by non-Canadians, bandwidth is as 
> well.

Very patriotic, but why would it be more appropriate for you to serve
content to a Sprint-connected host in Kelowna than a Reptiles-connected
host in Pakistan?  The distribution of resources, if done using any
mechanism besides random chance, should be done in such a way as to
reduce overall traffic.

> This way, Canadians have exclusive access to the mirror. (well anyone with 
> a .com .net .org .edu domain name as well). The non-Canadians can use one 
> of the many mirrors in the USA or their home country.

And hosts without valid reverse DNS are presumably out of luck as well.

The bandwidth limitation idea seemed like a good one.  You're running
FreeBSD, right?  (Lemme check the console ... yeah.)  So do some of
your own traffic shaping.  If you want a dedicated IP address for your
mirror, ask your ISP; they can certainly accommodate your request,
perhaps even at no charge.  Then do something like:

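 # dummynet pipe 10: cap whatever is sent through it at 64 Kbit/s
 ipfw pipe 10 config bw 64Kbit/s
 # rule 250: outbound packets from the mirror to these blocks go through pipe 10
 ipfw add 250 pipe 10 ip from www2.ca.postgresql.org to 210.0.0.0/7 out
 ipfw add 250 pipe 10 ip from www2.ca.postgresql.org to 193.0.0.0/8 out
 ipfw add 250 pipe 10 ip from www2.ca.postgresql.org to 194.0.0.0/7 out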
etc.

I'm sure that with a little research in your logs (or at ARIN et al) you
will have the bulk of the overseas stuff covered.

Alternately....

For every inbound connection, let 'em log on and start some traffic.  For
every new connection, launch a background process which looks up the IP
address at whois.ra.net and whois.arin.net.  Take the first line from
ra.net with the word "origin:", and that's supposed to be the AS number
that's responsible for routing.  Look up that ASN at whois.arin.net, and
if the result does not include the regexp /\<C(A|anada)\>/, null route
'em.  Or ipfw deny their traffic.  And store the result in a local db
for quicker lookup next time that host connects.  (Don't just store the
IP, instead store the CIDR block that was given in the first line of
output from whois.ra.net.)

And if after all that you feel that the time to develop all this has
been well spent, you must be paying too much for your bandwidth.  ;-)

-- 
  Paul Chvostek                                             <paul@it.ca>
  Operations / Development / Abuse / Whatever       vox: +1 416 598-0000
  it.canada                                            http://www.it.ca/
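
Added example, not part of the original message: a sketch of the whois-based lookup described under "Alternately", showing why caching the routed CIDR block saves lookups for other hosts in the same block. The whois responses are constructed samples, and the names GeoCache, first_field and the allow-when-no-record policy are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample whois text (documentation prefixes, private-use ASNs),
# standing in for live queries to whois.ra.net and whois.arin.net.
SAMPLE_ROUTE_WHOIS = {
    "192.0.2.25": "route:   192.0.2.0/24\norigin:  AS64500\n",
    "198.51.100.7": "route:   198.51.100.0/24\norigin:  AS64501\n",
}
SAMPLE_ASN_WHOIS = {
    "AS64500": "OrgName:  Example Hosting\nCountry:  CA\n",
    "AS64501": "OrgName:  Example Telecom\nCountry:  JP\n",
}

CANADA_RE = re.compile(r"\bC(?:A|anada)\b")  # the message's /\<C(A|anada)\>/


def first_field(text, name):
    """Value of the first 'name:' line in whois output, or None."""
    m = re.search(rf"^{re.escape(name)}:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


class GeoCache:
    """Caches allow/deny verdicts per routed CIDR block, not per address."""

    def __init__(self, route_whois, asn_whois):
        self.route_whois, self.asn_whois = route_whois, asn_whois
        self.blocks = {}   # ip_network -> True (allow) / False (deny)
        self.lookups = 0   # whois round trips actually made

    def allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        hits = [n for n in self.blocks if addr in n]
        if hits:  # most specific cached block wins
            return self.blocks[max(hits, key=lambda n: n.prefixlen)]
        self.lookups += 1
        text = self.route_whois(ip)
        route, origin = first_field(text, "route"), first_field(text, "origin")
        if not route or not origin:
            return True    # assumption: no route record means allow, uncached
        verdict = bool(CANADA_RE.search(self.asn_whois(origin) or ""))
        self.blocks[ipaddress.ip_network(route)] = verdict
        return verdict


if __name__ == "__main__":
    cache = GeoCache(lambda ip: SAMPLE_ROUTE_WHOIS.get(ip, ""), SAMPLE_ASN_WHOIS.get)
    for ip in ("192.0.2.25", "198.51.100.7", "198.51.100.200"):
        print(ip, "allow" if cache.allowed(ip) else "deny", cache.lookups)
```

The pattern is kept as the message gives it; on real ARIN output it also matches a "StateProv: CA" line, so matching only the "Country:" field is tighter.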

