bandwidth throttling?

2010-04-08 Thread Dan Naumov
Hello folks

I have an 8.0 system that has 2 IPs:

ifconfig em1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
ether 00:25:90:01:32:93
inet 192.168.1.126 netmask 0xff00 broadcast 192.168.1.255
inet 192.168.1.127 netmask 0xff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT full-duplex)
status: active

The .126 is used by the host for various obvious things and I have a
jail on the same machine running off the .127 IP. Is there a quick and
easy way to have the jail host throttle bandwidth usage of everything
going to and out of the .127 jail? I don't really need anything fancy,
I just want to set hard limits for the entire jail globally, like
don't use more than 500KB/s downstream and more than 150KB/s
upstream. What would be the best way around doing this? My
understanding is that to do this with PF, I would need ALTQ meaning I
have to use a custom kernel and that IPFW with dummynet should have
similar functionality but should also work with GENERIC?

Thanks!

- Sincerely,
Dan Naumov
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Bandwidth Throttling under FreeBSD 6.x ...

2006-12-01 Thread Marc G. Fournier

Finding a lot of ancient stuff on Google, but they all seem to revolve around 
ipfw, which I believe isn't so heavily recommended anymore?

Can someone point me to a doc that talks about bandwidth throttling using, I'm 
guessing, pf, is the current?  Under FreeBSD 6.x?

Basically, what I want to do is leave everything open, but throttle one 
specific IP ...

Thanks ...

- 
Marc G. Fournier   Hub.Org Networking Services (http://www.hub.org)
Email . [EMAIL PROTECTED]  MSN . [EMAIL PROTECTED]
Yahoo . yscrappy   Skype: hub.orgICQ . 7615664


RE: Bandwidth Throttling under FreeBSD 6.x ...

2006-12-01 Thread Michael K. Smith - Adhost
Hello Mark:

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc G.
Fournier
Sent: Friday, December 01, 2006 10:28 AM
To: freebsd-questions@freebsd.org
Subject: Bandwidth Throttling under FreeBSD 6.x ...


Finding a lot of ancient stuff on Google, but they all seem to revolve
around 
ipfw, which I believe isn't so heavily recommended anymore?

Can someone point me to a doc that talks about bandwidth throttling
using, I'm 
guessing, pf, is the current?  Under FreeBSD 6.x?

Basically, what I want to do is leave everything open, but throttle one 
specific IP ...

Thanks ...

- 
Marc G. Fournier   Hub.Org Networking Services
(http://www.hub.org)
Email . [EMAIL PROTECTED]  MSN .
[EMAIL PROTECTED]
Yahoo . yscrappy   Skype: hub.orgICQ . 7615664

I think this is what you're looking for.  Specifically, using ALTQ in
conjunction with PF.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

Regards,

Mike


Re: Under Attack: Bandwidth throttling on 5.2.1?

2006-09-14 Thread Panagiotis

Chris wrote:


This is probably going to tax the memory. I'm sorry in advance.

We observed 2 hangs and 3 crashes in the last 5 hours and finally  
after looking at the nature of the traffic, it appears to be little  
infested windows spybots from all over targeting our forums to  
attempt to reply to all messages with gambling and other spam. The  
referer in every case is a few obvious spam sites. We measured 33  
pages per second and all invoking perl (well you can imagine the load).
It's killed the system in several ways I've never even seen. We
shut down on purpose for the first time in years which is pretty bad
for business. I'm readying the quad opteron tyan to take down and
shove in its place since the T1 can't swamp it, but still building.
The machine is a dual 3.0 xeon with 4G and Intel 1000/Pro on 5.2.1
with IPFW enabled. If I can configure throttling on this old a
system, we could come back up I think and try to ride out the attack.
I've never done this before but in an earlier thread I saw where you  
configure a pipe such as:


ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from 192.168.1.2 80

then set sysctl.conf
net.inet.ip.fw.one_pass=1

Is that all that's necessary for this old a system or is there
anything else? If this is correct, would this keep this fellow from
crashing?


To use traffic shaping with IPFW you have to compile the kernel with the 
following options:


options DUMMYNET
options HZ=1000

then you can add some lines like these to make your bandwidth limit work:

#first flush all the previous pipes
ipfw -q -f pipe flush

ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from any to any

usually we use two pipes, one for download and one for upload so you can 
try something like this:



#first flush all the previous pipes
ipfw -q -f pipe flush

#upload bandwidth+download bandwidth=total bandwidth
#pipe for upload
ipfw pipe 1 config bw 128Kbit/s
#pipe for download
ipfw pipe 2 config bw 256Kbit/s

server_port=20,21,80,443,995,...,etc
internal_network=192.168.0.0

#config upload
ipfw add pipe 1 tcp from $internal_network to any $server_port
#config download
ipfw add pipe 2 tcp from any $server_port to $internal_network

The variables server_port and internal_network are examples of 
course... :-)
If you are running natd on your machine then you have to put rules AFTER 
the divert natd rule like these:

ipfw add pipe 1 tcp from {external_ip} to any $server_port
ipfw add pipe 2 tcp from any $server_port to $internal_network

The net.inet.ip.fw.one_pass=1 must be set if you want your traffic to 
pass from pipes and not continue at next rules


Sorry for my bad English






Re: Under Attack: Bandwidth throttling on 5.2.1?

2006-09-14 Thread Chris

On Sep 14, 2006, at 12:53 PM, Panagiotis wrote:


Chris wrote:

...system, we could come back up I think and try to ride out the
attack.  I've never done this before but in an earlier thread I
saw where you configure a pipe such as:


ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from 192.168.1.2 80

then set sysctl.conf
net.inet.ip.fw.one_pass=1

Is that all that's necessary for this old a system or is there
anything else? If this is correct, would this keep this fellow
from crashing?


To use traffic shaping with IPFW you have to compile the kernel  
with the following options:


options DUMMYNET
options HZ=1000

then you can add some lines like these to make your bandwidth limit
work:


#first flush all the previous pipes
ipfw -q -f pipe flush

ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from any to any

usually we use two pipes, one for download and one for upload so  
you can try something like this:



#first flush all the previous pipes
ipfw -q -f pipe flush

#upload bandwidth+download bandwidth=total bandwidth
#pipe for upload
ipfw pipe 1 config bw 128Kbit/s
#pipe for download
ipfw pipe 2 config bw 256Kbit/s

server_port=20,21,80,443,995,...,etc
internal_network=192.168.0.0

#config upload
ipfw add pipe 1 tcp from $internal_network to any $server_port
#config download
ipfw add pipe 2 tcp from any $server_port to $internal_network

The variables server_port and internal_network are examples of  
course... :-)
If you are running natd on your machine then you have to put rules
AFTER the divert natd rule like these:

ipfw add pipe 1 tcp from {external_ip} to any $server_port
ipfw add pipe 2 tcp from any $server_port to $internal_network

The net.inet.ip.fw.one_pass=1 must be set if you want your traffic  
to pass from pipes and not continue at next rules


Sorry for my bad English







Thank you very much. Even rejecting the requests by referer has only  
lessened the impact on the system and we are occasionally rebooting.  
It has not let up all night. I will implement. Thank you again.


Chris 


Re: ipfw - bandwidth throttling (sanity check!)

2006-09-13 Thread RW
On Wednesday 13 September 2006 06:25, Odhiambo Washington wrote:
 * On 12/09/06 22:13 +0100, RW wrote:
 | On Tuesday 12 September 2006 20:49, Odhiambo Washington wrote:
 |  Hello Security guy ;)
 | 
 |  I have tried very hard to understand ipfw just for the purpose of
 |  bandwidth throttling for smtp service.
 | 
 |  Basically, I want to throttle the bandwidth used by my SMTP
 |  server outbound to _anyone_ else except my ip blocks.
 | 
 |  My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
 |  e.f.g.h/20
 | 
 | 
 |  Are the following rules sane enough?
 | 
 |  ipfw pipe 1 config bw 256Kbit/s
 |  ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
 |  ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25
 |
 | This queues all outgoing smtp to the pipe.
 |
 | You also need to set  net.inet.ip.fw.one_pass=1 to avoid the packets
 | re-entering the rules on the next line.  Setting that means that the
 | packets cannot pass through dynamic rules. It is possible to use dynamic
 | rules with dummynet, but it's a pain.

 Thank you so much for clarifying that. What I wanted to be clarified is
 if it is true that smtp traffic to a.b.c.d/19 and e.f.g.h/20 is NOT
 being put through this pipe..

The logic you have is: 

(NOT in range a.b.c.d/19) OR (NOT in range e.f.g.h/20)

what you want is:

NOT  ( in range a.b.c.d/19 OR in range e.f.g.h/2 )

I'm a bit rusty with IPFW, but you can probably specify multiple address 
blocks in one statement - have a look at the man page.
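
RW's point about the rule logic, as an added example that is not part of the original thread: a small Python model of in-order ipfw rule matching, comparing the two posted rules with a single rule that negates both blocks, and showing what one_pass changes. The netblocks, sample addresses and rule numbers 100/200 are constructed stand-ins for the thread's a.b.c.d/19 and e.f.g.h/20 placeholders.

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders a.b.c.d/19 and e.f.g.h/20.
BLOCK_A = ipaddress.ip_network("198.18.0.0/19")
BLOCK_B = ipaddress.ip_network("198.18.64.0/20")


def to_not(*nets):
    """Matcher for a 'to not <blocks>' destination: true if dst is in none of nets."""
    return lambda dst: not any(dst in net for net in nets)


# Every packet modelled here is assumed to be tcp from the SMTP server to port 25,
# so only the destination test differs between rules. Rule numbers are hypothetical.
AS_POSTED = [(100, to_not(BLOCK_A)),           # pipe 1 ... to not a.b.c.d/19 25
             (200, to_not(BLOCK_B))]           # pipe 1 ... to not e.f.g.h/20 25
INTENDED = [(100, to_not(BLOCK_A, BLOCK_B))]   # NOT (in A OR in B)


def pipe_hits(ruleset, dst, one_pass=True):
    """Return the rule numbers that send this packet into the pipe.

    Rules are checked in order. With one_pass=True the packet is done after its
    first pipe; with one_pass=False it re-enters the ruleset at the next rule.
    """
    addr = ipaddress.ip_address(dst)
    hits = []
    for number, matches in ruleset:
        if matches(addr):
            hits.append(number)
            if one_pass:
                break
    return hits


# Constructed sample destinations: one in each exempt block, one elsewhere.
SAMPLES = {"inside A": "198.18.5.10", "inside B": "198.18.70.1",
           "outside": "203.0.113.25"}

if __name__ == "__main__":
    for label, dst in SAMPLES.items():
        print(f"{label:9} posted={pipe_hits(AS_POSTED, dst)} "
              f"intended={pipe_hits(INTENDED, dst)} "
              f"posted,one_pass=0={pipe_hits(AS_POSTED, dst, one_pass=False)}")
```

With the posted pair, a destination inside one exempt block still matches the rule that negates the other block, so nothing is exempt; with one_pass off, an outside destination is queued by both rules.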


Under Attack: Bandwidth throttling on 5.2.1?

2006-09-13 Thread Chris

This is probably going to tax the memory. I'm sorry in advance.

We observed 2 hangs and 3 crashes in the last 5 hours and finally  
after looking at the nature of the traffic, it appears to be little  
infested windows spybots from all over targeting our forums to  
attempt to reply to all messages with gambling and other spam. The  
referer in every case is a few obvious spam sites. We measured 33  
pages per second and all invoking perl (well you can imagine the load).
It's killed the system in several ways I've never even seen. We
shut down on purpose for the first time in years which is pretty bad
for business. I'm readying the quad opteron tyan to take down and
shove in its place since the T1 can't swamp it, but still building.
The machine is a dual 3.0 xeon with 4G and Intel 1000/Pro on 5.2.1
with IPFW enabled. If I can configure throttling on this old a
system, we could come back up I think and try to ride out the attack.
I've never done this before but in an earlier thread I saw where you  
configure a pipe such as:


ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from 192.168.1.2 80

then set sysctl.conf
net.inet.ip.fw.one_pass=1

Is that all that's necessary for this old a system or is there
anything else? If this is correct, would this keep this fellow from
crashing?


ipfw - bandwidth throttling (sanity check!)

2006-09-12 Thread Odhiambo Washington
Hello Security guy ;)

I have tried very hard to understand ipfw just for the purpose of
bandwidth throttling for smtp service.

Basically, I want to throttle the bandwidth used by my SMTP
server outbound to _anyone_ else except my ip blocks.

My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
e.f.g.h/20


Are the following rules sane enough?

ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25


Any smtp traffic not to these netblocks should be throttled.
By that, I am thinking it will match everything smtp outbound
only, not inbound.


Thank you for your time.


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd.   www.wananchi.com
Tel: +254 20 313985-9  +254 20 313922
GSM: +254 722 743223   +254 733 744121

Don't put off for tomorrow what you can do today, because if you enjoy
it today you can do it again tomorrow.


Re: ipfw - bandwidth throttling (sanity check!)

2006-09-12 Thread RW
On Tuesday 12 September 2006 20:49, Odhiambo Washington wrote:
 Hello Security guy ;)

 I have tried very hard to understand ipfw just for the purpose of
 bandwidth throttling for smtp service.

 Basically, I want to throttle the bandwidth used by my SMTP
 server outbound to _anyone_ else except my ip blocks.

 My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
 e.f.g.h/20


 Are the following rules sane enough?

 ipfw pipe 1 config bw 256Kbit/s
 ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
 ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25

This queues all outgoing smtp to the pipe. 

You also need to set  net.inet.ip.fw.one_pass=1 to avoid the packets 
re-entering the rules on the next line.  Setting that means that the packets 
cannot pass through dynamic rules. It is possible to use dynamic rules with 
dummynet, but it's a pain.


Re: ipfw - bandwidth throttling (sanity check!)

2006-09-12 Thread Odhiambo Washington
* On 12/09/06 22:13 +0100, RW wrote:
| On Tuesday 12 September 2006 20:49, Odhiambo Washington wrote:
|  Hello Security guy ;)
| 
|  I have tried very hard to understand ipfw just for the purpose of
|  bandwidth throttling for smtp service.
| 
|  Basically, I want to throttle the bandwidth used by my SMTP
|  server outbound to _anyone_ else except my ip blocks.
| 
|  My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
|  e.f.g.h/20
| 
| 
|  Are the following rules sane enough?
| 
|  ipfw pipe 1 config bw 256Kbit/s
|  ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
|  ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25
| 
| This queues all outgoing smtp to the pipe. 
| 
| You also need to set  net.inet.ip.fw.one_pass=1 to avoid the packets 
| re-entering the rules on the next line.  Setting that means that the packets 
| cannot pass through dynamic rules. It is possible to use dynamic rules with 
| dummynet, but it's a pain.

Thank you so much for clarifying that. What I wanted to be clarified is
if it is true that smtp traffic to a.b.c.d/19 and e.f.g.h/20 is NOT
being put through this pipe..

net.inet.ip.fw.one_pass=1 seems to be the default on my system. Not sure
why, but I will RTFM about it.


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd.   www.wananchi.com
Tel: +254 20 313985-9  +254 20 313922
GSM: +254 722 743223   +254 733 744121

If only one could get that wonderful feeling of accomplishment without
having to accomplish anything.


Bandwidth throttling

2006-04-23 Thread Andrew Spott
I'm interested in setting up a system that will give one person a guaranteed
amount of bandwidth.  For example, if everyone on the network is using the
internet, he is guaranteed a certain amount of bandwidth, but only if he is
using it.  Basically, I want to give him priority on a certain amount of
bandwidth, but have the rest of it up for grabs.

Is this possible? and if so, where can I get more information on how to do
it?

-Andrew


Re: Bandwidth throttling

2006-04-23 Thread Hugo Silva

Andrew Spott wrote:

I'm interested in setting up a system that will give one person a guaranteed
amount of bandwidth.  For example, if everyone on the network is using the
internet, he is guaranteed a certain amount of bandwidth, but only if he is
using it.  Basically, I want to give him priority on a certain amount of
bandwidth, but have the rest of it up for grabs.

Is this possible? and if so, where can I get more information on how to do
it?

-Andrew


See http://www.openbsd.org/faq/pf/queueing.html

Regards,

Hugo


bandwidth throttling for a particular port for FTP server

2004-01-08 Thread Jamie Grunewald
hi,

I'm fairly new to FreeBSD and I hope this is the
proper group to post this question.

I'm setting up a FTP server on FreeBSD 5.1 to be
accessed by a select number of people.  Is there a way
to limit the amount of bandwidth that would be allocated
(e.g. I don't want to use the full 768kb/s (internet
connection max)) for my FTP port?  I have multiple
systems on my home LAN, the reason for limiting my
bandwidth for FTP purposes.  I do have a router with
an active firewall.

Thanks
james



Re: bandwidth throttling for a particular port for FTP server

2004-01-08 Thread Nelis Lamprecht
On Thu, 2004-01-08 at 11:37, Jamie Grunewald wrote:
 hi,
 
 I'm fairly new to FreeBSD and I hope this is the
 proper group to post this question.
 
 I'm setting up a FTP server on FreeBSD 5.1 to be
 accessed by a select number of people.  Is there a way
 to limit the amount of bandwidth that would be allocated
 (e.g. I don't want to use the full 768kb/s (internet
 connection max)) for my FTP port?  I have multiple
 systems on my home LAN, the reason for limiting my
 bandwidth for FTP purposes.  I do have a router with
 an active firewall.
 
 Thanks
 james

Hi,

By using ipfw(8) and dummynet(4) you can artificially limit the amount
of bandwidth used for a specific network/port. The man pages for ipfw(8)
contain some useful examples on how to configure and use this.

Another method would be to use a FTP Server that supports bandwidth
throttling eg. ProFTPD ( www.proftpd.org ) 
It has variables like RateWriteBPS, RateReadBPS etc which you can
configure to suit your bandwidth requirements.

Regards,

-- 
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgp/nelis.key
Unix IS user friendly.. It's just selective about who its friends are.

