Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Kirk Ismay

On 2013-04-12 1:34 AM, Sebastian Singer wrote:


> Just one thing: Please stick to the technical focus of the question.
> Educational advice need not be given as I have received enough of it
> in the past already. And as far as I have seen and heard I am not the
> only father having to deal with these kinds of problems. Thank you.

Sebastian,

On our family Windows box, I use this to limit the time on the computer 
and ensure fair use:

http://www.timesupkidz.com/

It can be set to allow 1/2 hour of use and force a 15 minute break, for 
example. It also has time of day restrictions. You mention WoW and 
Minecraft, so Windows use is a fair assumption here.


To use PF to enforce restrictions, you could have cron update a PF table 
and add or remove all the IPs (the Xbox, tablet, Windows box, etc.) 
based on the time of day. Once you've got the table in place, you can 
either do blocking rules (no access to WoW server for IPs in the table), 
or altq rules (throttle access to a list of IPs from the table).


A shell/perl/whatever script run from cron could also be used to parse 
tally data used by IP from PF. Assuming you have a table called 
internal listing all your IPs on your LAN, the following command shows 
how much data has been used per IP:


pfctl -v -t internal -Tshow
   192.168.1.12
        Cleared:     Fri Apr 12 08:13:16 2013
        In/Block:    [ Packets: 0      Bytes: 0      ]
        In/Pass:     [ Packets: 125    Bytes: 9395   ]
        Out/Block:   [ Packets: 0      Bytes: 0      ]
        Out/Pass:    [ Packets: 91     Bytes: 6460   ]



AuthPF can be used to further alter pf rules, requiring your son to log 
in to the gateway using ssh:

http://www.openbsd.org/faq/pf/authpf.html

PuTTY for Windows has an ssh-agent, so it should be possible to quietly 
log him in to the gateway from his Windows account by adding it to his 
startup folder. Look at the plink and pageant commands.

http://the.earth.li/~sgtatham/putty/

Hope that helps.

~~ Kirk


Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Sebastian Singer
Hi Kirk,
Hi Peter,

Thank you both for your quick and inspiring answers. I think I will first try 
setting up a table and continue with scripting around pfctl -vt tablename -T 
show as proposed by both of you. If I run into problems I will have a go at the 
solution with labels.

Yours,
Sebastian

PS: @ Peter: your book is amazing. If I hadn't purchased it already I would 
have asked for a signed copy :-)
S.
 
----- Original message -----
From: Kirk Ismay k...@ismay.ca 
To: Sebastian Singer sebastian.sin...@kesslar.de 
Cc: pf benzedrine.cx 
Date: Fri, 12 Apr 2013 10:23:47 -0700
-----
 
 





Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Peter N. M. Hansteen
Sebastian Singer sebastian.sin...@kesslar.de writes:

> So I do not want to cut him off the internet completely, just limit
> his bandwidth so much that he is throttled if he has reached a set
> time limit or else if he reaches a certain amount of GB used.
>
> So the question is: is pf (ALTQ especially) able to cope with these
> requirements? And if so, how would such rules in pf.conf look? I am by far
> no pf guru but have run an OpenBSD SOHO server for about 10 years. So I
> think I do have a basic understanding of pf matters.

Most if not all queueing options that come to mind (mostly the hfsc
ones) only operate on a per connection (per state) level, but it's
possible to collect statistics on traffic from a specific IP address,
either via rules with labels (see eg [1] onwards) or if the address is
part of a table, from the statistics collected on table entries, ie do a
pfctl -vt tablename -T show and you'll get something like this per table
entry:

   219.142.91.125
        Cleared:     Mon Apr  1 14:54:30 2013
        In/Block:    [ Packets: 874    Bytes: 51983  ]
        In/Pass:     [ Packets: 0      Bytes: 0      ]
        Out/Block:   [ Packets: 0      Bytes: 0      ]
        Out/Pass:    [ Packets: 0      Bytes: 0      ]

You could then whip up a script that parses either that or pfctl -vsl
output for the labels scenario and if your rules assign traffic to
queues based on membership in tables, have your script shift the source
address to the table whose traffic gets assigned to a smaller bandwidth
queue, and run your script at short intervals from a system crontab.

Or in a 'no online games after 10 PM' or similar scenario, have a
slightly simpler script do the tables shuffling at a specific time
(again assuming you slice your traffic according to table membership).

Off the top of my head, I think those are the most workable options, I
hope this was a tiny bit helpful.

- Peter

[1] http://home.nuug.no/~peter/pf/newest/labelstats.html and also
covered in The Book of PF (http://nostarch.com/pf2.htm and at 
better bookstores)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
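
[Added example, not part of any message in this thread: one way to script the table approach Kirk and Peter describe, parsing pfctl -vt table statistics and shifting over-quota addresses to a second table. The table name "throttled", the QUOTA_BYTES value and the second sample entry are assumptions; the script only touches pf when run with the argument "enforce".]

```shell
#!/bin/sh
# Added example: quota check built on `pfctl -vt <table> -T show` output.
# "internal" is the table named in the thread; "throttled" and QUOTA_BYTES
# are assumptions (pf.conf must assign the throttled table to a slower queue).
QUOTA_BYTES=${QUOTA_BYTES:-10000}   # constructed limit, sized for the sample

# Read pfctl table statistics on stdin and print every address whose
# In/Pass + Out/Pass byte total exceeds the quota passed as $1.
over_quota() {
    awk -v quota="$1" '
        function emit() { if (addr != "" && total > quota) print addr }
        NF == 1 { emit(); addr = $1; total = 0; next }   # address line
        $1 == "In/Pass:" || $1 == "Out/Pass:" {
            for (i = 2; i < NF; i++)
                if ($i == "Bytes:") total += $(i + 1)
        }
        END { emit() }
    '
}

# Constructed sample: first entry uses the counters shown in the thread,
# second entry has mostly blocked traffic, which must not count.
sample_stats() {
    cat <<'EOF'
   192.168.1.12
        Cleared:     Fri Apr 12 08:13:16 2013
        In/Block:    [ Packets: 0      Bytes: 0      ]
        In/Pass:     [ Packets: 125    Bytes: 9395   ]
        Out/Block:   [ Packets: 0      Bytes: 0      ]
        Out/Pass:    [ Packets: 91     Bytes: 6460   ]
   192.168.1.13
        Cleared:     Fri Apr 12 08:13:16 2013
        In/Block:    [ Packets: 874    Bytes: 51983  ]
        In/Pass:     [ Packets: 2      Bytes: 120    ]
        Out/Block:   [ Packets: 0      Bytes: 0      ]
        Out/Pass:    [ Packets: 1      Bytes: 80     ]
EOF
}

# Shift over-quota addresses from table $1 to table $2 (needs root and pf).
enforce() {
    pfctl -vt "$1" -T show | over_quota "$QUOTA_BYTES" |
    while read -r ip; do
        pfctl -t "$2" -T add "$ip" && pfctl -t "$1" -T delete "$ip"
    done
}

case "${1:-}" in
    enforce) enforce internal throttled ;;
    *)       sample_stats | over_quota "$QUOTA_BYTES" ;;   # offline demo
esac
```

[Deleting an address from a table discards its counters there, so a second cron entry that moves addresses back at the start of each period also resets the tally.]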


Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Karl O. Pinc
On 04/12/2013 04:11:47 PM, Sebastian Singer wrote:
> Hi Kirk,
> Hi Peter,
>
> Thank you both for your quick and inspiring answers. I think I will
> first try setting up a table and continue with scripting around pfctl
> -vt tablename -T show as proposed by both of you. If I run into
> problems I will have a go at the solution with labels.

For a completely general solution you could try logging with pf
and scripting something with, say, swatch/pfctl that either 
changes tables or reloads anchors.

Regards,

Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein