Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Kirk Ismay

On 2013-04-12 1:34 AM, Sebastian Singer wrote:


Just one thing: Please stick to the technical focus of the question. 
Educational advice need not be given as I have received enough of it 
in the past already. And as far as I have seen and heard I am not the 
only father having to deal with these kind of problems. Thank you.

Sebastian,

On our family Windows box, I use this to limit the time on the computer 
and ensure fair use:

http://www.timesupkidz.com/

It can be set to allow 1/2 hour of use and force a 15 minute break, for 
example. It also has time of day restrictions.  You mention WoW and 
Minecraft, so windows use is a fair assumption here.


To use PF to enforce restrictions, you could have Cron update a PF table 
and add or remove all the ip's (the xbox, tablet, windows box, etc) 
based on the time of day. Once you've got the table in place, you can 
either do blocking rules (no access to WoW server for ips in the table), 
or altq rules (throttle access to a list of IPs from the table).


A shell/perl/whatever script run from cron could also be used to parse  
tally data used by IP from PF.  Assuming you have a table called 
internal listing all your IPs on your lan, the following command shows 
how much data has been used per ip:


pfctl -v -t internal -Tshow
192.168.1.12
Cleared: Fri Apr 12 08:13:16 2013
In/Block:[ Packets: 0  Bytes: 
0  ]
In/Pass: [ Packets: 125Bytes: 
9395   ]
Out/Block:   [ Packets: 0  Bytes: 
0  ]
Out/Pass:[ Packets: 91 Bytes: 
6460   ]



AuthPF can be used to further alter pf rules, requiring your son to log 
in to the gateway using ssh:

http://www.openbsd.org/faq/pf/authpf.html

PuTTy for windows has an ssh-agent, so it should be possible to quietly 
log him in to the gateway from his windows account by adding it to his 
startup folder. Look at plink and pagent commands

http://the.earth.li/~sgtatham/putty/

Hope that helps.

~~ Kirk


Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Sebastian Singer
Hi Kirk,
Hi Peter,

Thank you both for your quick and inspiring answers. I think I will first try 
setting up a table and continue with scripting around pfctl -vt tablename -T 
show as proposed by both of you.If I run into problems I will have a go at the 
solution with labels.

Yours,
Sebastian

PS: @ Peter: your book is amazing. If I hadn't purchased it already I would 
have asked for a signed copy :-)
S.
 
urspr√ľngliche Nachricht-
Von: Kirk Ismay k...@ismay.ca 
An: Sebastian Singer sebastian.sin...@kesslar.de 
Kopie: pf benzedrine.cx 
Datum: Fri, 12 Apr 2013 10:23:47 -0700
-
 
 
 On 2013-04-12 1:34 AM, Sebastian Singer wrote:

 Just one thing: Please stick to the technical focus of the question. 
 Educational advice need not be given as I have received enough of it 
 in the past already. And as far as I have seen and heard I am not the 
 only father having to deal with these kind of problems. Thank you.
 Sebastian,
 
 On our family Windows box, I use this to limit the time on the computer 
 and ensure fair use:
 http://www.timesupkidz.com/
 
 It can be set to allow 1/2 hour of use and force a 15 minute break, for 
 example. It also has time of day restrictions. You mention WoW and 
 Minecraft, so windows use is a fair assumption here.
 
 To use PF to enforce restrictions, you could have Cron update a PF table 
 and add or remove all the ip's (the xbox, tablet, windows box, etc) 
 based on the time of day. Once you've got the table in place, you can 
 either do blocking rules (no access to WoW server for ips in the table), 
 or altq rules (throttle access to a list of IPs from the table).
 
 A shell/perl/whatever script run from cron could also be used to parse  
 tally data used by IP from PF. Assuming you have a table called 
 internal listing all your IPs on your lan, the following command shows 
 how much data has been used per ip:
 
 pfctl -v -t internal -Tshow
 192.168.1.12
 Cleared: Fri Apr 12 08:13:16 2013
 In/Block: [ Packets: 0 Bytes: 
 0 ]
 In/Pass: [ Packets: 125 Bytes: 
 9395 ]
 Out/Block: [ Packets: 0 Bytes: 
 0 ]
 Out/Pass: [ Packets: 91 Bytes: 
 6460 ]
 
 
 AuthPF can be used to further alter pf rules, requiring your son to log 
 in to the gateway using ssh:
 http://www.openbsd.org/faq/pf/authpf.html
 
 PuTTy for windows has an ssh-agent, so it should be possible to quietly 
 log him in to the gateway from his windows account by adding it to his 
 startup folder. Look at plink and pagent commands
 http://the.earth.li/~sgtatham/putty/
 
 Hope that helps.
 
 ~ Kirk
 

-- 





Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Peter N. M. Hansteen
Sebastian Singer sebastian.sin...@kesslar.de writes:

 So I do not want to cut him off the internet completely,  just limit
 his bandwidth so much that he is throttled if he has reached a set
 time limit or else if he reaches a certain amount of gb used.

 So the question is: is pf (ALTQ especially) able to cope with these
 requirements? And if how would such rules in pf.conf look? I am by far
 no pf guru but have run a OpenBSD SOHO server for about 10 years. So I
 think I do have a basic unterstanding of pf matters.

Most if not all queueing options that come to mind (mostly the hfsc
ones) only operate on a per connection (per state) level, but it's
possible to collect statistics on traffic from a specific IP address,
either via rules with labels (see eg [1] onwards) or if the address is
part of a table, from the statistics collected on table entries, ie do a
pfctl -vt tablename -T show and you'll get something like this per table
entry:

   219.142.91.125
Cleared:Mon Apr  1 14:54:30 2013
In/Block:   [ Packets: 874Bytes: 51983  
]
In/Pass:[ Packets: 0  Bytes: 0  
]
Out/Block:  [ Packets: 0  Bytes: 0  
]
Out/Pass:   [ Packets: 0  Bytes: 0  
]

You could then whip up a script that parses either that or pfctl -vsl
output for the labels scenario and if your rules assign traffic to
queues based on membership in tables, have your script shift the source
address to the table whose traffic gets assigned to a smaller bandwidth
queue, and run your script at short intervals from a system crontab.

Or in a 'no online games after 10 PM' or similar scenario, have a
slightly simpler script do the tables shuffling at a specific time
(again assuming you slice your traffic according to table membership).

Off the top of my head, I think those are the most workable options, I
hope this was a tiny bit helpful.

- Peter

[1] http://home.nuug.no/~peter/pf/newest/labelstats.html and also
covered in The Book of PF (http://nostarch.com/pf2.htm and at 
better bookstores)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: throttle traffic by amount of time or amount of used traffic in GB?

2013-04-13 Thread Karl O. Pinc
On 04/12/2013 04:11:47 PM, Sebastian Singer wrote:
 Hi Kirk,
 Hi Peter,
 
 Thank you both for your quick and inspiring answers. I think I will
 first try setting up a table and continue with scripting around pfctl
 -vt tablename -T show as proposed by both of you.If I run into
 problems I will have a go at the solution with labels.

For a completely general solution you could try logging with pf
and scripting something with, say, swatch/pfctl that either 
changes tables or reloads anchors.

Regards,

Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein