On Fri, Apr 06, 2007 at 09:38:31PM +0100, Jan Mulders wrote:
> parties for example), and that's done just fine. If someone's hogging all
> the bandwidth, add a DROP rule for their IP address on all protocols (DROP
> net lan:11.22.33.44 all - - if I remember correctly), restart shorewall
> (or you can learn how to manually add DROP-style rules to iptables, which
> doesn't require a shorewall restart which can sometimes interrupt traffic),
> and wait for the wailing and gnashing of teeth.
The command to remember is:

    ip route add prohibit 1.2.3.4

The routing table is massively more efficient than netfilter (O(log log N) instead of O(N)), and this arranges for everybody to automatically get the right error messages - remote hosts get ICMP "communication administratively prohibited".

As a general rule, if something can be done with the routing table, it should be done there. Netfilter is stupid and slow by comparison (although it can do far more weird stuff, like NAT).

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
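As an added example, not from the thread or from Shorewall itself: a small POSIX shell wrapper around the prohibit-route approach the reply recommends. It validates the address before touching the routing table and can be run with DRY_RUN=1 to only print the commands; the function names and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example: block one host with a routing-table prohibit route instead
# of a netfilter DROP rule. Needs root unless DRY_RUN=1 is set.

# Accept only a dotted quad with every octet in 0..255, so a typo never
# turns into a route that blocks the wrong address.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Build the exact ip(8) command for the given action ("add" or "del").
prohibit_cmd() {
    valid_ipv4 "$2" || return 1
    echo "ip route $1 prohibit $2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Install the prohibit route, then ask the kernel how it would now route
# the address: a prohibit route makes 'ip route get' report an error
# instead of a next hop, which confirms the block took effect.
block_host() {
    cmd=$(prohibit_cmd add "$1") || { echo "bad address: $1" >&2; return 1; }
    run $cmd                      # unquoted on purpose: split into words
    run ip route get "$1" 2>&1
}

# Remove the route again once the bandwidth hog has behaved.
unblock_host() {
    cmd=$(prohibit_cmd del "$1") || { echo "bad address: $1" >&2; return 1; }
    run $cmd
}

# Usage: DRY_RUN=1 ./block.sh 11.22.33.44   (constructed sample address)
if [ -n "${1:-}" ]; then
    block_host "$1"
fi
```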
