Hi all,

  there is a better solution: ipfw and pipe.
  I'm working on a package that simplifies the job, but it is getting harder
to make flexible.

  Just load ipfw.ko and dummynet.ko.

  To control everyone in your LAN use these rules:

SUBNET="192.168.1.0/24"
LIMIT_PIPEIN="250Kbit/s"
LIMIT_PIPEOUT="250Kbit/s"
ipfw add pipe 100 ip from ${SUBNET} to any
ipfw add pipe 200 ip from any to ${SUBNET}
ipfw pipe 100 config mask src-ip 0x000000ff bw ${LIMIT_PIPEOUT}  queue 10
ipfw pipe 200 config mask dst-ip 0x000000ff bw ${LIMIT_PIPEIN} queue 10

  Just change the subnet and limit vars to your own needs.
  Remember, the limit must be 30% less than real.

  If you put the whole band value, like "4Mbit/s", everyone will use this
upper limit.
  But if you want up to 15 people using this at the same time without fighting
with each other about download rate, place the value "250Kbit/s".
  This will fix a hard limit around 25KB/s to every machine on your LAN.
  Remember this: every machine, not every connection.

  The great villain today is p2p.
  With these settings, no matter how many connections one machine makes, the
limit will be respected.
  It's transparent to the user.

  Take a deep look at MASK and SUBNET.
  My sample uses a subnet with the last OCTET open and the MASK will match the
last OCTET too.
  So the pipes will be dynamically created for every single IP on the LAN,
starting from 1 to 254.

  As many pipes can be created as you wish.
  But the matching sequence is top-down.
  The first matching pipe takes control.

  Ex.: You wish to unlock one machine and not the others.
         Place 2 pipes, one before 00100 and 00200.
         Like 00096 and 00097.

   Using the "ipfw show" command you will see this:

# ipfw show
00096   1979400   342455858 pipe 96 ip from 192.168.1.199 to any
00097   2614619  2089783809 pipe 97 ip from any to 192.168.1.199
00100  93382187 27428427675 pipe 100 ip from 192.168.1.0/24 to any
00200  96107581 63006151656 pipe 200 ip from any to 192.168.1.0/24
65535 178815274 89112098498 allow ip from any to any

  The numbers after the pipe id are the byte counts running through the pipe.
  Using the "ipfw pipe show" command you will see how much the users are
trying to overflow your rule:

# ipfw pipe show
00100: 250.000 Mbit/s    0 ms   10 sl. 32 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip         0.0.0.128/0             0.0.0.0/0     1538   261999  0    0     0
  2 ip          0.0.0.65/0             0.0.0.0/0       12      504  0    0     0
  4 ip           0.0.0.2/0             0.0.0.0/0     428723 204387674  0    0  5999
  6 ip         0.0.0.195/0             0.0.0.0/0     1958   333940  0    0     0
  8 ip           0.0.0.4/0             0.0.0.0/0     2252   275042  0    0     0
 10 ip           0.0.0.5/0             0.0.0.0/0       23      986  0    0     0
 12 ip           0.0.0.6/0             0.0.0.0/0     1325082 393705846  0    0 71262
 14 ip          0.0.0.71/0             0.0.0.0/0     2494   446546  0    0     0
 16 ip         0.0.0.104/0             0.0.0.0/0     113053  5149188  0    0     0
 18 ip           0.0.0.9/0             0.0.0.0/0     19386  3502548  0    0    33
 20 ip          0.0.0.10/0             0.0.0.0/0       25     2068  0    0     0
 22 ip          0.0.0.11/0             0.0.0.0/0     2408   560263  0    0     0
 24 ip         0.0.0.172/0             0.0.0.0/0     1267730 186456524  0    0   687
 26 ip          0.0.0.77/0             0.0.0.0/0     37047  2376900  0    0     0
 28 ip          0.0.0.78/0             0.0.0.0/0      717   138436  0    0     0
 30 ip         0.0.0.175/0             0.0.0.0/0     145990 25002406  0    0     0
 32 ip          0.0.0.80/0             0.0.0.0/0       15     4640  0    0     0
 34 ip         0.0.0.113/0             0.0.0.0/0     604247 82553217  0    0     4
 36 ip         0.0.0.178/0             0.0.0.0/0       41     3344  0    0     0
 38 ip         0.0.0.179/0             0.0.0.0/0     54740 29536883  0    0     0
 40 ip         0.0.0.180/0             0.0.0.0/0     22377  5160831  0    0     0
 42 ip          0.0.0.85/0             0.0.0.0/0        8      320  0    0     0
 44 ip          0.0.0.22/0             0.0.0.0/0       87    52470  0    0     0
 46 ip          0.0.0.87/0             0.0.0.0/0       36     9360  0    0     0
 48 ip         0.0.0.184/0             0.0.0.0/0     498850 106375209  0    0   186
 50 ip         0.0.0.185/0             0.0.0.0/0     282755 21496479  0    0    18
 52 ip         0.0.0.186/0             0.0.0.0/0     32043  2909375  0    0     5
 54 ip         0.0.0.187/0             0.0.0.0/0      134    22753  0    0     0
 56 ip         0.0.0.188/0             0.0.0.0/0     51862  8719019  0    0     1
 58 ip         0.0.0.253/0             0.0.0.0/0     2280   191520  0    0     0
 60 ip         0.0.0.254/0             0.0.0.0/0     24078  4307650  0    0     0
 62 ip         0.0.0.191/0             0.0.0.0/0     420445 84129550  0    0 10510
00200: 250.000 Mbit/s    0 ms   10 sl. 51 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0           0.0.0.128/0     1614  1639211  0    0     0
  1 ip           0.0.0.0/0           0.0.0.193/0     4146  1423068  0    0     0
  2 ip           0.0.0.0/0             0.0.0.2/0     499608 110165721  0    0     0
  3 ip           0.0.0.0/0           0.0.0.195/0     565597 542001439  0    0   616
  4 ip           0.0.0.0/0             0.0.0.4/0     5380   507328  0    0     0
  5 ip           0.0.0.0/0             0.0.0.5/0       42     2016  0    0     0
  6 ip           0.0.0.0/0             0.0.0.6/0     1778468 521251221  0    0    14
  7 ip           0.0.0.0/0            0.0.0.71/0     1353  1483972  0    0     0
  8 ip           0.0.0.0/0            0.0.0.72/0      422   342681  0    0     0
  9 ip           0.0.0.0/0             0.0.0.9/0     612960 94121018  0    0     2
 10 ip           0.0.0.0/0            0.0.0.10/0       54     3452  0    0     0
 11 ip           0.0.0.0/0            0.0.0.11/0     5676   613236  0    0     0
 13 ip           0.0.0.0/0            0.0.0.77/0     39431 57411576  0    0     0
 14 ip           0.0.0.0/0            0.0.0.78/0     843312 1053472608  0    0     3
 17 ip           0.0.0.0/0            0.0.0.81/0     204706 158179424  0    0     6
 18 ip           0.0.0.0/0            0.0.0.82/0     22483 31087242  0    0     0
 19 ip           0.0.0.0/0            0.0.0.83/0        4      192  0    0     0
 20 ip           0.0.0.0/0            0.0.0.84/0       28     1344  0    0     0
 21 ip           0.0.0.0/0            0.0.0.85/0       68     3264  0    0     0
 22 ip           0.0.0.0/0            0.0.0.86/0       12      576  0    0     0
 23 ip           0.0.0.0/0            0.0.0.87/0       40     1920  0    0     0
 25 ip           0.0.0.0/0           0.0.0.153/0     211070 239419017  0    0   107
 27 ip           0.0.0.0/0           0.0.0.219/0     167729 162480742  0    0     4
 28 ip           0.0.0.0/0           0.0.0.156/0     59815 60947589  0    0    84
 34 ip           0.0.0.0/0            0.0.0.98/0     111816 102888848  0    0     0
 35 ip           0.0.0.0/0            0.0.0.99/0     684097 500834043  0    0    31
 36 ip           0.0.0.0/0           0.0.0.100/0     5494  3666021  0    0     0
 37 ip           0.0.0.0/0           0.0.0.165/0        2       96  0    0     0
 38 ip           0.0.0.0/0           0.0.0.166/0     1786343 1561800683  0    0   834
 40 ip           0.0.0.0/0           0.0.0.104/0     144671 121344840  0    0     0
 41 ip           0.0.0.0/0           0.0.0.169/0     149936 108076810  0    0     0
 42 ip           0.0.0.0/0           0.0.0.106/0      484   508594  0    0     0
 43 ip           0.0.0.0/0           0.0.0.171/0     37009 19659460  0    0     3
 44 ip           0.0.0.0/0           0.0.0.172/0     5212405 6267682004  0    0  3989
 46 ip           0.0.0.0/0           0.0.0.110/0     712120 696809804  0    0    14
 47 ip           0.0.0.0/0           0.0.0.175/0     805743 917088747  0    0    25
 48 ip           0.0.0.0/0           0.0.0.112/0        3      156  0    0     0
 49 ip           0.0.0.0/0           0.0.0.113/0     473642 476308496  0    0   159
 50 ip           0.0.0.0/0           0.0.0.178/0      144   189095  0    0     0
 51 ip           0.0.0.0/0           0.0.0.179/0     784653 703058192  0    0   489
 52 ip           0.0.0.0/0           0.0.0.180/0     1061499 992725601  0    0   349
 53 ip           0.0.0.0/0           0.0.0.181/0     1028155 995858017  0    0   510
 55 ip           0.0.0.0/0           0.0.0.183/0     7284  1136112  0    0     0
 56 ip           0.0.0.0/0           0.0.0.184/0     719729 713345549  0    0   393
 57 ip           0.0.0.0/0           0.0.0.185/0     4234563 5775756563  0    0    26
 58 ip           0.0.0.0/0           0.0.0.186/0     12703  1598672  0    0     0
 59 ip           0.0.0.0/0           0.0.0.187/0     1081355 956160566  0    0  2411
 60 ip           0.0.0.0/0           0.0.0.188/0     361657 347005632  0    0   140
 61 ip           0.0.0.0/0           0.0.0.189/0     448630 353813772  0    0   168
 62 ip           0.0.0.0/0           0.0.0.254/0     13981  1004138  0    0     0
 63 ip           0.0.0.0/0           0.0.0.191/0     206388 138061610  0    0   247
00096:   4.000 Mbit/s    0 ms   10 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 14 ip         0.0.0.199/0             0.0.0.0/0     1979399 342463774  0    0   670
00097:   4.000 Mbit/s    0 ms   10 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  7 ip           0.0.0.0/0           0.0.0.199/0     2614618 2090602386  0    0  2274

  As you can guess, the last column is the drop byte count.

  And as wardriving tactics, you can use the "pftop -v speed -o rate" command
to see the ip number of offending machines.
  Using a simple pipe you can drop the connection to a single safe limit and
leave other users in peace.
  You just need to place the pipe before the others.

   I hope this helps.

TIA,
Luiz Vaz
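
Added example (not part of the original message): a small sh/awk filter that reads "ipfw pipe show" output like the listing above and ranks LAN hosts by the value in the Drp column, re-joining bucket rows that were wrapped onto a second line. The names top_droppers, sample_output and PREFIX are made up for this example; PREFIX assumes the 192.168.1.0/24 subnet used in the message.

```shell
#!/bin/sh
# Added example: rank LAN hosts by the Drp column of `ipfw pipe show`.
# PREFIX is an assumption taken from SUBNET="192.168.1.0/24" in the message.
PREFIX="192.168.1"

# Reads `ipfw pipe show` text on stdin and prints "pipe host drops" for every
# flow whose Drp value is above zero, highest first. Bucket rows that were
# wrapped onto a second line are re-joined before the fields are read.
top_droppers() {
    awk -v prefix="$PREFIX" '
    function emit(   f, n, host) {
        n = split(row, f, " "); row = ""
        if (n < 9) return                           # incomplete row, skip it
        host = (f[3] != "0.0.0.0/0") ? f[3] : f[4]  # masked side holds the host octet
        sub(/^0\.0\.0\./, "", host); sub(/\/.*/, "", host)
        if (f[9] + 0 > 0) print pipe, prefix "." host, f[9]
    }
    /^[0-9]+:/       { if (row != "") emit(); pipe = $1; sub(/:$/, "", pipe); pipe += 0; next }
    /^ *[0-9]+ +ip / { if (row != "") emit(); row = $0; next }   # start of a bucket row
    /^[ 0-9]+$/      { if (row != "") row = row " " $0; next }   # wrapped remainder
    END              { if (row != "") emit() }
    ' | sort -k3,3nr -k1,1n
}

# Rows excerpted from the listing in the message; the last one is already on
# a single line, the others are wrapped as a mail client would leave them.
sample_output() {
cat <<'EOF'
00100: 250.000 Mbit/s    0 ms   10 sl. 32 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte
Drp
  0 ip         0.0.0.128/0             0.0.0.0/0     1538   261999  0    0
0
 12 ip           0.0.0.6/0             0.0.0.0/0     1325082 393705846  0
0 71262
00200: 250.000 Mbit/s    0 ms   10 sl. 51 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
 44 ip           0.0.0.0/0           0.0.0.172/0     5212405 6267682004
0    0 3989
 28 ip           0.0.0.0/0           0.0.0.156/0     59815 60947589  0    0 84
EOF
}

sample_output | top_droppers
```

On a live gateway the same filter would be fed with "ipfw pipe show | top_droppers"; hosts at the top of the list are the ones pushing hardest against their pipe.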
