Hi all,
there is a better solution: ipfw and pipe.
I'm working on a package that simplifies the job, but it is getting harder to
make it flexible.
Just load ipfw.ko and dummynet.ko.
To control everyone in your LAN use these rules:
SUBNET="192.168.1.0/24"
LIMIT_PIPEIN="250Kbit/s"
LIMIT_PIPEOUT="250Kbit/s"
ipfw add pipe 100 ip from ${SUBNET} to any
ipfw add pipe 200 ip from any to ${SUBNET}
ipfw pipe 100 config mask src-ip 0x000000ff bw ${LIMIT_PIPEOUT} queue 10
ipfw pipe 200 config mask dst-ip 0x000000ff bw ${LIMIT_PIPEIN} queue 10
Just change the subnet and limit vars to your own needs.
Remember, the limit must be 30% less than the real one.
If you put the whole bandwidth value, like "4Mbit/s", everyone will use this
upper limit.
But if you want up to 15 people using this at the same time without fighting
with each other over download rate, place the value "250Kbit/s".
This will set a hard limit of around 25KB/s for every machine on your LAN.
Remember this: every machine, not every connection.
The great villain today is p2p.
With these settings, no matter how many connections a machine makes, the limit
will be respected.
It's transparent to the user.
Take a close look at MASK and SUBNET.
My sample uses a subnet with the last OCTET open, and the MASK will match the
last OCTET too.
So the pipes will be dynamically created for every single IP from the LAN,
starting from 1 to 254.
As many pipes can be created as you wish.
But the matching sequence is top-down.
The first matching pipe takes control.
Ex.: you wish to unlock one machine and not the others.
Place 2 pipes before 00100 and 00200.
Like 00096 and 00097.
Using the "ipfw show" command you will see this:
# ipfw show
00096 1979400 342455858 pipe 96 ip from 192.168.1.199 to any
00097 2614619 2089783809 pipe 97 ip from any to 192.168.1.199
00100 93382187 27428427675 pipe 100 ip from 192.168.1.0/24 to any
00200 96107581 63006151656 pipe 200 ip from any to 192.168.1.0/24
65535 178815274 89112098498 allow ip from any to any
The numbers after the pipe id are the counts of bytes running through the pipe.
Using the "ipfw pipe show" command you will see how much the users are
trying to overflow your rule:
# ipfw pipe show
00100: 250.000 Mbit/s 0 ms 10 sl. 32 queues (64 buckets) droptail
mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 ip 0.0.0.128/0 0.0.0.0/0 1538 261999 0 0 0
2 ip 0.0.0.65/0 0.0.0.0/0 12 504 0 0 0
4 ip 0.0.0.2/0 0.0.0.0/0 428723 204387674 0 0 5999
6 ip 0.0.0.195/0 0.0.0.0/0 1958 333940 0 0 0
8 ip 0.0.0.4/0 0.0.0.0/0 2252 275042 0 0 0
10 ip 0.0.0.5/0 0.0.0.0/0 23 986 0 0 0
12 ip 0.0.0.6/0 0.0.0.0/0 1325082 393705846 0 0 71262
14 ip 0.0.0.71/0 0.0.0.0/0 2494 446546 0 0 0
16 ip 0.0.0.104/0 0.0.0.0/0 113053 5149188 0 0 0
18 ip 0.0.0.9/0 0.0.0.0/0 19386 3502548 0 0 33
20 ip 0.0.0.10/0 0.0.0.0/0 25 2068 0 0 0
22 ip 0.0.0.11/0 0.0.0.0/0 2408 560263 0 0 0
24 ip 0.0.0.172/0 0.0.0.0/0 1267730 186456524 0 0 687
26 ip 0.0.0.77/0 0.0.0.0/0 37047 2376900 0 0 0
28 ip 0.0.0.78/0 0.0.0.0/0 717 138436 0 0 0
30 ip 0.0.0.175/0 0.0.0.0/0 145990 25002406 0 0 0
32 ip 0.0.0.80/0 0.0.0.0/0 15 4640 0 0 0
34 ip 0.0.0.113/0 0.0.0.0/0 604247 82553217 0 0 4
36 ip 0.0.0.178/0 0.0.0.0/0 41 3344 0 0 0
38 ip 0.0.0.179/0 0.0.0.0/0 54740 29536883 0 0 0
40 ip 0.0.0.180/0 0.0.0.0/0 22377 5160831 0 0 0
42 ip 0.0.0.85/0 0.0.0.0/0 8 320 0 0 0
44 ip 0.0.0.22/0 0.0.0.0/0 87 52470 0 0 0
46 ip 0.0.0.87/0 0.0.0.0/0 36 9360 0 0 0
48 ip 0.0.0.184/0 0.0.0.0/0 498850 106375209 0 0 186
50 ip 0.0.0.185/0 0.0.0.0/0 282755 21496479 0 0 18
52 ip 0.0.0.186/0 0.0.0.0/0 32043 2909375 0 0 5
54 ip 0.0.0.187/0 0.0.0.0/0 134 22753 0 0 0
56 ip 0.0.0.188/0 0.0.0.0/0 51862 8719019 0 0 1
58 ip 0.0.0.253/0 0.0.0.0/0 2280 191520 0 0 0
60 ip 0.0.0.254/0 0.0.0.0/0 24078 4307650 0 0 0
62 ip 0.0.0.191/0 0.0.0.0/0 420445 84129550 0 0 10510
00200: 250.000 Mbit/s 0 ms 10 sl. 51 queues (64 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 ip 0.0.0.0/0 0.0.0.128/0 1614 1639211 0 0 0
1 ip 0.0.0.0/0 0.0.0.193/0 4146 1423068 0 0 0
2 ip 0.0.0.0/0 0.0.0.2/0 499608 110165721 0 0 0
3 ip 0.0.0.0/0 0.0.0.195/0 565597 542001439 0 0 616
4 ip 0.0.0.0/0 0.0.0.4/0 5380 507328 0 0 0
5 ip 0.0.0.0/0 0.0.0.5/0 42 2016 0 0 0
6 ip 0.0.0.0/0 0.0.0.6/0 1778468 521251221 0 0 14
7 ip 0.0.0.0/0 0.0.0.71/0 1353 1483972 0 0 0
8 ip 0.0.0.0/0 0.0.0.72/0 422 342681 0 0 0
9 ip 0.0.0.0/0 0.0.0.9/0 612960 94121018 0 0 2
10 ip 0.0.0.0/0 0.0.0.10/0 54 3452 0 0 0
11 ip 0.0.0.0/0 0.0.0.11/0 5676 613236 0 0 0
13 ip 0.0.0.0/0 0.0.0.77/0 39431 57411576 0 0 0
14 ip 0.0.0.0/0 0.0.0.78/0 843312 1053472608 0 0 3
17 ip 0.0.0.0/0 0.0.0.81/0 204706 158179424 0 0 6
18 ip 0.0.0.0/0 0.0.0.82/0 22483 31087242 0 0 0
19 ip 0.0.0.0/0 0.0.0.83/0 4 192 0 0 0
20 ip 0.0.0.0/0 0.0.0.84/0 28 1344 0 0 0
21 ip 0.0.0.0/0 0.0.0.85/0 68 3264 0 0 0
22 ip 0.0.0.0/0 0.0.0.86/0 12 576 0 0 0
23 ip 0.0.0.0/0 0.0.0.87/0 40 1920 0 0 0
25 ip 0.0.0.0/0 0.0.0.153/0 211070 239419017 0 0 107
27 ip 0.0.0.0/0 0.0.0.219/0 167729 162480742 0 0 4
28 ip 0.0.0.0/0 0.0.0.156/0 59815 60947589 0 0 84
34 ip 0.0.0.0/0 0.0.0.98/0 111816 102888848 0 0 0
35 ip 0.0.0.0/0 0.0.0.99/0 684097 500834043 0 0 31
36 ip 0.0.0.0/0 0.0.0.100/0 5494 3666021 0 0 0
37 ip 0.0.0.0/0 0.0.0.165/0 2 96 0 0 0
38 ip 0.0.0.0/0 0.0.0.166/0 1786343 1561800683 0 0 834
40 ip 0.0.0.0/0 0.0.0.104/0 144671 121344840 0 0 0
41 ip 0.0.0.0/0 0.0.0.169/0 149936 108076810 0 0 0
42 ip 0.0.0.0/0 0.0.0.106/0 484 508594 0 0 0
43 ip 0.0.0.0/0 0.0.0.171/0 37009 19659460 0 0 3
44 ip 0.0.0.0/0 0.0.0.172/0 5212405 6267682004 0 0 3989
46 ip 0.0.0.0/0 0.0.0.110/0 712120 696809804 0 0 14
47 ip 0.0.0.0/0 0.0.0.175/0 805743 917088747 0 0 25
48 ip 0.0.0.0/0 0.0.0.112/0 3 156 0 0 0
49 ip 0.0.0.0/0 0.0.0.113/0 473642 476308496 0 0 159
50 ip 0.0.0.0/0 0.0.0.178/0 144 189095 0 0 0
51 ip 0.0.0.0/0 0.0.0.179/0 784653 703058192 0 0 489
52 ip 0.0.0.0/0 0.0.0.180/0 1061499 992725601 0 0 349
53 ip 0.0.0.0/0 0.0.0.181/0 1028155 995858017 0 0 510
55 ip 0.0.0.0/0 0.0.0.183/0 7284 1136112 0 0 0
56 ip 0.0.0.0/0 0.0.0.184/0 719729 713345549 0 0 393
57 ip 0.0.0.0/0 0.0.0.185/0 4234563 5775756563 0 0 26
58 ip 0.0.0.0/0 0.0.0.186/0 12703 1598672 0 0 0
59 ip 0.0.0.0/0 0.0.0.187/0 1081355 956160566 0 0 2411
60 ip 0.0.0.0/0 0.0.0.188/0 361657 347005632 0 0 140
61 ip 0.0.0.0/0 0.0.0.189/0 448630 353813772 0 0 168
62 ip 0.0.0.0/0 0.0.0.254/0 13981 1004138 0 0 0
63 ip 0.0.0.0/0 0.0.0.191/0 206388 138061610 0 0 247
00096: 4.000 Mbit/s 0 ms 10 sl. 1 queues (64 buckets) droptail
mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
14 ip 0.0.0.199/0 0.0.0.0/0 1979399 342463774 0 0 670
00097: 4.000 Mbit/s 0 ms 10 sl. 1 queues (64 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
7 ip 0.0.0.0/0 0.0.0.199/0 2614618 2090602386 0 0 2274
As you can guess, the last column is the drop byte count.
And as wardriving tactics, you can use the "pftop -v speed -o rate" command to
see the IP number of offending machines.
Using a simple pipe you can drop the connection to a single safe limit and
leave other users in peace.
You just need to place the pipe before the others.
I hope this helps.
TIA,
Luiz Vaz
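An added example, not the poster's package or rule set: a POSIX sh script that generates the ipfw/dummynet per-host limiter described in the post, derives the dummynet mask from the subnet's prefix length, and numbers exempted hosts below 100 so they match before pipes 100/200. The explicit rule numbers, the 4Mbit/s exempt rate, the `apply` argument and the kldstat/kldload loading are my assumptions; set IPFW=echo to preview the commands without applying them.

```shell
#!/bin/sh
# Added example (not the original poster's package): build the ipfw/dummynet
# per-host limiter from the post. Exempt hosts get rule numbers below 100 so
# they match before the general pipes 100/200. IPFW=echo previews commands.
IPFW="${IPFW:-ipfw}"
SUBNET="${SUBNET:-192.168.1.0/24}"
LIMIT_PIPEIN="${LIMIT_PIPEIN:-250Kbit/s}"
LIMIT_PIPEOUT="${LIMIT_PIPEOUT:-250Kbit/s}"
EXEMPT_BW="${EXEMPT_BW:-4Mbit/s}"   # assumed rate for the unlocked machines

# The post says to set the limit about 30% below the real link rate.
usable_kbit() { echo $(( $1 * 70 / 100 )); }

# Dummynet mask covering the host bits of a CIDR subnet (/24 -> 0x000000ff),
# so one queue is created per host address, as the post describes.
host_mask() {
    prefix="${1#*/}"
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    printf '0x%08x\n' $(( (1 << (32 - prefix)) - 1 ))
}

# emit_rules [exempt-host ...]: exempt rules 96..99 first, then 100/200.
emit_rules() {
    mask=$(host_mask "$SUBNET") || { echo "bad subnet: $SUBNET" >&2; return 1; }
    n=96
    for host in "$@"; do
        [ "$n" -lt 99 ] || { echo "at most 2 exempt hosts fit below 100" >&2; return 1; }
        $IPFW add $n pipe $n ip from "$host" to any
        $IPFW pipe $n config bw "$EXEMPT_BW" queue 10
        n=$((n + 1))
        $IPFW add $n pipe $n ip from any to "$host"
        $IPFW pipe $n config bw "$EXEMPT_BW" queue 10
        n=$((n + 1))
    done
    $IPFW add 100 pipe 100 ip from "$SUBNET" to any
    $IPFW add 200 pipe 200 ip from any to "$SUBNET"
    $IPFW pipe 100 config mask src-ip "$mask" bw "$LIMIT_PIPEOUT" queue 10
    $IPFW pipe 200 config mask dst-ip "$mask" bw "$LIMIT_PIPEIN" queue 10
}

# Apply for real only when run as: sh limiter.sh apply [exempt-host ...]
if [ "${1-}" = apply ]; then
    shift
    kldstat -q -m ipfw || kldload ipfw
    kldstat -q -m dummynet || kldload dummynet
    emit_rules "$@"
fi
```

Run as `IPFW=echo sh limiter.sh apply 192.168.1.199` to print the rule set that reproduces the 00096/00097/00100/00200 layout shown in the post's "ipfw show" output.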