On Thu, Jul 17, 2008 at 7:22 AM, Luiz Vaz <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> there is a better solution: ipfw and pipe.
> I'm working on a package that simplifies the job, but it is getting harder to
> make it flexible.
>
> Just load ipfw.ko and dummynet.ko.
>
> To control everyone in your LAN use these rules:
>
> SUBNET="192.168.1.0/24"
> LIMIT_PIPEIN="250Kbit/s"
> LIMIT_PIPEOUT="250Kbit/s"
> ipfw add pipe 100 ip from ${SUBNET} to any
> ipfw add pipe 200 ip from any to ${SUBNET}
> ipfw pipe 100 config mask src-ip 0x000000ff bw ${LIMIT_PIPEOUT} queue 10
> ipfw pipe 200 config mask dst-ip 0x000000ff bw ${LIMIT_PIPEIN} queue 10
>
> Just change the subnet and limit vars to your own needs.
> Remember, the limit must be 30% less than real.
>
> If you put the whole bandwidth value, like "4Mbit/s", everyone will use this
> upper limit.
> But if you want up to 15 people using this at the same time without fighting
> each other over download rate, set the value to "250Kbit/s".
> This will fix a hard limit of around 25KB/s for every machine on your LAN.
> Remember this: every machine, not every connection.
>
> The great villain today is p2p.
> With these settings, no matter how many connections one machine makes, the limit
> will be respected.
> It's transparent to the user.
>
> Take a deep look at MASK and SUBNET.
> My sample uses a subnet with the last OCTET open, and the MASK will match the
> last OCTET too.
> So the pipes will be dynamically created for every single IP on the LAN,
> from 1 to 254.
>
> As many pipes can be created as you wish.
> But the matching sequence is top-down.
> The first matching pipe takes control.
>
> Ex.: You wish to unlock one machine and not the others.
> Place 2 pipes before 00100 and 00200,
> like 00096 and 00097.
>
> Using the "ipfw show" command you will see this:
>
> # ipfw show
> 00096 1979400 342455858 pipe 96 ip from 192.168.1.199 to any
> 00097 2614619 2089783809 pipe 97 ip from any to 192.168.1.199
> 00100 93382187 27428427675 pipe 100 ip from 192.168.1.0/24 to any
> 00200 96107581 63006151656 pipe 200 ip from any to 192.168.1.0/24
> 65535 178815274 89112098498 allow ip from any to any
>
> The numbers after the pipe id are the byte counts running through the pipe.
> Using the "ipfw pipe show" command you will see how much the users are
> trying to overflow your rule:
>
> # ipfw pipe show
> 00100: 250.000 Mbit/s 0 ms 10 sl. 32 queues (64 buckets) droptail
>     mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 ip   0.0.0.128/0   0.0.0.0/0        1538    261999  0  0      0
>   2 ip   0.0.0.65/0    0.0.0.0/0          12       504  0  0      0
>   4 ip   0.0.0.2/0     0.0.0.0/0      428723 204387674  0  0   5999
>   6 ip   0.0.0.195/0   0.0.0.0/0        1958    333940  0  0      0
>   8 ip   0.0.0.4/0     0.0.0.0/0        2252    275042  0  0      0
>  10 ip   0.0.0.5/0     0.0.0.0/0          23       986  0  0      0
>  12 ip   0.0.0.6/0     0.0.0.0/0     1325082 393705846  0  0  71262
>  14 ip   0.0.0.71/0    0.0.0.0/0        2494    446546  0  0      0
>  16 ip   0.0.0.104/0   0.0.0.0/0      113053   5149188  0  0      0
>  18 ip   0.0.0.9/0     0.0.0.0/0       19386   3502548  0  0     33
>  20 ip   0.0.0.10/0    0.0.0.0/0          25      2068  0  0      0
>  22 ip   0.0.0.11/0    0.0.0.0/0        2408    560263  0  0      0
>  24 ip   0.0.0.172/0   0.0.0.0/0     1267730 186456524  0  0    687
>  26 ip   0.0.0.77/0    0.0.0.0/0       37047   2376900  0  0      0
>  28 ip   0.0.0.78/0    0.0.0.0/0         717    138436  0  0      0
>  30 ip   0.0.0.175/0   0.0.0.0/0      145990  25002406  0  0      0
>  32 ip   0.0.0.80/0    0.0.0.0/0          15      4640  0  0      0
>  34 ip   0.0.0.113/0   0.0.0.0/0      604247  82553217  0  0      4
>  36 ip   0.0.0.178/0   0.0.0.0/0          41      3344  0  0      0
>  38 ip   0.0.0.179/0   0.0.0.0/0       54740  29536883  0  0      0
>  40 ip   0.0.0.180/0   0.0.0.0/0       22377   5160831  0  0      0
>  42 ip   0.0.0.85/0    0.0.0.0/0           8       320  0  0      0
>  44 ip   0.0.0.22/0    0.0.0.0/0          87     52470  0  0      0
>  46 ip   0.0.0.87/0    0.0.0.0/0          36      9360  0  0      0
>  48 ip   0.0.0.184/0   0.0.0.0/0      498850 106375209  0  0    186
>  50 ip   0.0.0.185/0   0.0.0.0/0      282755  21496479  0  0     18
>  52 ip   0.0.0.186/0   0.0.0.0/0       32043   2909375  0  0      5
>  54 ip   0.0.0.187/0   0.0.0.0/0         134     22753  0  0      0
>  56 ip   0.0.0.188/0   0.0.0.0/0       51862   8719019  0  0      1
>  58 ip   0.0.0.253/0   0.0.0.0/0        2280    191520  0  0      0
>  60 ip   0.0.0.254/0   0.0.0.0/0       24078   4307650  0  0      0
>  62 ip   0.0.0.191/0   0.0.0.0/0      420445  84129550  0  0  10510
> 00200: 250.000 Mbit/s 0 ms 10 sl. 51 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 ip   0.0.0.0/0     0.0.0.128/0      1614    1639211  0  0      0
>   1 ip   0.0.0.0/0     0.0.0.193/0      4146    1423068  0  0      0
>   2 ip   0.0.0.0/0     0.0.0.2/0      499608  110165721  0  0      0
>   3 ip   0.0.0.0/0     0.0.0.195/0    565597  542001439  0  0    616
>   4 ip   0.0.0.0/0     0.0.0.4/0        5380     507328  0  0      0
>   5 ip   0.0.0.0/0     0.0.0.5/0          42       2016  0  0      0
>   6 ip   0.0.0.0/0     0.0.0.6/0     1778468  521251221  0  0     14
>   7 ip   0.0.0.0/0     0.0.0.71/0       1353    1483972  0  0      0
>   8 ip   0.0.0.0/0     0.0.0.72/0        422     342681  0  0      0
>   9 ip   0.0.0.0/0     0.0.0.9/0      612960   94121018  0  0      2
>  10 ip   0.0.0.0/0     0.0.0.10/0         54       3452  0  0      0
>  11 ip   0.0.0.0/0     0.0.0.11/0       5676     613236  0  0      0
>  13 ip   0.0.0.0/0     0.0.0.77/0      39431   57411576  0  0      0
>  14 ip   0.0.0.0/0     0.0.0.78/0     843312 1053472608  0  0      3
>  17 ip   0.0.0.0/0     0.0.0.81/0     204706  158179424  0  0      6
>  18 ip   0.0.0.0/0     0.0.0.82/0      22483   31087242  0  0      0
>  19 ip   0.0.0.0/0     0.0.0.83/0          4        192  0  0      0
>  20 ip   0.0.0.0/0     0.0.0.84/0         28       1344  0  0      0
>  21 ip   0.0.0.0/0     0.0.0.85/0         68       3264  0  0      0
>  22 ip   0.0.0.0/0     0.0.0.86/0         12        576  0  0      0
>  23 ip   0.0.0.0/0     0.0.0.87/0         40       1920  0  0      0
>  25 ip   0.0.0.0/0     0.0.0.153/0    211070  239419017  0  0    107
>  27 ip   0.0.0.0/0     0.0.0.219/0    167729  162480742  0  0      4
>  28 ip   0.0.0.0/0     0.0.0.156/0     59815   60947589  0  0     84
>  34 ip   0.0.0.0/0     0.0.0.98/0     111816  102888848  0  0      0
>  35 ip   0.0.0.0/0     0.0.0.99/0     684097  500834043  0  0     31
>  36 ip   0.0.0.0/0     0.0.0.100/0      5494    3666021  0  0      0
>  37 ip   0.0.0.0/0     0.0.0.165/0         2         96  0  0      0
>  38 ip   0.0.0.0/0     0.0.0.166/0   1786343 1561800683  0  0    834
>  40 ip   0.0.0.0/0     0.0.0.104/0    144671  121344840  0  0      0
>  41 ip   0.0.0.0/0     0.0.0.169/0    149936  108076810  0  0      0
>  42 ip   0.0.0.0/0     0.0.0.106/0       484     508594  0  0      0
>  43 ip   0.0.0.0/0     0.0.0.171/0     37009   19659460  0  0      3
>  44 ip   0.0.0.0/0     0.0.0.172/0   5212405 6267682004  0  0   3989
>  46 ip   0.0.0.0/0     0.0.0.110/0    712120  696809804  0  0     14
>  47 ip   0.0.0.0/0     0.0.0.175/0    805743  917088747  0  0     25
>  48 ip   0.0.0.0/0     0.0.0.112/0         3        156  0  0      0
>  49 ip   0.0.0.0/0     0.0.0.113/0    473642  476308496  0  0    159
>  50 ip   0.0.0.0/0     0.0.0.178/0       144     189095  0  0      0
>  51 ip   0.0.0.0/0     0.0.0.179/0    784653  703058192  0  0    489
>  52 ip   0.0.0.0/0     0.0.0.180/0   1061499  992725601  0  0    349
>  53 ip   0.0.0.0/0     0.0.0.181/0   1028155  995858017  0  0    510
>  55 ip   0.0.0.0/0     0.0.0.183/0      7284    1136112  0  0      0
>  56 ip   0.0.0.0/0     0.0.0.184/0    719729  713345549  0  0    393
>  57 ip   0.0.0.0/0     0.0.0.185/0   4234563 5775756563  0  0     26
>  58 ip   0.0.0.0/0     0.0.0.186/0     12703    1598672  0  0      0
>  59 ip   0.0.0.0/0     0.0.0.187/0   1081355  956160566  0  0   2411
>  60 ip   0.0.0.0/0     0.0.0.188/0    361657  347005632  0  0    140
>  61 ip   0.0.0.0/0     0.0.0.189/0    448630  353813772  0  0    168
>  62 ip   0.0.0.0/0     0.0.0.254/0     13981    1004138  0  0      0
>  63 ip   0.0.0.0/0     0.0.0.191/0    206388  138061610  0  0    247
> 00096: 4.000 Mbit/s 0 ms 10 sl. 1 queues (64 buckets) droptail
>     mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  14 ip   0.0.0.199/0   0.0.0.0/0     1979399  342463774  0  0    670
> 00097: 4.000 Mbit/s 0 ms 10 sl. 1 queues (64 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   7 ip   0.0.0.0/0     0.0.0.199/0   2614618 2090602386  0  0   2274
>
> As you can guess, the last column is the dropped packet count.
>
> And as a wardriving tactic, you can use the "pftop -v speed -o rate" command to
> see the IP numbers of offending machines.
> Using a simple pipe you can drop the connection to a single safe limit and
> leave other users in peace.
> You just need to place the pipe before the others.
>
> I hope this helps.
>
> TIA,
> Luiz Vaz
>
I do not think there is much safety doing this in 1.2, since you have
to be very careful.
Actually 1.3 is the one that has support for this today, and it is ALPHA.
So please do not advise something that really needs knowledge of
how to handle its caveats.
--
Ermal
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
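The per-host limit, the "exempt one machine by numbering its rules ahead of the subnet rules" trick, and the drop counters from Luiz's post, as an added example that is not code from the thread or from pfSense: a POSIX sh script that prints (or applies) the ipfw/dummynet commands with the exemption rules numbered ahead of the subnet rules, applies the 30% headroom arithmetically, and reads `ipfw pipe show` output to list which hosts are being dropped. The subnet, link speed, exempt host, rule numbers and the `show`/`apply`/`drops` arguments are assumptions for illustration. Ermal's caveat about 1.2 still applies; the default here is dry-run so the commands can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original thread): per-host rate limiting with
# ipfw + dummynet, with one exempt host, plus a drop summary for `ipfw pipe show`.
# Subnet, link speed, exempt host and rule numbers below are assumed values.

SUBNET="${SUBNET:-192.168.1.0/24}"
LINK_KBIT="${LINK_KBIT:-4000}"          # real link speed in Kbit/s (assumed)
PER_HOST_KBIT="${PER_HOST_KBIT:-250}"   # per-host ceiling, as in the post
EXEMPT_HOST="${EXEMPT_HOST:-192.168.1.199}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the ipfw commands, 0 = run them

# The post says the pipe must be ~30% below the real link speed; compute it
# instead of setting it by hand so the headroom is applied consistently.
headroom_kbit() {
    echo $(( $1 * 7 / 10 ))
}

# Print or execute one ipfw command, depending on DRY_RUN.
ipfw_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

# Rule order matters: ipfw matches top-down and the first matching pipe wins,
# so the exemption (rules 96/97) must carry lower numbers than the LAN rules
# (100/200). Emitting them from one function keeps that ordering fixed.
build_rules() {
    link=$(headroom_kbit "$LINK_KBIT")

    # Exempt host: its own pipe per direction at the (headroom-adjusted) link speed.
    ipfw_cmd add 96 pipe 96 ip from "$EXEMPT_HOST" to any
    ipfw_cmd add 97 pipe 97 ip from any to "$EXEMPT_HOST"
    ipfw_cmd pipe 96 config bw "${link}Kbit/s" queue 10
    ipfw_cmd pipe 97 config bw "${link}Kbit/s" queue 10

    # Everyone else: one pipe per direction, split into one dynamic queue per
    # host by masking the last octet of the LAN-side address, so the bw value
    # is a per-machine ceiling rather than a shared one.
    ipfw_cmd add 100 pipe 100 ip from "$SUBNET" to any
    ipfw_cmd add 200 pipe 200 ip from any to "$SUBNET"
    ipfw_cmd pipe 100 config mask src-ip 0x000000ff bw "${PER_HOST_KBIT}Kbit/s" queue 10
    ipfw_cmd pipe 200 config mask dst-ip 0x000000ff bw "${PER_HOST_KBIT}Kbit/s" queue 10
}

# Read `ipfw pipe show` output on stdin and print "drops pipe=N host" for every
# queue that has dropped packets, highest first. Queue rows have 9 columns:
# BKT Prot Src Dst Tot_pkt Tot_bytes Pkt Byte Drp; masked-out octets show as 0,
# so only the last octet of the host is recoverable from this output.
top_droppers() {
    awk '
        /^[0-9]+:/ { pipe = substr($1, 1, length($1) - 1); next }
        NF == 9 && $1 ~ /^[0-9]+$/ && $9 > 0 {
            host = ($3 == "0.0.0.0/0") ? $4 : $3   # whichever side carries the masked octet
            sub(/\/0$/, "", host)
            printf "%d pipe=%s %s\n", $9, pipe, host
        }' | sort -rn
}

case "${1:-}" in
    show)  DRY_RUN=1; build_rules ;;
    apply) DRY_RUN=0; build_rules ;;
    drops) top_droppers ;;          # e.g. ipfw pipe show | sh ratelimit.sh drops
esac
```

Run it with `show` to review the ruleset, `apply` as root to load it (after `kldload ipfw dummynet`), and pipe `ipfw pipe show` into `drops` to see which last octets are hitting their ceiling; with the default values the exempt host's pipes come out at 2800Kbit/s and everyone else at 250Kbit/s per machine.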