Date:      Sat, 20 Sep 2003 17:10:24 +0200 (CEST)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-ipfw@FreeBSD.ORG
Subject:   ssh/scp filtering, iplen problem
Message-ID:  <200309201510.h8KFAOxL062601@lurza.secnetix.de>

Hi,

I would like to be able to differentiate between scp and
interactive ssh for traffic shaping.  In other words:  No
more than about 90% of the bandwidth should be available
to scp transfers (along with FTP and HTTP, but that's
easy), and the remaining 10% should be reserved for ssh
and other interactive protocols.

However, the obvious problem is that scp uses the ssh
protocol, so it's on the same port.  So my idea was to
differentiate them by the size of the packets.  The scp
packets usually use the full MTU size (1500), while the
interactive ssh packets are typically much smaller.

According to ipfw(8), there is an "iplen" option for
filtering -- but it filters on an exact size.  What I
need is a way to specify a rule that matches on, say,
packets on port 22 that are larger than 1000 bytes.
Is that possible with IPFW2?

If not -- is there any other way to accomplish what I
want to achieve?

Thanks a bunch in advance!

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you aim the gun at your foot and pull the trigger, it's
UNIX's job to ensure reliable delivery of the bullet to
where you aimed the gun (in this case, Mr. Foot)."
        -- Terry Lambert, FreeBSD-hackers mailing list.


