Date: Sat, 20 Sep 2003 17:10:24 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-ipfw@FreeBSD.ORG
Subject: ssh/scp filtering, iplen problem
Message-ID: <200309201510.h8KFAOxL062601@lurza.secnetix.de>

Hi,

I would like to be able to differentiate between scp and
interactive ssh for traffic shaping. In other words: No more
than about 90% of the bandwidth should be available to scp
transfers (along with FTP and HTTP, but that's easy), and
the remaining 10% should be reserved for ssh and other
interactive protocols.

However, the obvious problem is that scp uses the ssh
protocol, so it's on the same port. So my idea was to
differentiate them by the size of the packets. The scp
packets usually use the full MTU size (1500), while the
interactive ssh packets are typically much smaller.

According to ipfw(8), there is an "iplen" option for
filtering -- but it filters on an exact size. What I need
is a way to specify a rule that matches on, say, packets
on port 22 that are larger than 1000 bytes.

Is that possible with IPFW2? If not -- is there any other
way to accomplish what I want to achieve?

Thanks a bunch in advance!

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you aim the gun at your foot and pull the trigger, it's UNIX's
job to ensure reliable delivery of the bullet to where you aimed the
gun (in this case, Mr. Foot)."
        -- Terry Lambert, FreeBSD-hackers mailing list.