From owner-freebsd-hubs Tue Dec 3 7:13:31 2002
Delivered-To: freebsd-hubs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C35537B401 for ; Tue, 3 Dec 2002 07:13:30 -0800 (PST)
Received: from coe.ufrj.br (roma.coe.ufrj.br [146.164.53.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4D7B43E9C for ; Tue, 3 Dec 2002 07:13:25 -0800 (PST) (envelope-from jonny@jonny.eng.br)
Received: from jonny.eng.br (localhost [127.0.0.1]) by coe.ufrj.br (Postfix) with ESMTP id 1B481D9003; Tue, 3 Dec 2002 13:13:22 -0200 (BRST)
Message-ID: <3DECCA1F.2060201@jonny.eng.br>
Date: Tue, 03 Dec 2002 13:13:35 -0200
From: Joao Carlos Mendes Luis
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2a) Gecko/20020910
X-Accept-Language: en,pt-BR
MIME-Version: 1.0
To: Lukas Ertl
Cc: Alexandr Kovalenko, freebsd-hubs@FreeBSD.ORG
Subject: Re: Policy question for cvsup mirrors
References: <20021203140220.GA54502@ldc.ro> <20021203150911.N29570-100000@pcle2.cc.univie.ac.at> <20021203143025.GA70644@nevermind.kiev.ua> <20021203153537.C29570-100000@pcle2.cc.univie.ac.at>
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-hubs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Lukas Ertl wrote:
> On Tue, 3 Dec 2002, Alexandr Kovalenko wrote:
>
>> On Tue, Dec 03, 2002 at 03:14:12PM +0100, you wrote:
>>
>>> le, still looking for an automatism to block aggressive ftp leechers and
>>> their "super-download-booster-scripts"...
>>
>> # Outgoing traffic shaping (3Mbit/sec/ip for uid ftp)
>> ${fwcmd} pipe 1 config mask src-ip 0xffffffff dst-ip 0xffffffff bw 3Mbit/sec
>> ${fwcmd} add 2000 pipe 1 tcp from 212.40.32.113 to any uid ftp out xmit xl0
>
> I already use ipfw and traffic shaping (besides that our routers limit
> outgoing traffic too), but that isn't the problem - someone who has a
> cable or DSL connection at home doesn't get more bandwidth if he has 50
> connections open or 5.
>
> The problem is that some aggressive download scripts open dozens of
> connections to the same file, but at varying offsets, although I don't see
> the reason for that - he doesn't get faster downloads than his bandwidth
> at home allows. But for each connection there's a server process running
> that uses resources, and since I limit the maximum number of connections
> others may get locked out if others use more than necessary. Also, if I
> set a maximum-connections-per-host limit (as I do), the ftp daemon has to
> do work to establish the tcp connection, look into its database to see
> that the limit is reached and throw the client back out again.
>
> All this simply isn't necessary, so I usually scan the logs from time to
> time to check for aggressive leechers (e.g. those that have their share
> of connections but still try twice per second to open a new connection)
> and block them temporarily with "ipfw add deny..."

Taken from the ipfw manual:

    ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
    ipfw add allow tcp from any to me setup limit src-addr 4

The former (assuming it runs on a gateway) will allow each host on a /24
network to open at most 10 TCP connections. The latter can be placed on a
server to make sure that a single client does not use more than 4
simultaneous connections.

Is this a solution for you?

I personally use pure-ftpd with a maximum-connections-per-host limit. Is
this so bad for you, to start the daemon and then close it again?
Jonny

--
João Carlos Mendes Luís - Networking Engineer - jonny@jonny.eng.br

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hubs" in the body of the message
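Lukas describes scanning the logs by hand for clients that keep trying to open new connections several times a second and then blocking them with "ipfw add deny". The following POSIX sh script is an added example of that scan, written for this archive page; it is not code from the thread, from ipfw, or from pure-ftpd. It reads a connection log, flags any client address with more than a given number of connect events inside one time bucket, and prints matching ipfw deny rules (using the "setup" and "to me" keywords as they appear in the manual excerpt above) for an operator to review rather than executing them. The log format, the addresses and the thresholds are all constructed for the example; a real ftpd or syslog line needs its own awk field positions.

```shell
#!/bin/sh
# Added example, not code from the thread: flag FTP clients that open new
# connections faster than a threshold and print ipfw deny rules for review.
# The log format and sample data are constructed for this example;
# a real ftpd/syslog line will need different awk field positions.

# Constructed sample log: "<epoch-seconds> <client-ip> <event>"
# 192.0.2.10 hammers the server (4 connects in one second);
# 198.51.100.7 and 203.0.113.5 behave normally.
SAMPLE_LOG='1038920000 192.0.2.10 connect
1038920000 192.0.2.10 connect
1038920001 192.0.2.10 connect
1038920001 192.0.2.10 connect
1038920001 192.0.2.10 connect
1038920001 192.0.2.10 connect
1038920002 192.0.2.10 connect
1038920000 198.51.100.7 connect
1038920030 198.51.100.7 connect
1038920060 198.51.100.7 connect
1038920000 203.0.113.5 connect
1038920000 203.0.113.5 connect
1038920001 203.0.113.5 login
1038920001 203.0.113.5 connect'

# find_leechers MAX_PER_WINDOW WINDOW_SECONDS
# Reads log lines on stdin and prints, one per line and sorted, every client
# address with more than MAX_PER_WINDOW connect events inside a single fixed
# WINDOW_SECONDS bucket. Fixed buckets are a deliberate simplification: a
# burst that straddles a bucket boundary is under-counted, so choose the
# threshold with that in mind.
find_leechers() {
    awk -v max="$1" -v win="$2" '
    $3 == "connect" {
        bucket = int($1 / win)
        count[$2 " " bucket]++
    }
    END {
        for (key in count) {
            split(key, parts, " ")
            ip = parts[1]
            if (count[key] > max && !(ip in flagged)) {
                flagged[ip] = 1
                print ip
            }
        }
    }' | sort
}

# emit_deny_rules FIRST_RULE_NUMBER
# Reads flagged addresses on stdin and prints one ipfw rule per address that
# drops new connections (SYN, "setup") to the FTP control port. The rules
# are printed, not executed, so an operator can review them first and later
# lift a block with "ipfw delete <number>".
emit_deny_rules() {
    rule="$1"
    while read -r ip; do
        printf 'ipfw add %s deny tcp from %s to me 21 setup\n' "$rule" "$ip"
        rule=$((rule + 1))
    done
}

# Stand-alone run: flag anyone with more than 3 connects in one second.
printf '%s\n' "$SAMPLE_LOG" | find_leechers 3 1 | emit_deny_rules 1500
```

On the sample data only 192.0.2.10 is flagged, so the run prints a single rule, "ipfw add 1500 deny tcp from 192.0.2.10 to me 21 setup". The preventive "limit src-addr" rule from the manual excerpt and this reactive scan complement each other: the limit caps how many connections a client can hold, while the scan catches the client that already holds its share and keeps retrying anyway, which is exactly the case Lukas says the limit alone does not remove.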