From: Paul Chvostek
Date: Wed, 9 Jan 2002 01:58:23 -0500
To: isp-webhosting@isp-webhosting.com, freebsd-isp@FreeBSD.ORG
Subject: Re: Restricting Users Geographically
Message-ID: <20020109015823.A25751@mail.it.ca>
In-Reply-To: <5.1.0.14.2.20020108234616.02a93008@mailbox.samurai.com>
References: <20020109121814.E13438@webjump.national.com.au> <5.1.0.14.2.20020108234616.02a93008@mailbox.samurai.com>

On Tue, Jan 08, 2002 at 11:54:29PM -0500, Blake Crosby wrote:
>
> The thing that bothers me is this... My webserver has a finite amount of
> resources. When someone, say, from Japan (which there are three mirrors
> for) accesses the mirror, they are using resources that potential
> Canadians could use.

Potential Canadians (as well as established ones) are equally free to use
a Japanese mirror if the resources of a local one are full. Most mirrors
put limits on the number of simultaneous connections. You could too. And
if a Canadian can't grab data from your host, he'll check for another
that's less full.

The reality of the 'Net is that physical location often bears little on
how "close" hosts are to each other. It was worse years ago, but I still
see traceroutes across town that go through three or four US cities, and
traceroutes to other continents with hop counts in the single digits.

> I want to contribute to the project, but I cannot afford hundreds of
> dollars a month to keep the mirror up

Good point. That reminds me.... ;-)

> - so I bandwidth limited traffic. So not only are server resources
> being taxed by non-Canadians, bandwidth is as well.

Very patriotic, but why would it be more appropriate for you to serve
content to a Sprint-connected host in Kelowna than a Reptiles-connected
host in Pakistan? The distribution of resources, if done using any
mechanism besides random chance, should be done in such a way as to
reduce overall traffic.

> This way, Canadians have exclusive access to the mirror. (Well, anyone
> with a .com .net .org .edu domain name as well.) The non-Canadians can
> use one of the many mirrors in the USA or their home country.

And hosts without valid reverse DNS are presumably out of luck as well.

The bandwidth limitation idea seemed like a good one. You're running
FreeBSD, right? (Lemme check the console ... yeah.) So do some of your
own traffic shaping. If you want a dedicated IP address for your mirror,
ask your ISP; they can certainly accommodate your request, perhaps even
at no charge. Then do something like:

    ipfw pipe 10 config bw 64Kbit/s
    ipfw add 250 pipe 10 ip from www2.ca.postgresql.org to 210.0.0.0/7 out
    ipfw add 250 pipe 10 ip from www2.ca.postgresql.org to 193.0.0.0/8 out
    ipfw add 250 pipe 10 ip from www2.ca.postgresql.org to 194.0.0.0/7 out

etc. I'm sure that with a little research in your logs (or at ARIN et al)
you will have the bulk of the overseas stuff covered.

Alternately.... For every inbound connection, let 'em log on and start
some traffic. For every new connection, launch a background process which
looks up the IP address at whois.ra.net and whois.arin.net. Take the
first line from ra.net with the word "origin:", and that's supposed to be
the AS number that's responsible for routing. Look up that ASN at
whois.arin.net, and if the result does not include the regexp /\/, null
route 'em. Or ipfw deny their traffic. And store the result in a local db
for quicker lookup next time that host connects. (Don't just store the
IP, instead store the CIDR block that was given in the first line of
output from whois.ra.net.)

And if after all that you feel that the time to develop all this has been
well spent, you must be paying too much for your bandwidth. ;-)

--
Paul Chvostek
Operations / Development / Abuse / Whatever
vox: +1 416 598-0000
it.canada
http://www.it.ca/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
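The whois-based classification and the CIDR-keyed cache sketched in the message above, as an added Python example that is not part of the original post or of any project: the whois replies are constructed stand-ins embedded inline, the regexp the post matches against the ARIN record is not legible in the archive so a `Country: CA` match is assumed, and `parse_route`, `Classifier` and the sample data are names introduced here.

```python
import ipaddress
import re
from typing import Optional, Tuple

ROUTE_RE = re.compile(r"^route:\s*(\S+)", re.M)      # CIDR on the first route: line
ORIGIN_RE = re.compile(r"^origin:\s*(AS\d+)", re.M)  # ASN on the first origin: line
# Assumed stand-in for the regexp the post matches against the ARIN record.
LOCAL_RE = re.compile(r"^Country:\s*CA\b", re.M)

# Constructed sample replies standing in for whois.ra.net (route objects,
# keyed by queried IP) and whois.arin.net (ASN records, keyed by ASN).
ROUTE_WHOIS = {
    "198.51.100.7": "route:   198.51.100.0/24\ndescr:   example ISP\norigin:  AS64496\n",
    "203.0.113.9": "route:   203.0.113.0/24\ndescr:   example NIR\norigin:  AS64500\n",
}
ASN_WHOIS = {
    "AS64496": "ASNumber: 64496\nASName:   EXAMPLE-CA\nCountry:  CA\n",
    "AS64500": "ASNumber: 64500\nASName:   EXAMPLE-FAR\nCountry:  JP\n",
}

def parse_route(text: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Return (CIDR block, origin ASN) from a route object, or None if absent."""
    r, o = ROUTE_RE.search(text), ORIGIN_RE.search(text)
    if not r or not o:
        return None
    return ipaddress.ip_network(r.group(1), strict=False), o.group(1)

class Classifier:
    """Decide per client whether it is 'local'; cache the answer per CIDR block."""

    def __init__(self, route_db=ROUTE_WHOIS, asn_db=ASN_WHOIS):
        self.route_db, self.asn_db = route_db, asn_db
        self.cache = {}    # CIDR block -> bool, as the post suggests (not per IP)
        self.lookups = 0   # counts simulated whois round trips

    def is_local(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for block, local in self.cache.items():
            if addr in block:          # any host in a known block is answered
                return local           # without another lookup
        self.lookups += 1
        parsed = parse_route(self.route_db.get(ip, ""))
        if parsed is None:
            return False               # no route object: policy choice, not cached
        block, asn = parsed
        local = bool(LOCAL_RE.search(self.asn_db.get(asn, "")))
        self.cache[block] = local
        return local
```

A real deployment would replace the two dictionaries with actual whois queries and feed the result to an ipfw pipe or deny rule; the cache keyed by block is what keeps the second host from the same network from costing another lookup.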