From: Chris <eagletree@hughes.net>
Date: Thu, 14 Sep 2006 13:06:34 -0700
To: freebsd-questions@freebsd.org
Subject: Re: Under Attack: Bandwidth throttling on 5.2.1?
In-Reply-To: <4509B33B.80604@ee.duth.gr>

On Sep 14, 2006, at 12:53 PM, Panagiotis wrote:

> Chris wrote:
>
>> ...system, we could come back up I think and try to ride out the
>> attack. I've never done this before but in an earlier thread I
>> saw where you configure a pipe such as:
>>
>> ipfw pipe 1 config bw 256Kbit/s
>> ipfw add pipe 1 tcp from 192.168.1.2 80 to any
>>
>> then set in sysctl.conf
>> net.inet.ip.fw.one_pass=1
>>
>> Is that all that's necessary for this old a system or is there
>> anything else. If this is correct, would this keep this fellow
>> from crashing
>
> To use traffic shaping with IPFW you have to compile the kernel
> with the following options:
>
> options DUMMYNET
> options HZ=1000
>
> then you can add some lines like these to make your bandwidth limit
> work:
>
> #first flush all the previous pipes
> ipfw -q -f pipe flush
>
> ipfw pipe 1 config bw 256Kbit/s
> ipfw add pipe 1 tcp from any to any
>
> usually we use two pipes, one for download and one for upload, so
> you can try something like this:
>
> #first flush all the previous pipes
> ipfw -q -f pipe flush
>
> #upload bandwidth+download bandwidth=total bandwidth
> #pipe for upload
> ipfw pipe 1 config bw 128Kbit/s
> #pipe for download
> ipfw pipe 2 config bw 256Kbit/s
>
> server_port="20,21,80,443,995,...,etc"
> internal_network="192.168.0.0/24"
>
> #config upload
> ipfw add pipe 1 tcp from $internal_network to any $server_port
> #config download
> ipfw add pipe 2 tcp from any $server_port to $internal_network
>
> The variables "server_port" and "internal_network" are examples of
> course... :-)
> If you are running natd on your machine then you have to put the rules
> AFTER the divert natd rule, like these:
> ipfw add pipe 1 tcp from {external_ip} to any $server_port
> ipfw add pipe 2 tcp from any $server_port to $internal_network
>
> The net.inet.ip.fw.one_pass=1 must be set if you want your traffic
> to pass through the pipes and not continue at the next rules....
>
> Sorry for my bad English....

Thank you very much. Even rejecting the requests by referer has only
lessened the impact on the system and we are occasionally rebooting. It
has not let up all night. I will implement. Thank you again.

Chris
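Panagiotis's recipe, turned into a complete script for the case discussed in this thread (a server whose own listening ports are being flooded), is given below as an added example; it is not code from the thread or from FreeBSD. The port list, rates, interface name `em0`, the `use_natd` switch and the rule numbers 50/100/110 are assumptions for illustration. The function takes the command to run as its first argument, so `shape_rules echo` prints the ruleset for review before `shape_rules` (defaulting to `/sbin/ipfw`) is run for real. The kernel still needs `options DUMMYNET` and `net.inet.ip.fw.one_pass=1` in /etc/sysctl.conf, exactly as the reply says; `ipfw pipe show` afterwards confirms the pipes and their queue statistics.

```shell
#!/bin/sh
# Added example (not from the thread): builds the two-pipe dummynet
# configuration for a server whose own ports are under load.
# All values below are constructed placeholders; adjust to the real host.

server_ports="80,443"       # ports the attacked daemon listens on
upload_bw="128Kbit/s"       # budget for responses leaving the server
download_bw="256Kbit/s"     # budget for requests reaching the server
ext_if="em0"                # placeholder external interface name
use_natd="${use_natd:-no}"  # "yes" when natd sits in front of these rules

# shape_rules CMD: runs every ipfw invocation through CMD.
# Default is /sbin/ipfw; pass "echo" to print the rules without
# touching the firewall.
shape_rules() {
    ipfw="${1:-/sbin/ipfw}"

    # Flush stale pipes first so re-running the script is idempotent.
    $ipfw -q -f pipe flush

    # One pipe per direction; their sum is the total link budget.
    $ipfw pipe 1 config bw "$upload_bw"
    $ipfw pipe 2 config bw "$download_bw"

    # With natd the divert rule must precede the pipe rules so that
    # they see translated addresses; explicit rule numbers make the
    # ordering visible in 'ipfw show'.
    if [ "$use_natd" = "yes" ]; then
        $ipfw add 50 divert natd ip from any to any via "$ext_if"
    fi

    # Responses from the server's ports go through the upload pipe,
    # requests to those ports through the download pipe.  'me' matches
    # any address configured on this host.
    $ipfw add 100 pipe 1 tcp from me "$server_ports" to any out via "$ext_if"
    $ipfw add 110 pipe 2 tcp from any to me "$server_ports" in via "$ext_if"

    # With net.inet.ip.fw.one_pass=1 a packet accepted by a pipe rule
    # leaves the ruleset after shaping instead of re-entering it.
}
```

Running `shape_rules echo` first and diffing its output against the intended design is cheap insurance: a pipe rule placed before the divert rule, or a missing `in`/`out` qualifier, silently shapes the wrong traffic and leaves the flood untouched.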