From owner-freebsd-questions@FreeBSD.ORG Tue Mar 16 18:12:34 2010
Return-Path: <erik@barragry.com>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 31B991065675; Tue, 16 Mar 2010 18:12:34 +0000 (UTC) (envelope-from erik@barragry.com)
Received: from cork.barragry.com (cork.barragry.com [72.232.202.93]) by mx1.freebsd.org (Postfix) with ESMTP id 15B8C8FC26; Tue, 16 Mar 2010 18:12:33 +0000 (UTC)
Received: by cork.barragry.com (Postfix, from userid 1006) id 4F82B1D7DE4; Tue, 16 Mar 2010 13:12:33 -0500 (CDT)
Date: Tue, 16 Mar 2010 13:12:33 -0500
From: Erik Osterholm
To: FreeBSD <freebsd-questions@freebsd.org>
Message-ID: <20100316181233.GA28264@barragry.com>
References: <44634xpv38.fsf@be-well.ilk.org> <448w9s49ek.fsf@be-well.ilk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <448w9s49ek.fsf@be-well.ilk.org>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: limit bandwidth on sftp
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 16 Mar 2010 18:12:34 -0000

On Tue, Mar 16, 2010 at 10:40:35AM -0400, Lowell Gilbert wrote:
> krad writes:
>
> > On 15 March 2010 13:34, Lowell Gilbert <
> > freebsd-questions-local@be-well.ilk.org> wrote:
> >
> >> Tsu-Fan Cheng writes:
> >>
> >> > I need to limit my sftp session bandwidth to 20K, can someone show me
> >> how
> >> > to do it? thank you!
> >>
> >> There's no simple way to do that.
> >>
> >> scp has such a capability, though; maybe using that is your easiest option?
> >
> > You could limit port 22 with pf, ipfw etc. This would slow all your ssh
> > traffic rather than just sftp, which may or may not work for you. If you are
> > clever with your rule sets you could guarantee bw for certain hosts so they
> > don't lose a functional ssh session and/or you could bw limit it by source
> > ip, rather than a global limit for port 22.
>
> Aside from having to configure it, the downside of this approach is that
> it involves dropping some traffic and waiting for the retransmit, so it
> will be less efficient than a bandwidth limit in the application
> itself. TCP's dynamic window resizing (especially with Selective
> ACKnowledgements) should keep the firewall from having to drop too many
> packets, but changing conditions on the network can keep that from
> working as well as you'd like. If using this technique, make sure the
> other side supports SACK, preferably for multiple segments.

For what it's worth, I think most implementations of sftp/scp do not set
the PUSH flag when transmitting data. This, combined with ACK
prioritization, could allow you to shape sftp without affecting
interactive SSH sessions.

Erik
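Added example, not code from anyone in the thread: one way to put krad's pf suggestion and the ACK prioritization Erik mentions into a single pf.conf fragment for the FreeBSD 8-era pf/ALTQ stack. It relies on a documented pf.conf(5) behaviour: when a rule names two queues, TCP ACKs carrying no payload and packets marked TOS lowdelay are placed in the second queue, which is where interactive ssh keystrokes and the acknowledgements for a transfer in the other direction end up, while sftp/scp payload segments stay in the rate-limited first queue. The interface name em0, the 10Mb link rate, and the reading of Tsu-Fan Cheng's "20K" as 20 KB/s (about 160 Kb/s) are assumptions; the kernel must be built with ALTQ for any of this to load.

```pf
# pf.conf fragment (added example, not from the thread).
# Assumptions: kernel built with ALTQ, em0 is the outbound interface,
# 10Mb uplink, and "20K" means 20 KB/s, i.e. roughly 160 Kb/s.
ext_if = "em0"

# Queueing must appear before the filter rules in pf.conf.
# cbq child bandwidths must not exceed the parent: 9Mb + 160Kb + 840Kb = 10Mb.
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh_bulk, ssh_im }
queue std      bandwidth 9Mb   cbq(default)
queue ssh_bulk bandwidth 160Kb cbq              # sftp/scp payload, capped at ~20 KB/s
queue ssh_im   bandwidth 840Kb priority 7 cbq   # payload-less ACKs and TOS lowdelay traffic

# Outbound SSH: data segments go to ssh_bulk; per pf.conf(5), empty ACKs
# and lowdelay-marked packets (interactive sessions) go to ssh_im instead,
# so the shaped sftp queue does not starve interactive logins.
pass out on $ext_if proto tcp from any to any port 22 \
    flags S/SA keep state queue (ssh_bulk, ssh_im)
```

This shapes traffic leaving the host on em0, so it caps uploads from this machine and, indirectly, downloads to it (the returning data is paced by how fast our ACKs go out). To limit only one client rather than all of port 22, narrow the `from`/`to` addresses on the pass rule, as krad suggests. The application-side alternative Lowell refers to is scp's `-l` option, which takes its limit in Kbit/s, so `scp -l 160` corresponds to the same 20 KB/s.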