Date:      Sat, 15 Feb 2003 10:40:24 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Freebsd-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: using Dummynet to rate limit ftp
Message-ID:  <20030215104024.GB68671@happy-idiot-talk.infracaninophi>
In-Reply-To: <AGEHIFHGNEMPFNCPLONMEEPKEDAA.paul@compwest.com.au>
References:  <AGEHIFHGNEMPFNCPLONMEEPKEDAA.paul@compwest.com.au>

On Sat, Feb 15, 2003 at 08:24:58AM +0800, Paul Hamilton wrote:

> I have played around with dummynet a bit.  Very nice!  However, it would be
> nice to be able to rate limit ftp.  The control channel port 21 is easy, and
> not really necessary to rate limit it, but as far as I can see there would
> be no way to rate limit the data channel, as it could be different every
> time, even in passive mode.
> 
> Am I missing something?

No, you are entirely correct.  In order to properly filter (or for
that matter, rate limit) FTP and some other annoying protocols like
IRC DCC or Microsoft Media Streaming, you need to have a firewall that
understands at least part of the protocol, so that it can discover
what ports are being used for supplementary channels.  Or in other
words, the firewall has to start parsing the payload of packets,
rather than just the headers.

Now, that sounds quite reasonable, but it's really quite a minefield.
Consider that the TCP stream could be fragmented --- unlikely in
normal usage, but something a potential attacker might try --- or that
an attacker might be able to persuade your firewall to open up access
to ports or addresses it really shouldn't by sending a cunningly
modified FTP control exchange.

Combine that with the requirement that the firewall works speedily and
efficiently, and you can see that implementing such a system is by no
means trivial.

As far as I know, the only software available to do protocol aware
filtering with the native FreeBSD firewalls is natd(8), with its
'-punch_fw' option. (That also appears as the 'nat punch_fw' command
built into ppp(8), but it's the same code really).  Unfortunately that
doesn't help with your requirement to rate limit traffic on the
punched connection.

Now, there are some commercial firewalls that provide this sort of
functionality: Checkpoint FW-1 does, and you could feed your FreeBSD
habit by running it on one of those Nokia appliances based on FreeBSD
3.2...

Having a natd-like process that can hang off a divert socket,
interpret the FTP (or other) protocol traffic passed to it and open up
dynamic rules in ipfw(8) to permit traffic through the data channel or
push the data traffic through a dummynet rate limiter would be
exceedingly cool.  If only I had both the time and the talent to
implement such a thing.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

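The helper Matthew sketches above (a process on a divert socket that reads the FTP control channel, learns the data-channel endpoints, and pushes them through a dummynet pipe) is mostly a parsing and validation problem. The following is an added example written for this page, not code from natd(8), ppp(8) or any FreeBSD component: it tracks one control connection, reassembles PORT commands and 227 PASV replies that arrive split across TCP segments, refuses announcements that name a host other than the peer that sent them (the "cunningly modified control exchange" case) or a privileged port, and emits the ipfw rule text that would send the data channel through a pipe. The pipe number 1, the rule numbers starting at 1000, the IP addresses and the control-channel bytes are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed parameters for the example: the dummynet pipe the data channel
# should go through, and where dynamically added rule numbers start.
PIPE = 1
FIRST_RULE = 1000
MAX_LINE = 512  # drop a control line that never terminates (buffer-exhaustion guard)

# Client: "PORT h1,h2,h3,h4,p1,p2"   Server: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
SIX_OCTETS = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT\s+" + SIX_OCTETS + rb"\s*$", re.I)
PASV_RE = re.compile(rb"^227\s.*?" + SIX_OCTETS)


@dataclass
class Decision:
    rule: Optional[str]  # ipfw rule text to add, or None if the announcement was refused
    reason: str


class FtpControlTracker:
    """Tracks one FTP control connection (client_ip -> server_ip:21) and decides,
    per PORT/PASV announcement, which data-channel rule a firewall helper may add."""

    def __init__(self, client_ip: str, server_ip: str) -> None:
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.next_rule = FIRST_RULE
        self.bufs = {"client": b"", "server": b""}  # partial lines per direction
        self.decisions: List[Decision] = []

    @staticmethod
    def _decode(m):
        """Turn the six matched octets into (host, port); None if any octet > 255."""
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            return None
        return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]

    def _decide(self, announcer_ip: str, connector_ip: str, endpoint) -> Decision:
        """announcer_ip sent the announcement; connector_ip is the side that will
        open the data connection to the announced endpoint."""
        if endpoint is None:
            return Decision(None, "octet out of range")
        host, port = endpoint
        if host != announcer_ip:
            # Classic FTP bounce / hole punching: an endpoint asks the firewall to
            # open a path to a third party. Only trust addresses of the announcer.
            return Decision(None, f"announced {host} but control peer is {announcer_ip}")
        if port < 1024:
            return Decision(None, f"privileged port {port} refused")
        rule = f"add {self.next_rule} pipe {PIPE} tcp from {connector_ip} to {host} {port}"
        self.next_rule += 1
        return Decision(rule, "ok")

    def feed(self, direction: str, data: bytes) -> List[Decision]:
        """Feed bytes seen in one direction ("client" or "server"). A command may be
        split across segments, or several may share one, so buffer up to CRLF."""
        buf = self.bufs[direction] + data
        out: List[Decision] = []
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            if direction == "client":
                m = PORT_RE.match(line)
                if m:  # active mode: the server connects to the client's announced port
                    out.append(self._decide(self.client_ip, self.server_ip, self._decode(m)))
            else:
                m = PASV_RE.match(line)
                if m:  # passive mode: the client connects to the server's announced port
                    out.append(self._decide(self.server_ip, self.client_ip, self._decode(m)))
        if len(buf) > MAX_LINE:
            buf = b""  # a real helper would tear the connection down here
        self.bufs[direction] = buf
        self.decisions.extend(out)
        return out


if __name__ == "__main__":
    t = FtpControlTracker("192.0.2.10", "198.51.100.5")
    # Constructed traffic: a PORT command split over two segments, then a bounce attempt.
    t.feed("client", b"PORT 192,0,2,10,")
    t.feed("client", b"195,80\r\nPORT 203,0,113,9,0,25\r\n")
    t.feed("server", b"227 Entering Passive Mode (198,51,100,5,200,1)\r\n")
    for d in t.decisions:
        print(d)
```

The rule text is only what such a helper would hand to ipfw; actually installing it (and removing it when the data connection closes) is the part that makes the real implementation non-trivial, along with handling the control channel at line rate.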
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030215104024.GB68671>