Date: Sat, 15 Feb 2003 10:40:24 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Freebsd-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: using Dummynet to rate limit ftp
Message-ID: <20030215104024.GB68671@happy-idiot-talk.infracaninophi>
In-Reply-To: <AGEHIFHGNEMPFNCPLONMEEPKEDAA.paul@compwest.com.au>
References: <AGEHIFHGNEMPFNCPLONMEEPKEDAA.paul@compwest.com.au>
On Sat, Feb 15, 2003 at 08:24:58AM +0800, Paul Hamilton wrote:

> I have played around with dummynet a bit. Very nice! However, it would be
> nice to be able to rate limit ftp. The control channel port 21 is easy, and
> not really necessary to rate limit it, but as far as I can see there would
> be no way to rate limit the data channel, as it could be different every
> time, even in passive mode.
>
> Am I missing something?

No, you are entirely correct. In order to properly filter (or for that
matter, rate limit) FTP and some other annoying protocols like IRC DCC or
Microsoft Media Streaming, you need to have a firewall that understands at
least part of the protocol, so that it can discover what ports are being
used for supplementary channels. Or in other words, the firewall has to
start parsing the payload of packets, rather than just the headers.

Now, that sounds quite reasonable, but it's really quite a minefield.
Consider that the TCP stream could be fragmented --- unlikely in normal
usage, but something a potential attacker might try --- or that an attacker
might be able to persuade your firewall to open up access to ports or
addresses it really shouldn't by sending a cunningly modified FTP control
exchange. Combine that with the requirement that the firewall works
speedily and efficiently, and you can see that implementing such a system
is by no means trivial.

As far as I know, the only software available to do protocol aware
filtering with the native FreeBSD firewalls is natd(8), with its
'-punch_fw' option. (That also appears as the 'nat punch_fw' command built
into ppp(8), but it's the same code really). Unfortunately that doesn't
help with your requirement to rate limit traffic on the punched connection.

Now, there are some commercial firewalls that provide this sort of
functionality: Checkpoint FW-1 does, and you could feed your FreeBSD habit
by running it on one of those Nokia appliances based on FreeBSD 3.2...
Having a natd-like process that can hang off a divert socket, interpret the
FTP (or other) protocol traffic passed to it and open up dynamic rules in
ipfw(8) to permit traffic through the data channel or push the data traffic
through a dummynet rate limiter would be exceedingly cool. If only I had
both the time and the talent to implement such a thing.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH
UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
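The "minefield" Matthew describes is the part of the divert-socket helper that reads the FTP control channel and decides which data channel a dynamic rule (or dummynet pipe) may be created for. The example below is an added illustration and is not code from natd(8), ppp(8) or anyone on this thread: a minimal control-channel tracker that reassembles commands split across TCP segments, decodes the PORT command and the 227 passive-mode reply, and refuses to open a data channel unless the advertised address is the peer that actually spoke and the advertised port is unprivileged. The checks, the 512-byte line cap and the sample exchange are the author's own choices and constructed input, not something specified by the page; a production helper would also need EPRT/EPSV, IP-fragment reassembly and state timeouts.

```python
import re

# Constructed sample endpoints (RFC 5737 documentation addresses), as the
# firewall between them would know them from the control connection.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"

# Active mode: client tells the server where to connect (RFC 959 PORT).
PORT_RE = re.compile(rb"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# Passive mode: server tells the client where to connect (227 reply).
PASV_RE = re.compile(rb"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(text):
    """Turn b'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in text.split(b",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("malformed host/port tuple")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


class FtpChannelTracker:
    MAX_LINE = 512  # assumption: control lines are short; cap buffering

    def __init__(self, client_ip, server_ip):
        self.peer = {"client": client_ip, "server": server_ip}
        self.buf = {"client": b"", "server": b""}
        self.pinholes = []  # (src, dst, dst_port) the firewall would permit
        self.rejected = []  # (reason, line) for anything refused

    def feed(self, direction, data):
        """Accept raw stream bytes from one side.

        A PORT command may arrive split over several segments, so lines are
        only interpreted once a full CRLF-terminated line has been seen.
        """
        self.buf[direction] += data
        buf = self.buf[direction]
        if b"\r\n" not in buf and len(buf) > self.MAX_LINE:
            self.rejected.append(("oversized line", buf))
            self.buf[direction] = b""
            return
        while b"\r\n" in self.buf[direction]:
            line, _, self.buf[direction] = self.buf[direction].partition(b"\r\n")
            self._handle_line(direction, line)

    def _handle_line(self, direction, line):
        m = (PORT_RE if direction == "client" else PASV_RE).match(line)
        if not m:
            return  # not a data-channel announcement; nothing to open
        try:
            host, port = decode_hostport(m.group(1))
        except ValueError as err:
            self.rejected.append((str(err), line))
            return
        # The advertised address must be the peer that sent the announcement;
        # otherwise the control channel is being used to open a hole to a
        # third party.
        if host != self.peer[direction]:
            self.rejected.append(("advertised address is not the speaking peer", line))
            return
        # Never open a privileged port: that would expose a well-known service.
        if port < 1024:
            self.rejected.append(("privileged port", line))
            return
        if direction == "client":
            # Active mode: the server will connect to the client's port.
            self.pinholes.append((self.peer["server"], self.peer["client"], port))
        else:
            # Passive mode: the client will connect to the server's port.
            self.pinholes.append((self.peer["client"], self.peer["server"], port))


def run_demo():
    """Replay a constructed control exchange and return the tracker."""
    t = FtpChannelTracker(CLIENT_IP, SERVER_IP)
    t.feed("client", b"USER anonymous\r\n")
    t.feed("client", b"PORT 192,0,2,1")           # legitimate PORT, split
    t.feed("client", b"0,4,1\r\n")                # across two segments
    t.feed("server", b"227 Entering Passive Mode (198,51,100,5,195,80)\r\n")
    t.feed("client", b"PORT 192,0,2,10,0,25\r\n")  # privileged port: refused
    t.feed("client", b"PORT 203,0,113,9,4,1\r\n")  # third-party host: refused
    t.feed("server", b"227 Entering Passive Mode (198,51,100,5,0,22)\r\n")
    return t


if __name__ == "__main__":
    tracker = run_demo()
    for hole in tracker.pinholes:
        print("permit", hole)
    for reason, line in tracker.rejected:
        print("refuse", reason, line)
```

Each accepted tuple is what the helper would turn into a dynamic ipfw rule, and it is also the natural place to attach a pipe: the rule that permits the data channel can point at a dummynet pipe instead of plain `allow`, which is the step natd's `-punch_fw` does not offer.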