From: Chuck Swiger
Date: Sat, 15 Feb 2003 13:54:20 -0500
To: Freebsd-Questions
Subject: Re: using Dummynet to rate limit ftp

Matthew Seaman wrote:
[ ... ]
> Now, that sounds quite reasonable, but it's really quite a minefield.
> Consider that the TCP stream could be fragmented --- unlikely in
> normal usage, but something a potential attacker might try --- or that
> an attacker might be able to persuade your firewall to open up access
> to ports or addresses it really shouldn't by sending a cunningly
> modified FTP control exchange.

While I agree with this and the points you've made, let me suggest that the
problem the original poster had is better solved by prioritizing traffic,
rather than by setting fixed bandwidth limits in place. Or perhaps "in
addition to fixed BW limits".

-Chuck