Date: Wed, 10 Aug 2005 09:34:28 +0300
From: Adi Pircalabu
To: he ccjj
Cc: freebsd-questions@freebsd.org
Subject: Re: How to limit the nat's stream speed?

On Wed, 10 Aug 2005 13:31:28 +0800
he ccjj wrote:

> I use freebsd5.4+ipfw+natd to set up a box for sharing internet, it
> works fine. But I have a very serious problem:
> Some computer of my inner user was attacked by virus, they make very
> big volume of stream to internet, so the natd will occupy almost all
> the cpu, the others can't visit internet at all!! Is there a solution
> to limit the natd's cpu occupancy or limit every user's stream speed?

You may take a look at the ipfw(8) manpage and search for dummynet
configuration. For example, if you know the offending IP, you can try
something like this:

    kldload dummynet
    ipfw pipe ${pipe-num} config bw ${max-bw}
    ipfw add ${rule-num} pipe ${pipe-num} ip from ${offending-IP} to any

It's a very simple example, take it as a starting point.

Bye
-- 
Adi Pircalabu (PGP Key ID 0x04329F5E)
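Added example, not part of the original message: a small sh script that extends the single-IP pipe above to the "every user" case by printing dummynet commands that give each source address in the LAN its own bandwidth-limited queue. The function names, pipe 1, rule 100, 512Kbit/s and 192.168.0.0/24 are assumed sample values, and the "mask src-ip" and one_pass settings are additions of this example, not of the reply.

```shell
#!/bin/sh
# Added example: prints ipfw/dummynet commands for review, runs nothing itself.

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# valid_bw BW: a number with an optional ipfw unit ([K|M]{bit/s|Byte/s}).
valid_bw() {
    n=$1
    for unit in Kbit/s Mbit/s KByte/s MByte/s bit/s Byte/s; do
        case "$n" in *"$unit") n=${n%"$unit"}; break ;; esac
    done
    is_num "$n"
}

# valid_cidr NET: dotted quad, octets 0-255, prefix length 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    is_num "$plen" && [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# limit_rules PIPE RULE BW LAN: one pipe, split by "mask src-ip" into a
# separate BW-limited queue for every source address inside LAN.
limit_rules() {
    is_num "$1" && is_num "$2" && valid_bw "$3" && valid_cidr "$4" ||
        { echo "limit_rules: bad argument" >&2; return 1; }
    echo "kldload dummynet"
    # Let packets leaving the pipe continue to the later natd divert rule.
    echo "sysctl net.inet.ip.fw.one_pass=0"
    echo "ipfw pipe $1 config bw $3 mask src-ip 0xffffffff"
    # RULE must be lower than the divert rule: after natd rewrites the
    # source address, "from LAN" no longer matches outgoing packets.
    echo "ipfw add $2 pipe $1 ip from $4 to any"
}

# Constructed sample values (pipe 1, rule 100, LAN 192.168.0.0/24).
limit_rules 1 100 512Kbit/s 192.168.0.0/24
```

Review the printed commands, then pipe them to sh as root on the gateway.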