Date:      Tue, 3 Dec 2002 15:39:31 +0100 (CET)
From:      Lukas Ertl <l.ertl@univie.ac.at>
To:        Alexandr Kovalenko <never@nevermind.kiev.ua>
Cc:        freebsd-hubs@FreeBSD.ORG
Subject:   Re: Policy question for cvsup mirrors
Message-ID:  <20021203153537.C29570-100000@pcle2.cc.univie.ac.at>
In-Reply-To: <20021203143025.GA70644@nevermind.kiev.ua>
References:  <20021203140220.GA54502@ldc.ro> <20021203150911.N29570-100000@pcle2.cc.univie.ac.at> <20021203143025.GA70644@nevermind.kiev.ua>

On Tue, 3 Dec 2002, Alexandr Kovalenko wrote:

> On Tue, Dec 03, 2002 at 03:14:12PM +0100, you wrote:
>
> > le, still looking for an automatism to block aggressive ftp leechers and
> > their "super-download-booster-scripts"...
> # Outgoing traffic shaping (3Mbit/sec/ip for uid ftp)
> ${fwcmd} pipe 1 config mask src-ip 0xffffffff dst-ip 0xffffffff bw 3Mbit/sec
> ${fwcmd} add 2000 pipe 1 tcp from 212.40.32.113 to any uid ftp out xmit xl0

I already use ipfw and traffic shaping (besides that our routers limit
outgoing traffic too), but that isn't the problem - someone who has a
cable or DSL connection at home doesn't get more bandwidth if he has 50
connections open or 5.

The problem is that some aggressive download scripts open dozens of
connections to the same file, but at varying offsets, although I don't see
the reason for that - he doesn't get faster downloads than his bandwidth
at home allows. But for each connection there's a server process running
that uses resources, and since I limit the maximum number of connections
others may get locked out if others use more than necessary. Also, if I
set a maximum-connections-per-host limit (as I do), the ftp daemon has to
do work to establish the tcp connection, look into its database to see
that the limit is reached and throw the client back out again.

All this simply isn't necessary, so I usually scan the logs from time to
time to check for aggressive leechers (e.g. those that have their share
of connections but still try twice per second to open a new connection)
and block them temporarily with "ipfw add deny..."

regards,
le

-- 
Lukas Ertl                             eMail: l.ertl@univie.ac.at
UNIX-Systemadministrator               Tel.:  (+43 1) 4277-14073
Zentraler Informatikdienst (ZID)       Fax.:  (+43 1) 4277-9140
der Universität Wien                   http://mailbox.univie.ac.at/~le/
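
One way to automate the log scan described in the message above, as an added example that is not part of the original e-mail: it flags hosts that keep being refused at the per-host limit several times per second, over several seconds. The syslog-style log format, the "refused connect from" wording, the thresholds and the function names `find_leechers` and `sample_log` are assumptions.

```sh
#!/bin/sh
# Added example. The log format is constructed for illustration; adapt the
# "refused connect from" pattern and field positions to your ftp daemon.

# find_leechers RATE MIN_SECONDS  (reads log lines on stdin)
# Prints "ip hot_seconds total_refusals" for every host that was refused at
# least RATE times in one second, in at least MIN_SECONDS distinct seconds.
find_leechers() {
    awk -v rate="$1" -v minsec="$2" '
    /refused connect from/ {
        # The client address is the field after the word "from".
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        stamp = $1 " " $2 " " $3          # month day HH:MM:SS
        per_second[ip SUBSEP stamp]++
        total[ip]++
    }
    END {
        for (key in per_second) {
            split(key, part, SUBSEP)
            if (per_second[key] >= rate) hot[part[1]]++
        }
        for (ip in hot)
            if (hot[ip] >= minsec) print ip, hot[ip], total[ip]
    }' | sort
}

# Constructed sample log (documentation addresses, hypothetical daemon output).
sample_log() {
    cat <<'EOF'
Dec  3 15:20:01 mirror ftpd[4101]: connect from 192.0.2.10
Dec  3 15:20:01 mirror ftpd[4102]: refused connect from 192.0.2.10 (host limit)
Dec  3 15:20:01 mirror ftpd[4103]: refused connect from 192.0.2.10 (host limit)
Dec  3 15:20:02 mirror ftpd[4104]: refused connect from 192.0.2.10 (host limit)
Dec  3 15:20:02 mirror ftpd[4105]: refused connect from 192.0.2.10 (host limit)
Dec  3 15:20:02 mirror ftpd[4106]: refused connect from 198.51.100.7 (host limit)
Dec  3 15:20:03 mirror ftpd[4107]: refused connect from 192.0.2.10 (host limit)
Dec  3 15:20:03 mirror ftpd[4108]: refused connect from 192.0.2.10 (host limit)
Dec  3 15:20:03 mirror ftpd[4109]: refused connect from 192.0.2.10 (host limit)
Dec  3 15:25:40 mirror ftpd[4110]: refused connect from 198.51.100.7 (host limit)
Dec  3 15:25:40 mirror ftpd[4111]: refused connect from 203.0.113.5 (host limit)
Dec  3 15:25:40 mirror ftpd[4112]: refused connect from 203.0.113.5 (host limit)
EOF
}

# Two or more refusals per second, sustained over three distinct seconds.
sample_log | find_leechers 2 3
```

Requiring several "hot" seconds keeps a single short burst, such as 203.0.113.5 in the sample, off the list; the printed addresses are the candidates for the temporary deny rule the message mentions.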
