Date: Tue, 03 Dec 2002 13:13:35 -0200
From: Joao Carlos Mendes Luis <jonny@jonny.eng.br>
To: Lukas Ertl <l.ertl@univie.ac.at>
Cc: Alexandr Kovalenko <never@nevermind.kiev.ua>, freebsd-hubs@FreeBSD.ORG
Subject: Re: Policy question for cvsup mirrors
Message-ID: <3DECCA1F.2060201@jonny.eng.br>
References: <20021203140220.GA54502@ldc.ro> <20021203150911.N29570-100000@pcle2.cc.univie.ac.at> <20021203143025.GA70644@nevermind.kiev.ua> <20021203153537.C29570-100000@pcle2.cc.univie.ac.at>
Lukas Ertl wrote:
> On Tue, 3 Dec 2002, Alexandr Kovalenko wrote:
>
>
>>On Tue, Dec 03, 2002 at 03:14:12PM +0100, you wrote:
>>
>>
>>>le, still looking for an automatism to block aggressive ftp leechers and
>>>their "super-download-booster-scripts"...
>>
>># Outgoing traffic shaping (3Mbit/sec/ip for uid ftp)
>>${fwcmd} pipe 1 config mask src-ip 0xffffffff dst-ip 0xffffffff bw 3Mbit/sec
>>${fwcmd} add 2000 pipe 1 tcp from 212.40.32.113 to any uid ftp out xmit xl0
>
>
> I already use ipfw and traffic shaping (besides that our routers limit
> outgoing traffic too), but that isn't the problem - someone who has a
> cable or DSL connection at home doesn't get more bandwidth if he has 50
> connections open or 5.
>
> The problem is that some aggressive download scripts open dozens of
> connections to the same file, but at varying offsets, although I don't see
> the reason for that - he doesn't get faster downloads than his bandwidth
> at home allows. But for each connection there's a server process running
> that uses resources, and since I limit the maximum number of connections
> others may get locked out if others use more than necessary. Also, if I
> set a maximum-connections-per-host limit (as I do), the ftp daemon has to
> do work to establish the tcp connection, look into its database to see
> that the limit is reached and throw the client back out again.
>
> All this simply isn't necessary, so I usually scan the logs from time to
> time to check for aggressive leechers (e.g. those that have their share
> of connections but still try twice per second to open a new connection)
> and block them temporarily with "ipfw add deny..."
Taken from ipfw manual:
ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
ipfw add allow tcp from any to me setup limit src-addr 4
The former (assuming it runs on a gateway) will allow each host on a /24
network to open at most 10 TCP connections. The latter can be placed on
a server to make sure that a single client does not use more than 4
simultaneous connections.
Is this a solution for you?
I personally use pure-ftpd with maximum-connections-per-host limit.
Is this so bad for you to start the daemon and then close it again?
Jonny
--
João Carlos Mendes Luís - Networking Engineer - jonny@jonny.eng.br
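The log scan Lukas describes above (hosts that already have their share of connections but keep retrying about twice per second, then get a temporary "ipfw add deny") is the kind of thing that is easy to automate. The script below is an added example and not code from this thread or from FreeBSD; it assumes ftpd(8) logs each control connection to syslog as "connection from <host> (<ip>)", the sample lines are constructed, and the 10-second window, the 10-attempt threshold, the rule number 60000 and the "to me dst-port 21" match are arbitrary choices. Jonny's stateful "limit src-addr N" rule caps concurrent connections at the firewall; this scan instead targets the retry rate, which a per-connection limit alone does not see.

```python
"""Spot FTP clients that hammer the control port and emit temporary ipfw denies.

Added example for the freebsd-hubs thread; log format, thresholds and rule
numbers are assumptions, and SAMPLE_LOG is constructed, not a real log.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed shape of a FreeBSD ftpd(8) syslog line for a new control connection.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"connection from \S+ \((?P<ip>[\d.]+)\)"
)


def _constructed_log():
    """Build sample lines: one leecher at 2 attempts/s for 12 s, one polite mirror."""
    lines = []
    for sec in range(12):
        for _ in range(2):
            lines.append(
                f"Dec  3 13:01:{sec:02d} ftp ftpd[{1000 + len(lines)}]: "
                "connection from leech.example (192.0.2.10)"
            )
    for sec in (5, 25, 47):
        lines.append(
            f"Dec  3 13:01:{sec:02d} ftp ftpd[{2000 + sec}]: "
            "connection from mirror.example (198.51.100.7)"
        )
    # An unrelated ftpd line; the parser must ignore it.
    lines.append("Dec  3 13:01:30 ftp ftpd[2100]: FTP LOGIN FROM mirror.example as ftp")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_log(lines):
    """Return {ip: [datetime, ...]} of connection attempts, skipping other lines."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        attempts[m.group("ip")].append(ts)
    return attempts


def peak_attempts(times, window_s):
    """Largest number of attempts that fall inside any window_s-second span."""
    times = sorted(times)
    best = 0
    lo = 0
    for hi, t in enumerate(times):
        # Slide the window start forward until it covers (t - window_s, t].
        while (t - times[lo]).total_seconds() >= window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_leechers(attempts, window_s=10, max_attempts=10):
    """Map each IP whose burst rate exceeds max_attempts per window to its peak."""
    return {
        ip: peak
        for ip, times in attempts.items()
        if (peak := peak_attempts(times, window_s)) > max_attempts
    }


def ipfw_deny_rules(offenders, rule_no=60000):
    """One ipfw deny per offender, numbered so 'ipfw delete 60000' lifts them later."""
    return [
        f"ipfw add {rule_no + i} deny tcp from {ip} to me dst-port 21 in"
        for i, ip in enumerate(sorted(offenders))
    ]


if __name__ == "__main__":
    for rule in ipfw_deny_rules(find_leechers(parse_log(SAMPLE_LOG))):
        print(rule)
```

Running it over SAMPLE_LOG flags only 192.0.2.10 (20 attempts inside one 10-second window) and prints a single deny rule for it; the mirror that connected three times in a minute is left alone. Because every deny is added under one rule number, a cron or at(1) job can later run a single "ipfw delete" to make the block temporary, as in the manual procedure described in the thread.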
