On Sep 14, 2006, at 12:53 PM, Panagiotis wrote:
Chris wrote:
...system, we could come back up I think and try to ride out the
attack. I've never done this before but in an earlier thread I
saw where you configure a pipe such as:
ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from 192.168.1.2 80
then set sysctl.conf
net.inet.ip.fw.one_pass=1
Is that all that's necessary for this old a system or is there
anything else? If this is correct, would this keep this fellow
from crashing
To use traffic shaping with IPFW you have to compile the kernel
with the following options:
options DUMMYNET
options HZ=1000
Then you can add some lines like these to make your bandwidth limit
work:
#first flush all the previous pipes
ipfw -q -f pipe flush
ipfw pipe 1 config bw 256Kbit/s
ipfw add pipe 1 tcp from any to any
Usually we use two pipes, one for download and one for upload, so
you can try something like this:
#first flush all the previous pipes
ipfw -q -f pipe flush
#upload bandwidth+download bandwidth=total bandwidth
#pipe for upload
ipfw pipe 1 config bw 128Kbit/s
#pipe for download
ipfw pipe 2 config bw 256Kbit/s
server_port="20,21,80,443,995,...,etc"
internal_network="192.168.0.0"
#config upload
ipfw add pipe 1 tcp from $internal_network to any $server_port
#config download
ipfw add pipe 2 tcp from any $server_port to $internal_network
The variables "server_port" and "internal_network" are examples of
course... :-)
If you are running natd on your machine then you have to put the rules
AFTER the divert natd rule, like these:
ipfw add pipe 1 tcp from {external_ip} to any $server_port
ipfw add pipe 2 tcp from any $server_port to $internal_network
The net.inet.ip.fw.one_pass=1 must be set if you want your traffic
to pass from pipes and not continue at next rules....
Sorry for my bad English....
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-
[EMAIL PROTECTED]"
Thank you very much. Even rejecting the requests by referer has only
lessened the impact on the system and we are occasionally rebooting.
It has not let up all night. I will implement. Thank you again.
Chris
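
The effect of net.inet.ip.fw.one_pass described in the reply above, as an added example that is not part of the original thread and not ipfw code: a simplified Python model of first-match rule traversal, showing that with one_pass=1 a pipe rule also acts as an accept, so filter rules placed after it never see the shaped traffic. The /24 mask, rule numbers and addresses are constructed for illustration.

```python
# Simplified model of ipfw rule traversal (added example, not ipfw source).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    number: int
    action: str          # "pipe", "allow" or "deny"
    src: str = "any"
    dst: str = "any"
    dport: tuple = ()    # empty tuple matches every port
    pipe: int = 0

def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(rule, pkt):
    return (_addr_ok(rule.src, pkt["src"]) and _addr_ok(rule.dst, pkt["dst"])
            and (not rule.dport or pkt["dport"] in rule.dport))

def evaluate(rules, pkt, one_pass):
    """Return (verdict, pipes traversed) for one TCP packet."""
    pipes = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        if rule.action == "pipe":
            pipes.append(rule.pipe)
            if one_pass:
                return "allow", pipes   # leaves dummynet, not passed through the firewall again
            continue                    # one_pass=0: reinjected at the next rule
        return rule.action, pipes
    return "deny", pipes                # rule 65535 is deny unless the kernel defaults to accept

# Constructed ruleset: an upload pipe like the thread's, a later block rule, a final allow.
RULES = [
    Rule(1000, "pipe", src="192.168.0.0/24", dport=(80, 443), pipe=1),
    Rule(2000, "deny", dst="203.0.113.7"),
    Rule(3000, "allow"),
]
BLOCKED = {"src": "192.168.0.10", "dst": "203.0.113.7", "dport": 80}
NORMAL = {"src": "192.168.0.10", "dst": "198.51.100.5", "dport": 80}

if __name__ == "__main__":
    for one_pass in (1, 0):
        for pkt in (BLOCKED, NORMAL):
            print("one_pass=%d" % one_pass, pkt["dst"], evaluate(RULES, pkt, one_pass))
```

With one_pass=1, any deny rules that must apply to shaped traffic belong before the pipe rules; with one_pass=0, the ruleset needs an explicit allow after them.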