Limit Bandwidth (not throughput)

[plexter]

Hello,

I am wondering if anyone has any insight as to how you can limit the total bandwidth used by a particular IP/host...etc? I know PF/ALTQ can prioritize and limit the total usuable connection speed but I am looking to do something more like a ratio once you reach X you are cut off. And I suppose in my case with the bandwidth you would be cut off for Y amount of time.

Is there any simple way of doing this? I have yet to see any software (knowingly) to do this on OpenBSD.

Thanks!

P.S. I appologize if PF is able to do this. Please point me to the topic in the man page if doable.

[jggimi]

If you want to shut off a connection after so many bytes, you'll have to do it via an manual examination of PF state tables. This might be as simple as a cron job that examines the output of # pfctl -vs state.

I used to do this with a cron job, to limit script kiddies from looping stupid ftpd attacks on "User Administrator" or other common userids that did not exist. I found a simple modification to ftpd can drop those sessions, and that's a much easier solution.

I submitted it as a patch last month. It was partially accepted, but what was accepted did not stop kiddie scripts from looping, so I still have a slightly modified ftpd.

PF can handle state creations via stateful tracking options, but it only direct limits already established and valid sessions -- not killed via stateful "overload flush" -- via traffic shaping from queue management. You have choices here, such as simple packet priority, bps, or percentage of bps of a parent queue.

[plexter]

Hello again jggimi,

Interesting. State would not be 100% accurate though right? For example if I were to reboot the system the states logs would be reset to 0 I presume?

I would be interested in seeing any example how to implement this none the less though.

It would be nice if there were a more exact way of handling this either through another program or if PF/ALTQ were expanded to support it.

pass in on.... from $host ... port ... max bps number/days or something.

Anyway thank you for your input.

[jggimi]

Rebooting a router will obviously kill any state table within it. Even if a future PF development hooked bytes-transferred into stateful tracking, rebooting starts from scratch. As it does today with all of the stateful tracking knobs.

When I had a cron job tracking bytes transferred, it was a simple perl script that used the output from sysutils/pftop. The state table data from pftop are no longer accurate, as it has not caught up with all PF changes. This is why I recommended using pfctl instead -- it can be trusted to stay in sync with PF changes.

From memory, the script ran every 5 minutes, looked for inbound ftp control sessions (port 21) that had surpassed a total bytes transferred threshold (300KB). When found, the script would:

1. add the offending IP address to a PF table of blocked addresses
2. kill the state (dropping the session)
3. append the IP address to the flat-file backup of the PF table (for restoring the table on reboot)
4. add a record of the block to a DBMS table with timestamp, IP address, and reason
5. send me an e-mail.

[plexter]

Awesome

Now that you wrote it out it make a little more sense! Haha. I will play around with this idea.

Thanks a lot for your input. Good luck with that OBSD patch submission.

[jggimi]

Already submitted; already partially accepted.