ssh/scp filtering, iplen problem

jeremie le-hen le-hen_j at epita.fr
Sun Sep 21 04:02:53 PDT 2003


> However, the obvious problem is that scp uses the ssh
> protocol, so it's on the same port.  So my idea was to
> differentiate them by the size of the packets.  The scp
> packets usually use the full MTU size (1500), while the
> interactive ssh packets are typically much smaller.

It was my first idea too for traffic scheduling, but when
I tried this tricky way I found that when I refreshed the
screen or executed "ls -lR", the resulting ssh packets were
quite enormous (e.g. the MSS size) and so they were
understood as being scp packets. They were therefore
scheduled as the latter, making the ssh session unusable.

I told myself that this problem should be quite common
and so there were necessarily some efficient workarounds.
And then I foresaw that ssh traffic which has a terminal
attached to it (e.g. interactive ssh traffic) gets the
"lowdelay" value in its IP TOS field, and the ssh traffic
which does not (usually scp or ssh with a command given
to be executed instead of a shell) gets the "throughput"
value. IIRC, only SSH tunnels don't have any TOS value.

Finally, supposing you have 100KBit/s of bandwidth, you
can use this (in the real world, you would certainly take
care of traffic direction):

# scp (non-interactive ssh sets the "throughput" TOS bit)
pipe 1 config bw 90KBit/s
add pipe 1 tcp from any to any dst-port 22 iptos throughput
add pipe 1 tcp from any to any src-port 22 iptos throughput
# ssh (interactive ssh sets the "lowdelay" TOS bit; note pipe 2, not pipe 1)
pipe 2 config bw 10KBit/s
add pipe 2 tcp from any to any dst-port 22 iptos lowdelay
add pipe 2 tcp from any to any src-port 22 iptos lowdelay

Regards,
-- 
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen at epita.fr
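The classification described in the post, as an added example that is not part of the original mail: a small Python model of the two ipfw rule sets (pipe 1 for the "throughput" TOS bit, pipe 2 for "lowdelay") run over constructed IPv4/TCP headers, next to the packet-size heuristic from the quoted post so the "ls -lR" failure case is visible. Packet contents, addresses and ports are constructed sample values; checksums are left at zero.

```python
import struct

# TOS bit values as defined in <netinet/ip.h>; ipfw's "iptos" matches on set bits
IPTOS_LOWDELAY = 0x10
IPTOS_THROUGHPUT = 0x08
SSH_PORT = 22
IP_PROTO_TCP = 6


def build_ssh_packet(src_port, dst_port, tos, payload_len):
    """Constructed sample: minimal IPv4 + TCP header (no options), checksums zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 40 + payload_len, 0, 0, 64, IP_PROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + bytes(payload_len)


def classify_by_tos(pkt):
    """Pipe the TOS rules would choose: 1 (throughput/scp), 2 (lowdelay/ssh), else None."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    tos, proto = pkt[1], pkt[9]
    if proto != IP_PROTO_TCP:
        return None
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if SSH_PORT not in (src_port, dst_port):
        return None
    if tos & IPTOS_THROUGHPUT:
        return 1
    if tos & IPTOS_LOWDELAY:
        return 2
    return None   # e.g. an SSH tunnel with no TOS set: falls through to later rules


def classify_by_size(pkt, big=1000):
    """The size heuristic from the quoted post: large packets are taken for scp."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return 1 if total_len >= big else 2
```

A full-MSS "ls -lR" reply still carries the lowdelay bit, so classify_by_tos keeps it in the ssh pipe where classify_by_size would push it into the scp pipe.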

