Under Attack: Bandwidth throttling on 5.2.1?

Chris eagletree at hughes.net
Thu Sep 14 13:06:42 PDT 2006


On Sep 14, 2006, at 12:53 PM, Panagiotis wrote:

> Chris wrote:
>
>> ...system, we could come back up I think and try to ride out the
>> attack.  I've never done this before but in an earlier thread I
>> saw where you configure a pipe such as:
>>
>> ipfw pipe 1 config bw 256Kbit/s
>> ipfw add pipe 1 tcp from 192.168.1.2 80
>>
>> then set sysctl.conf
>> net.inet.ip.fw.one_pass=1
>>
>> Is that all that's necessary for this old a system or is there
>> anything else? If this is correct, would this keep this fellow
>> from crashing
>
> To use traffic shaping with IPFW you have to compile the kernel
> with the following options:
>
> options         DUMMYNET
> options         HZ=1000
>
> then you can add some lines like these to make your bandwidth limit
> work:
>
> #first flush all the previous pipes
> ipfw -q -f pipe flush
>
> ipfw pipe 1 config bw 256Kbit/s
> ipfw add pipe 1 tcp from any to any
>
> usually we use two pipes, one for download and one for upload, so
> you can try something like this:
>
>
> #first flush all the previous pipes
> ipfw -q -f pipe flush
>
> #upload bandwidth+download bandwidth=total bandwidth
> #pipe for upload
> ipfw pipe 1 config bw 128Kbit/s
> #pipe for download
> ipfw pipe 2 config bw 256Kbit/s
>
> server_port="20,21,80,443,995,...,etc"
> internal_network="192.168.0.0"
>
> #config upload
> ipfw add pipe 1 tcp from $internal_network to any $server_port
> #config download
> ipfw add pipe 2 tcp from any $server_port to $internal_network
>
> The variables "server_port" and "internal_network" are examples of
> course... :-)
> If you are running natd on your machine then you have to put rules
> AFTER the divert natd rule, like these:
> ipfw add pipe 1 tcp from {external_ip} to any $server_port
> ipfw add pipe 2 tcp from any $server_port to $internal_network
>
> The net.inet.ip.fw.one_pass=1 must be set if you want your traffic
> to pass through the pipes and not continue to the next rules....
>
> Sorry for my bad English....
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions- 
> unsubscribe at freebsd.org"


Thank you very much. Even rejecting the requests by referer has only
lessened the impact on the system and we are occasionally rebooting.
It has not let up all night. I will implement. Thank you again.

Chris
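The two-pipe dummynet layout described in the quoted reply, written up as an added example script (not from the thread, and not FreeBSD's or either poster's own code) for the case discussed here: a web server whose request and response traffic is rate-limited while it rides out a flood. It assumes a kernel built with DUMMYNET and HZ=1000; the network, ports, bandwidths and the natd divert rule number are constructed values, and the script prints the ipfw commands for review instead of executing them, so it also runs on a non-FreeBSD box.

```shell
#!/bin/sh
# Added example: generate an ipfw/dummynet rule set that caps a server's
# outbound (responses) and inbound (requests) bandwidth on separate pipes.
# Constructed values; adjust before use. Note the CIDR mask: in ipfw a bare
# address such as 192.168.0.0 matches a single host, not a network.
INTERNAL_NET="192.168.0.0/24"
SERVER_PORTS="80,443"
UPLOAD_BW="128Kbit/s"    # pipe 1: traffic leaving the server ports
DOWNLOAD_BW="256Kbit/s"  # pipe 2: traffic arriving at the server ports
NATD_RULE=50             # constructed: number of the 'divert natd' rule

# gen_ipfw_rules NET PORTS UP_BW DOWN_BW WITH_NAT(yes|no)
# Prints the commands in the order they must be applied.
gen_ipfw_rules() {
    net="$1"; ports="$2"; up="$3"; down="$4"; with_nat="$5"
    # flush old pipes first so re-running the script does not stack limits
    echo "ipfw -q -f pipe flush"
    echo "ipfw pipe 1 config bw $up"
    echo "ipfw pipe 2 config bw $down"
    if [ "$with_nat" = "yes" ]; then
        # with natd the pipe rules must sit AFTER the divert rule, so give
        # them explicit numbers above it; otherwise 'add' appends them and
        # they would be evaluated before translation happens
        echo "ipfw add $((NATD_RULE + 50)) pipe 1 tcp from $net $ports to any"
        echo "ipfw add $((NATD_RULE + 60)) pipe 2 tcp from any to $net $ports"
    else
        echo "ipfw add pipe 1 tcp from $net $ports to any"
        echo "ipfw add pipe 2 tcp from any to $net $ports"
    fi
    # one_pass=1: a packet leaves the firewall after its pipe instead of
    # being re-injected at the next rule (persist it in sysctl.conf too)
    echo "sysctl net.inet.ip.fw.one_pass=1"
}

# Stand-alone run: print the rule set for the constructed values, no NAT.
gen_ipfw_rules "$INTERNAL_NET" "$SERVER_PORTS" "$UPLOAD_BW" "$DOWNLOAD_BW" no
```

Pipe the output into `sh` only after checking it against the existing rule set, in particular the position of any divert rule.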