AW: [LARTC] Activate ingress policies on suse enterprise server 9

Hi,

Only for my info: how can it be done via iptables? Do you have an example or a howto?

Thanks
Gernot

-----Original Message-----
From: Andy Furniss [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 April 2005 00:30
To: Grames Gernot
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Activate ingress policies on suse enterprise server 9

Grames Gernot wrote:
> Hi,
>
> The problem is this is my goal to use the policer and not the iptables.
> Because with the policer i think you can give more rules and restrictions
> to the incoming tcpip traffic. You can limit with iptables as well as drop.
>
> So I would prefer to use the policer and not the iptables.

I just looked and AFAICT you will need a newer kernel than the 2.6.5 that your suse is using - maybe suse do a more recent one. I don't know about doing kernels on suse - you'll have to see suse docs or ask on a suse group about doing kernels as you haven't done it before.

The option that you need selected after doing a make menuconfig is "packet actions" in "QoS and/or fair queueing" under "networking options" under "networking support" under "Device drivers". When you select that you can then select "policing actions" and it will be the new policer.

I don't know where your current config is - but try and find it and use it as a base when doing a new kernel - you can load it from the make menuconfig menus.

Andy.

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] 2 internet connection problem :(
> i want to put web and ftp traffic to eth2 and all other traffic to eth0
> is it possible can anybody help me to do that

You will probably need to set up additional routing tables via the "ip route" command. One table will need to be the machine default and one will need to be the table that FTP traffic uses. Each table would use the upstream gateway for the connection that you want them to use as their default route. You will probably have to MARK the traffic that qualifies as FTP traffic via iptables and use an "ip rule" to match on the fwmark stating that marked packets need to use the FTP routing table.

Grant. . . .
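A worked version of the routing-table/fwmark setup Grant describes, added here as an example (it is not from the list post). The gateways and subnets come from the poster's routing table; the table id, the mark value and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: send LAN web/ftp traffic out eth2 and
# everything else out eth0, using a second routing table selected by fwmark.
# Gateways come from the poster's "route -n" output; the table id, the mark
# value and the port list are assumptions.

LAN_NET=192.168.0.0/24
GW_ETH0=213.32.208.249          # default uplink gateway (from the posted route table)
GW_ETH2=217.10.130.1            # second uplink gateway (from the posted route table)
ETH2_NET=217.10.130.0/24        # eth2's own subnet (from the posted route table)
ETH2_TABLE=100                  # assumed id of the extra routing table
WEB_MARK=0x1                    # assumed fwmark for web/ftp flows

# Print each command; set APPLY=1 to execute it instead (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

policy_routing_rules() {
    # 1. Second table: default route via eth2, plus the LAN so replies can get back.
    run ip route replace default via "$GW_ETH2" dev eth2 table "$ETH2_TABLE"
    run ip route replace "$LAN_NET" dev eth1 table "$ETH2_TABLE"

    # 2. Mark the first packet of each web/ftp connection from the LAN and store
    #    the mark in conntrack, so every later packet of the flow is routed alike.
    run iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
    for port in 80 443 21; do
        run iptables -t mangle -A PREROUTING -i eth1 -s "$LAN_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j MARK --set-mark "$WEB_MARK"
    done
    # ftp data connections are tracked by the ftp helper (the same match used in
    # the connlimit rules elsewhere in this thread); mark them the same way.
    run iptables -t mangle -A PREROUTING -i eth1 -m helper --helper ftp -j MARK --set-mark "$WEB_MARK"
    run iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --save-mark

    # 3. Policy rules: marked packets use the eth2 table; so do packets sourced
    #    from eth2's own subnet, otherwise replies to inbound eth2 traffic would
    #    leave via eth0 with the wrong source address.
    run ip rule add fwmark "$WEB_MARK" table "$ETH2_TABLE" priority 100
    run ip rule add from "$ETH2_NET" table "$ETH2_TABLE" priority 101

    # 4. Source NAT per uplink, so each connection carries the address of the
    #    interface it actually leaves through.
    run iptables -t nat -A POSTROUTING -o eth2 -s "$LAN_NET" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o eth0 -s "$LAN_NET" -j MASQUERADE
    run ip route flush cache
}

policy_routing_rules
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root; the main table's default route via eth0 (GW_ETH0) is left as it is.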
Re: Fwd: [LARTC] HTB Weird Shaping Question(Bug?). Please Help!
> What you have said makes absolute sense to me. However, I only "reserved"
> 136Kbit for the VoIP traffic, there are 44Kbit available even if we assume
> the 180Kbit is the maximum. Why doesn't HTB allocate the 44Kbit to the class
> for ping traffic, which only requires rate 4Kbit and 0.5 Kbit?

Some of this could be due to the fact that an ICMP echo request packet is extremely small. It is quite likely that your ADSL connection has a raw throughput of 256 kbps. On top of the ADSL signal is a signaling protocol, be it Frame Relay (older DSL circuits in my town are this) or ATM (newer DSL circuits); each has its own protocol overhead as well as minimum packet size. So if you are sending ICMP echo request packets that are very small, they will have to be wrapped in the network layer (OSI layer 2) packets and transmitted on the ADSL line (OSI layer 1), thus growing in size. It is quite likely that the size of the packets on the physical layer is approaching 256 kbps and thus hitting the physical maximum of your circuit.

There is always the fact that ADSL is half duplex whereas SDSL is full duplex. You would see this as a problem if you were trying to download something and upload something at the same time. Your circuit can only do one thing at a time, thus something will have to wait. You will see this if you are able to FTP a large file out to a system on the net fast, close to your maximum, yet your VoIP (SIP?) traffic will start having problems at less than the maximum rate that the physical link can handle.

Anyone care to support or refute this? I'm mainly going off of what I have read and discussed with others. I'm presently going after CCNA and this is the answer that I would give to a client, but if there is something better or there is a discussion that is to be had I'm game for it. Someone please correct me as I want to learn more. ;)

Grant. . . .
Re: [LARTC] IP Tunneling
[EMAIL PROTECTED] wrote:
> Hello
>
> I have /25 addresses on a box (virtual devices on eth0) and I want to tunnel
> some of these addresses to my home network. One address to my gateway
> (a.b.c.d, external IP) and one address to my internal network
> (192.168.0.0/24-style). I will use the tunnels for irc, smtp and surfing.
>
> What protocol and which technique is easiest and best to use?
>
> One more thing. I don't want to set up a bridge on eth0 at the /25-box (like
> the OpenVPN-howto wants me to do). The configuration on that box has to be
> intact if it's possible, apart from the addresses I will tunnel.

Have you considered trying to get SSH to tunnel things for you? I don't know if this will meet your needs or not. If not, you are looking at something like a GRE tunnel, IP-IP tunnel, PPTP tunnel, or IPSec tunnel. Save for SSH, all of these options are rather involved and complex to set up.

Grant. . . .
Re: [LARTC] IP2P & Skype question
> Yes, I too have been reading these things asking myself why one would allow
> users such open access. One reason, of course, is that it is difficult to
> allow some http but not other, so if the port is 80, it pretty much has to be
> OK. So how would squid (or anything else except perhaps Level 7) know that
> this particular connection is A Bad Thing?

One word, er name, Squid (Caching Proxy). Squid is *WONDERFUL*. Squid has saved my life *SO* many times. The ACL system, though difficult to understand at first, is extremely flexible and easy to work with once you get down Squid's syntax. I can easily define an ACL as such:

    acl my_acl_name dstdomain .domain_I_dont_like.tld
    http_access deny my_acl_name

Squid works completely inside of the HTTP (layer 7) protocol, or FTP protocol, or many other protocols. These are just some of the benefits of using an application layer gateway.

> I have been successful at limiting the number of FTP connections per user
> using iptables' connlimit and helper. That's where I'd start. And if three
> turned out to be too many, I'd reduce connlimit to 2 for HTTP and 1 for FTP.
>
> iptables -N HTTP
> iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
> iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A HTTP -j RETURN

If the traffic that you are trying to connlimit is internal to your LAN I would recommend that you REJECT the traffic as this will prevent the client user agents from having to time out.

> iptables -A FORWARD -p tcp --dport 80 -j HTTP
> iptables -A FORWARD -p tcp --sport 80 -j HTTP
> iptables -A FORWARD -m helper --helper ftp -j HTTP
>
> In conjunction with my ACL (posted here a while back; it limits specific
> users to specific ports), the above would not be total deny, but it sure
> would put a dent in abuse.

Grant. . . .
Re: [LARTC] IP2P & Skype question
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run squid/mail
> server.

Yes, it *IS* *MUCH* easier to block everything and only allow out the traffic that you want. Unfortunately *MANY* of my clients will not let me do that as they don't see any security problem(s) in what they presently have. It is my job (consultant) to enlighten my clients to the potential problems that do exist and to prevent / fix them to the best of my ability on their networks.

I am a Consultant / Systems Administrator for a small company with many clients (circa 50) with an email user base of something around 300 on my main mail server (mostly my clients' email). I have to run my network at the office and the networks at my clients. I have anything ranging from DOS 6.22 & 98 clients on Novell NetWare 4.11 IPX / IP networks, to M$ Windows 2000 with 2k and XP clients, to unix networks. I get the gauntlet and thus have to deal with a LOT of crap.

Grant. . . .
Re: [LARTC] IP2P & Skype question
Andy Furniss wrote:
> Taylor, Grant wrote:
>>> Regarding yahoo messenger, I have not looked at this for a while. As I
>>> understood, it used a single outgoing port and if blocked - end of
>>> yahoo Or has this changed since I last looked?
>>
>> This must have changed as Yahoo will try to connect 4 different servers
>> on 8 different ports for basic IM use. If you want to use other
>> features like the webcam, file sharing, or voice chat there are
>> different servers and different ports that your client will connect to.
>> Take a look at
>> http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you
>> want to see Yahoo's definition of what the client does. I wrote a RegEx
>> of the various host names that Yahoo will connect to,
>> "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com".
>> If I could implement a match in DNS for this RegEx I would do so to
>> prevent computers on my networks from finding things.
>
> What fun it must be being a netadmin - what don't you want to block, by
> which I mean wouldn't it be easier to block everything and run
> squid/mail server.
>
> Andy.

Yes, I too have been reading these things asking myself why one would allow users such open access. One reason, of course, is that it is difficult to allow some http but not other, so if the port is 80, it pretty much has to be OK. So how would squid (or anything else except perhaps Level 7) know that this particular connection is A Bad Thing?

I have been successful at limiting the number of FTP connections per user using iptables' connlimit and helper. That's where I'd start. And if three turned out to be too many, I'd reduce connlimit to 2 for HTTP and 1 for FTP.

iptables -N HTTP
iptables -A HTTP -p tcp -m connlimit --connlimit-above 3 -j DROP
iptables -A HTTP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A HTTP -j RETURN

iptables -A FORWARD -p tcp --dport 80 -j HTTP
iptables -A FORWARD -p tcp --sport 80 -j HTTP
iptables -A FORWARD -m helper --helper ftp -j HTTP

In conjunction with my ACL (posted here a while back; it limits specific users to specific ports), the above would not be total deny, but it sure would put a dent in abuse.

gypsy
Re: [LARTC] latest code
"Ethy H. Brito" wrote:
> On Tue, 26 Apr 2005 07:07:27 -0700
> gypsy <[EMAIL PROTECTED]> wrote:
>
>>> Im trying to download the iproute2 source code from the freshmeat.net.
>>> I'm having problem downloading the latest code. Is this a known issue
>>> or just me getting this problem. Is version
>>> iproute2-2.6.11-050330.tar.gz a good version instead of the latest?
>
> I apologize for my ignorance but the -2.6.11- part has something to do with
> kernel version or is it just a coincidence?

Yes, it is coincidence. No, it has nothing whatsoever to do with kernel version. No apology, please; this was a very valid question.

> Regards
>
> --
>
> Ethy H. Brito /"\
Re: [LARTC] A general view of the TC
> Is there any library that i can hook on at runtime in order to create
> a qdisc dynamically from a program or if i want to do this I have to
> call the "tc" command?
> The disadvantage of calling the tc command from a process is that it
> creates another process and this slows things up.

http://www.coverfire.com/lql/

--
damjan
This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!
Fwd: [LARTC] HTB Weird Shaping Question(Bug?). Please Help!
Oops, forgot to post to the group...

-- Forwarded message --
From: Leo Huang <[EMAIL PROTECTED]>
Date: Apr 27, 2005 10:46 AM
Subject: Re: [LARTC] HTB Weird Shaping Question(Bug?). Please Help!
To: Andy Furniss <[EMAIL PROTECTED]>

Thanks Andy,

What you have said makes absolute sense to me. However, I only "reserved" 136Kbit for the VoIP traffic, there are 44Kbit available even if we assume the 180Kbit is the maximum. Why doesn't HTB allocate the 44Kbit to the class for ping traffic, which only requires rate 4Kbit and 0.5 Kbit?

Thanks again,
Leo

On 4/27/05, Andy Furniss <[EMAIL PROTECTED]> wrote:
> Leo wrote:
>> In the first test, I limit the SUBCLASS_OUTRATE to 200Kbit. Both pings
>> are around 20ms before I start the VoIP services. However, once I start
>> the services, the pings jump up to 1800ms.
>>
>> In the second test, I limit the SUBCLASS_OUTRATE to 180Kbit. The pings
>> jump up to 80ms, which is perfectly acceptable.
>>
>> After a few tests, I noticed that 180Kbit is a magic number, anything
>> exceeding that will generate 1800ms pings, and below it is 80ms.
>>
>> In my scenario, the weird point is that the determining factor is the
>> ceiling, but not the rate. That's the "rate" for other class doesn't
>> seem to give bandwidth to packets in the corresponding class unless the
>> ceil for the 1:110 is low enough!
>>
>> I attached my script and "tc -s class show" below. I truncated part of
>> the script and the results to make it short.
>>
>> Please shine me a light!
>
> It's because the link is dsl and there are lots of overheads on each
> packet (and they vary with packet size). HTB rates are based on ip
> packet length and with lots of small packets like voip the difference
> can be a lot.
>
> The 1800ms latency is not caused by a queue within htb it's in your
> modem/router because it can't send >180kbit ip level for voip.
>
> You can patch HTB and TC to make things perfect - you could set a ceil
> very close to your sync rate then. You need to know exactly what type of
> dsl you are on to find your overhead though. If your modem/router gives
> ATM cell counts you can deduce it from those.
>
> There is a very good thesis and patch info here -
>
> http://www.adsl-optimizer.dk/
>
> Andy.
Re: [LARTC] IP2P & Skype question
Taylor, Grant wrote:
>> Regarding yahoo messenger, I have not looked at this for a while. As I
>> understood, it used a single outgoing port and if blocked - end of
>> yahoo Or has this changed since I last looked?
>
> This must have changed as Yahoo will try to connect 4 different servers
> on 8 different ports for basic IM use. If you want to use other features
> like the webcam, file sharing, or voice chat there are different servers
> and different ports that your client will connect to. Take a look at
> http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you
> want to see Yahoo's definition of what the client does. I wrote a RegEx
> of the various host names that Yahoo will connect to,
> "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com".
> If I could implement a match in DNS for this RegEx I would do so to
> prevent computers on my networks from finding things.

What fun it must be being a netadmin - what don't you want to block, by which I mean wouldn't it be easier to block everything and run squid/mail server.

Andy.
Re: [LARTC] HTB Weird Shaping Question(Bug?). Please Help!
Leo wrote:
> In the first test, I limit the SUBCLASS_OUTRATE to 200Kbit. Both pings
> are around 20ms before I start the VoIP services. However, once I start
> the services, the pings jump up to 1800ms.
>
> In the second test, I limit the SUBCLASS_OUTRATE to 180Kbit. The pings
> jump up to 80ms, which is perfectly acceptable.
>
> After a few tests, I noticed that 180Kbit is a magic number, anything
> exceeding that will generate 1800ms pings, and below it is 80ms.
>
> In my scenario, the weird point is that the determining factor is the
> ceiling, but not the rate. That's the "rate" for other class doesn't
> seem to give bandwidth to packets in the corresponding class unless the
> ceil for the 1:110 is low enough!
>
> I attached my script and "tc -s class show" below. I truncated part of
> the script and the results to make it short.
>
> Please shine me a light!

It's because the link is dsl and there are lots of overheads on each packet (and they vary with packet size). HTB rates are based on ip packet length and with lots of small packets like voip the difference can be a lot.

The 1800ms latency is not caused by a queue within htb it's in your modem/router because it can't send >180kbit ip level for voip.

You can patch HTB and TC to make things perfect - you could set a ceil very close to your sync rate then. You need to know exactly what type of dsl you are on to find your overhead though. If your modem/router gives ATM cell counts you can deduce it from those.

There is a very good thesis and patch info here -

http://www.adsl-optimizer.dk/

Andy.
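Andy's point that HTB counts IP bytes while the ATM layer sends padded 53-byte cells (and Grant's earlier remark that tiny ICMP packets grow on the wire), carried through as an added example that is not from the thread. The encapsulation sizes, the 256 kbit sync rate and the packet streams are assumptions; the "max ceil" column is the highest IP-level rate that fits the sync for packets of that size.

```shell
#!/bin/sh
# Added example, not from the thread: how ATM/AAL5 framing inflates small
# packets, and why an HTB ceil expressed in IP bytes can overrun a 256 kbit
# ADSL sync.  Encapsulation overheads below are assumptions (PPPoA VC-mux ~2
# bytes, PPPoE over LLC/SNAP ~32 bytes); read the real value from your modem.

ATM_CELL_PAYLOAD=48    # data bytes per ATM cell
ATM_CELL_SIZE=53       # bytes actually sent per cell (5-byte header)
AAL5_TRAILER=8         # AAL5 trailer appended before cell padding

# wire_bytes IP_LEN ENCAP: bytes on the ATM link for one IP packet.
# The last cell is padded, so small packets pay proportionally more.
wire_bytes() {
    total=$(( $1 + $2 + AAL5_TRAILER ))
    cells=$(( (total + ATM_CELL_PAYLOAD - 1) / ATM_CELL_PAYLOAD ))
    echo $(( cells * ATM_CELL_SIZE ))
}

# ip_kbit IP_LEN PPS: what HTB accounts for (IP bytes only).
ip_kbit() { echo $(( $1 * $2 * 8 / 1000 )); }

# link_kbit IP_LEN ENCAP PPS: what the ATM link actually carries.
link_kbit() { echo $(( $(wire_bytes "$1" "$2") * $3 * 8 / 1000 )); }

# max_ip_kbit IP_LEN ENCAP SYNC_KBIT: highest IP-level rate (i.e. HTB ceil)
# that still fits the sync rate for a stream of packets of this size.
max_ip_kbit() { echo $(( $3 * $1 / $(wire_bytes "$1" "$2") )); }

# Report for a few constructed streams: G.711 at 20 ms (160+12+8+20 = 200 byte
# IP packets, 50 pps), 64-byte pings (84 byte IP packets) and bare TCP ACKs.
report() {
    encap=$1; sync=$2
    printf '%-28s %8s %9s %10s\n' "stream (encap=$encap)" "IP kbit" "ATM kbit" "max ceil"
    for spec in "G.711u call:200:50" "ping -s 56:84:10" "TCP ACK:40:100"; do
        name=${spec%%:*}; rest=${spec#*:}; len=${rest%%:*}; pps=${rest#*:}
        printf '%-28s %8s %9s %10s\n' "$name" "$(ip_kbit "$len" "$pps")" \
            "$(link_kbit "$len" "$encap" "$pps")" "$(max_ip_kbit "$len" "$encap" "$sync")"
    done
}

report 2 256     # PPPoA VC-mux on a 256 kbit upstream
report 32 256    # PPPoE over LLC/SNAP on the same link
```

With these assumptions one G.711 call is 80 kbit at IP level but 106 kbit on the ATM link, and three calls exceed the 256 kbit sync while HTB still believes it is under 200 kbit.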
Re: [LARTC] Activate ingress policies on suse enterprise server 9
Grames Gernot wrote:
> Hi,
>
> The problem is this is my goal to use the policer and not the iptables.
> Because with the policer i think you can give more rules and restrictions
> to the incoming tcpip traffic. You can limit with iptables as well as drop.
>
> So I would prefer to use the policer and not the iptables.

I just looked and AFAICT you will need a newer kernel than the 2.6.5 that your suse is using - maybe suse do a more recent one. I don't know about doing kernels on suse - you'll have to see suse docs or ask on a suse group about doing kernels as you haven't done it before.

The option that you need selected after doing a make menuconfig is "packet actions" in "QoS and/or fair queueing" under "networking options" under "networking support" under "Device drivers". When you select that you can then select "policing actions" and it will be the new policer.

I don't know where your current config is - but try and find it and use it as a base when doing a new kernel - you can load it from the make menuconfig menus.

Andy.
Re: [LARTC] IP2P & Skype question
> Regarding yahoo messenger, I have not looked at this for a while. As I
> understood, it used a single outgoing port and if blocked - end of yahoo
> Or has this changed since I last looked?

This must have changed as Yahoo will try to connect 4 different servers on 8 different ports for basic IM use. If you want to use other features like the webcam, file sharing, or voice chat there are different servers and different ports that your client will connect to. Take a look at http://help.yahoo.com/help/us/sbc/messenger/signin/signin-02.html if you want to see Yahoo's definition of what the client does. I wrote a RegEx of the various host names that Yahoo will connect to, "((scs(|a-z)|filetransfer).msg|v(0-99).(vc|vip).sc(a-z|0-99)|webcam).yahoo.com". If I could implement a match in DNS for this RegEx I would do so to prevent computers on my networks from finding things.

Grant. . . .
[LARTC] SQLiaison E-Mail Virus Alert
SQLiaison Mail Server: GroupShield™ Alert

The email server has discovered a problem with the following email. Please note that the sender of the email will not be notified with this message.

> More information :
Date/Time sent: 26 Apr 2005 14:44:03
Subject line: [LARTC] Re:
From: [EMAIL PROTECTED]
To: LARTC
Action taken: Deleted
Virus Found: W32/[EMAIL PROTECTED]
Reason: Anti-Virus Rule Group:

For additional information, please contact SQLiaison Support Team [EMAIL PROTECTED]
[LARTC] 2 internet connection problem :(
                        -----| external IP eth0 |
                       |
  | Internal IP eth1 |-----
                       |
                        -----| external IP eth2 |

i want to put web and ftp traffic to eth2 and all other traffic to eth0
is it possible can anybody help me to do that

here is my config

iptables -t nat -A POSTROUTING -o eth2 -s 192.168.0.0/0 -d ! 192.168.0.0/16 -p tcp --dport 80 -j SNAT --to-source <External IP on eth2>
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/0 -d ! 192.168.0.0/16 -j SNAT --to-source <External IP on eth0>

Destination     Gateway          Genmask          Flags Metric Ref Use Iface
213.32.208.248  0.0.0.0          255.255.255.248  U     0      0   0   eth0
213.32.208.248  0.0.0.0          255.255.255.248  U     0      0   0   ipsec0
192.168.5.0     213.32.208.249   255.255.255.0    UG    0      0   0   ipsec0
217.10.130.0    0.0.0.0          255.255.255.0    U     0      0   0   eth2
192.168.128.0   213.32.208.249   255.255.255.0    UG    0      0   0   ipsec0
192.168.0.0     0.0.0.0          255.255.255.0    U     0      0   0   eth1
192.168.32.0    213.32.208.249   255.255.240.0    UG    0      0   0   ipsec0
127.0.0.0       0.0.0.0          255.0.0.0        U     0      0   0   lo
0.0.0.0         213.32.208.249   0.0.0.0          UG    1      0   0   eth0
0.0.0.0         217.10.130.1     0.0.0.0          UG    2      0   0   eth2

Thanks in Advance
[LARTC] SQLiaison E-Mail Virus Alert
SQLiaison Mail Server: GroupShield™ Alert

The email server has discovered a problem with the following email. Please note that the sender of the email will not be notified with this message.

> More information :
Date/Time sent: 26 Apr 2005 10:37:40
Subject line: [LARTC] Re:
From: [EMAIL PROTECTED]
To: LARTC
Action taken: Deleted
Virus Found: W32/[EMAIL PROTECTED]
Reason: Anti-Virus Rule Group:

For additional information, please contact SQLiaison Support Team [EMAIL PROTECTED]
Re: [LARTC] latest code
Grace Baldonasa wrote:
> Hi,
>
> Im trying to download the iproute2 source code from the freshmeat.net.
> I'm having problem downloading the latest code. Is this a known issue
> or just me getting this problem. Is version
> iproute2-2.6.11-050330.tar.gz a good version instead of the latest?

050330 _is_ the latest!

> Thanks.
>
> grace

Get it from here: http://developer.osdl.org/dev/iproute2/download/
latest: http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.11-050330.tar.gz

gypsy
Re: [LARTC] IP2P & Skype question
Thanks everyone who is participating in this discussion, as it has thrown up some interesting points and some quite scary ones.

The easiest (if there is one) way to do this might be to snoop the traffic from a client as it logs on and try to classify that. I did make a feeble attempt to block this by snooping the login process and trying to block the IPs that the client tried to authenticate with, but after about 30, I realized I did not know how long the piece of string was and gave up. I will need to look into the ethereal howto and see what I can find, unless anyone else has done this and had any form of success!!

Regarding yahoo messenger, I have not looked at this for a while. As I understood, it used a single outgoing port and if blocked - end of yahoo. Or has this changed since I last looked?

Thanks for now.

Gary

-
Taylor, Grant wrote:
> After doing some reading
> (http://www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf)
> it looks like the only easy way to detect and stop Skype communications is
> through the connection to the Skype login server and treat the traffic coming
> from that host as if it is Skype traffic.
>
> If you are wanting to classify Skype traffic I'm not sure how to help.
> However if you are just wanting to prevent Skype from being able to
> communicate on your network you may be able to look for the traffic that the
> Skype client sends to the Skype Login Server as it tries to login to the
> Skype network. I have a feeling that if you DROPed this traffic the Skype
> client would not be able to communicate with the Skype network and thus block
> this traffic.
>
> Anything beyond this is going to be extremely difficult to block as Skype is
> a generational enhanced protocol from the developers of Kazaa and thus going
> to be very hard to stop. IMHO Skype will make blocking Yahoo Instant
> Messenger look easy. This is very scary to me, a network administrator. :(
>
> I have a feeling the real way to deal with this will be to write a Skype
> client that will connect to the network and find as many Skype Super Nodes as
> it can and add the IPs of the SNs as well as the corresponding port (as it is
> possibly dynamic) and add them to an IPSet via an external program.
> Unfortunately this is something that will have to be maintained via a cron
> job or something else and thus not easy.
>
> I have a feeling that we are going to see more and more things like this on
> the net as more and more people are trying to fight security thus we SAs have
> to work harder and harder.
>
> If you try to make the world more idiot proof the universe will build a
> better idiot. The universe is winning.
>
> Grant. . . .
>
> Andreas Klauer wrote:
>> Okay. That's details about the protocol I have no clue about. If only one
>> packet can be matched, I'd probably try to squeeze as much information out
>> of this one as possible (source and destination address or whatever can be
>> obtained) and then shape using this criteria. If you're lucky, you know
>> this stuff beforehand, and can use static shaping/filter rules for that,
>> otherwise you'll have to whip up a more dynamic solution.
Re: [LARTC] filtering
Hi Grace,

I guess the best (most flexible) way is to use iptables (netfilter) to mark the packets and then use tc filter to match the marks. "Traffic-Control-HOWTO" should answer most of your questions.

http://linux-ip.net/articles/Traffic-Control-HOWTO/index.html

Leo

Grace Baldonasa wrote:
> Hi,
>
> Can I use mac address as classifiers in the filters?
>
> Grace
[LARTC] HTB Weird Shaping Question(Bug?). Please Help!
Hi all,

I have a script that allocates an ADSL (1500K/256K) bandwidth to three users. My idea is to allow each user a guaranteed rate, while each one is allowed to burst to the max rate while no one else is using the bandwidth. I use imq0 for uplink (for some mobility reason) and imq1 for downlink.

Everything works smoothly except for VoIP traffic. There are three VoIP phones attached to a computer. They are set up for different providers. It is possible that all of them are engaged at the same time. And it does happen that all of them are using the G711u codec, which consumes around 110kbit each for each direction (i.e. the total bandwidth consumed is larger than the physical link rate 256K). In this situation, it slowed down the whole network affecting all classes, which should not be happening.

I have done a bit of testing, and isolated the problem to the uplink congestion. Please refer to the script I attached below. I classify all the udp traffic (generated by the VoIP applications) to 1:110. I continuously generate ping traffic on the computer and the router to a remote computer in the ISP network. The pings from the computer are classified as 1:105, while the pings from the router are classified as 1:800. The max uplink speed is 220Kbit determined by observation.

In the first test, I limit the SUBCLASS_OUTRATE to 200Kbit. Both pings are around 20ms before I start the VoIP services. However, once I start the services, the pings jump up to 1800ms.

In the second test, I limit the SUBCLASS_OUTRATE to 180Kbit. The pings jump up to 80ms, which is perfectly acceptable.

After a few tests, I noticed that 180Kbit is a magic number, anything exceeding that will generate 1800ms pings, and below it is 80ms.

In my scenario, the weird point is that the determining factor is the ceiling, but not the rate. That's the "rate" for other class doesn't seem to give bandwidth to packets in the corresponding class unless the ceil for the 1:110 is low enough!

I attached my script and "tc -s class show" below. I truncated part of the script and the results to make it short.

Please shine me a light!

Thanks heaps,
Leo

P.S. My router is Linksys WRT54G. I've tried top, it doesn't LOOK LIKE a CPU load problem.

Script:

#!/bin/sh
#ADDRs
ROUTER=192.168.1.1
LEO_LAP_WL=192.168.1.31
LEO_LAP=192.168.1.32
LEO_DES=192.168.1.33
PONY_DES=192.168.1.34
ERIC_DES=192.168.1.35
ERIC_LAP=192.168.1.36
# Interfaces
OUTQ=imq0
INQ=imq1
# Speed Rates
ROOT_OUTRATE=200kbit
ROOT_INRATE=1310kbit
CLASS_OUTRATE=200kbit
CLASS_INRATE=1310kbit
SUBCLASS_OUTRATE=180kbit
SUBCLASS_INRATE=1310kbit
# Init Interfaces
ip link set ${INQ} up
ip link set ${OUTQ} up
iptables -t mangle -F
iptables -t mangle -A POSTROUTING -o ppp0 -j IMQ --todev 0
iptables -t mangle -A PREROUTING -i ppp0 -j IMQ --todev 1
#Outbound Traffic
tc qdisc del dev ${OUTQ} root
tc qdisc add dev ${OUTQ} root handle 1: htb default 800
tc class add dev ${OUTQ} parent 1: classid 1:1 htb rate ${ROOT_OUTRATE}
#Leo
tc class add dev ${OUTQ} parent 1:1 classid 1:100 htb rate 17kbps ceil ${CLASS_OUTRATE} prio 0
tc class add dev ${OUTQ} parent 1:100 classid 1:105 htb rate 5kbps ceil ${SUBCLASS_OUTRATE} prio 3   # Other
tc class add dev ${OUTQ} parent 1:100 classid 1:110 htb rate 4kbps ceil ${SUBCLASS_OUTRATE} prio 0   # VoIP
tc class add dev ${OUTQ} parent 1:100 classid 1:120 htb rate 1kbps ceil ${SUBCLASS_OUTRATE} prio 0   # SSH
tc class add dev ${OUTQ} parent 1:100 classid 1:130 htb rate 1kbps ceil ${SUBCLASS_OUTRATE} prio 1   # Telnet
tc class add dev ${OUTQ} parent 1:100 classid 1:140 htb rate 2kbps ceil ${SUBCLASS_OUTRATE} prio 1   # TermSrv
tc class add dev ${OUTQ} parent 1:100 classid 1:150 htb rate 4kbps ceil ${SUBCLASS_OUTRATE} prio 2   # Mail
#Pony
tc class add dev ${OUTQ} parent 1:1 classid 1:200 htb rate 5kbps ceil ${CLASS_OUTRATE} prio 4
#Eric
tc class add dev ${OUTQ} parent 1:1 classid 1:300 htb rate 5kbps ceil ${CLASS_OUTRATE} prio 4
#Other
tc class add dev ${OUTQ} parent 1:1 classid 1:800 htb rate 0.5kbps ceil ${CLASS_OUTRATE} prio 5

tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 1 fw classid 1:105
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 2 fw classid 1:200
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 3 fw classid 1:300
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 4 fw classid 1:800
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 5 fw classid 1:110
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 6 fw classid 1:120
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 7 fw classid 1:130
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 8 fw classid 1:140
tc filter add dev ${OUTQ} parent 1:0 protocol ip handle 9 fw classid 1:150

tc qdisc add dev ${OUTQ} parent 1:105 handle 105: pfifo limit 5
tc qdisc add dev ${OUTQ} parent 1:200 handle 200: pfifo limit 5
tc qdisc add dev ${OUTQ} parent 1:300 handle 300: pfifo limit 5
tc qdisc add dev ${OUTQ} parent 1:800 handle 800: pfifo limit 5
tc qdi
[LARTC] IP Tunneling
Hello

I have /25 addresses on a box (virtual devices on eth0) and I want to tunnel some of these addresses to my home network. One address to my gateway (a.b.c.d, external IP) and one address to my internal network (192.168.0.0/24-style). I will use the tunnels for irc, smtp and surfing.

What protocol and which technique is easiest and best to use?

One more thing. I don't want to set up a bridge on eth0 at the /25-box (like the OpenVPN-howto wants me to do). The configuration on that box has to be intact if it's possible, apart from the addresses I will tunnel.

Regards
Jonathan
[LARTC] latest code
Hi,

Im trying to download the iproute2 source code from the freshmeat.net. I'm having problem downloading the latest code. Is this a known issue or just me getting this problem. Is version iproute2-2.6.11-050330.tar.gz a good version instead of the latest?

Thanks.

grace
Re: [LARTC] IP2P & Skype question
> Good idea, but there is a problem: Skype uses a proprietary and closed
> protocol. This makes it hard to come up with a modified client like the one
> you've described, as long as you are not experienced with reverse
> engineering.

I never said that it would be easy. It's just a proposed idea. I'm thinking I'm going to have to do something similar to this with Yahoo IM.

Grant. . . .
Re: [LARTC] IP2P & Skype question
Hi.

Taylor, Grant wrote:
> I have a feeling the real way to deal with this will be to write a Skype
> client that will connect to the network and find as many Skype Super Nodes
> as it can and add the IPs of the SNs as well as the corresponding port (as
> it is possibly dynamic) and add them to an IPSet via an external program.

Good idea, but there is a problem: Skype uses a proprietary and closed protocol. This makes it hard to come up with a modified client like the one you've described, as long as you are not experienced with reverse engineering.

Bye, Mike