Re: [LARTC] Allowing CVS, RCP & SCP
bert hubert said:
> On Thu, Jul 04, 2002 at 02:01:07PM +0100, Alex Bennee wrote:
>> A. Peter Mee said:
>> >
>> > Could someone give me some pointers to achieving stable cvs and rcp
>> > access through a fairly restrictive firewall.
>> >
>>
>> CVS isn't a network protocol. You generally run it using remote shell
>> tools, in the CVS manual it allows you to specify how with the
>> CVS_RSH environment variable.
>
> CVS 'pserver' lives on port 2401. Use netstat -an to see which ports
> have LISTENing sockets, and open up those ports.

Quite correct of course. There are numerous ways of accessing remote CVS repositories (see http://www.cvshome.org/docs/manual/cvs_2.html#SEC26). CVS over ssh seems to be the preferred method of large development communities (sourceforge and savannah at least). Once you've got ssh working you don't need to do any additional (network level) work to get CVS running.

I would generally be wary of just opening up ports that are listening without being aware of the security implications of using that protocol. The CVS documentation suggests Kerberos over pserver for security. ssh works just as well (the documentation only refers to rsh, which is insecure but replaceable by ssh).

Alex
www.bennee.com/~alex/
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Re: [LARTC] Allowing CVS, RCP & SCP
A. Peter Mee said:
> Hi all,
>
> Could someone give me some pointers to achieving stable cvs and rcp
> access through a fairly restrictive firewall. I'm using a 2.4.18
> kernel which defaults to dropping everything, then punching holes where
> needed and SNATting the internal network. Single-socket protocols
> (http, smtp, pop3) do currently function correctly through the firewall
> so I'm assuming the cvs and rcp/scp protocols are not single-socket.
> The ftp and irc protocols also function correctly through the firewall.

ssh is a single socket protocol. If you can ssh through your firewall then you can use scp. You can even tunnel other ports over the single ssh connection (e.g. X).

CVS isn't a network protocol. You generally run it using remote shell tools, in the CVS manual it allows you to specify how with the CVS_RSH environment variable.

r* tools are bad. Do you need them?

> If something more specific about my configuration is needed, I'll be
> happy to oblige. ;-)
>
> TIA
>
> Cheers,
>
> Pete Mee

Alex
www.bennee.com/~alex/
Re: [LARTC] TCP/UDP traffic priority.
Carles Xavier Munyoz Baldó said:
> Hi,
> Is it possible with Linux Traffic Control system to give priority to
> some TCP/UDP traffic based upon the port number ?

Yes. You can either use tc's own packet classification or mark packets with iptables/ipchains to route packets through different traffic shapers. See Section 9 of the lartc HOWTO (http://lartc.org/HOWTO//cvs/2.4routing/html/c427.html) for an intro to the options you have available.

Alex
www.bennee.com/~alex/
Re: [LARTC] Beginner
ewan said:
>
>> #Lan--Internal Firewall--- External firewall -- Internet
>>                                    |
>>                                    |
>>                                webserver
>
>
> what purpose does the internal firewall serve? just plug everything
> into one firewall and write rules accordingly

There is nothing wrong with having multiple layers of firewalls. It means your haxor has several layers of security to beat - security through depth. But you can just use iptables on your internal firewall as well. No point learning new semantics :-)

Alex
www.bennee.com/~alex/
Re: [LARTC] (no subject)
Emil Terziev said:
> Hi ,
> I need to limit traffic from my LAN (172.16.1.x/24)
> every IP.
>
> I have BG_Traffic (couple LANs 212.50.16.0/24,
> 217.9.231.0/24, 195.24.39.0/24)
> and I have not_BG_Traffic (rest of Internet world).
> I want for example
> IP 172.16.1.10 to have 10K for BG_Traffic and 25K for
> not_BG_Traffic.
> IP 172.16.1.11 to have 6K for BG_Traffic and 64K for
> not_BG_Traffic.
> IP 172.16.1.12 to have 8K for BG_Traffic and 10K for
> not_BG_Traffic.
>
> Can you help me? I'm new to tc & iproute and this is
> very difficult for me.

If you look through the archive for this mailing list for an htb/tc script you should find an example of how to classify traffic using iptables for tc controlled shapers. As you want hard limits you may not want to use the prio settings. Obviously you won't want to use the iptables classifications I use (which go by traffic type) but use network matches instead.

You should also read the htb manual (http://luxik.cdi.cz/~devik/qos/htb/) as it contains some useful worked examples that are pretty clear about the parameters for htb shapers.

Alex
www.bennee.com/~alex/
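The shape of what the reply describes (hard htb limits per host, fed by iptables marks that match on network rather than port), written out as an added example that is neither this post's nor the archive script it refers to. It assumes the "K" figures mean kbit/s, that the limits apply to traffic leaving the router towards the LAN on eth1, and that the BG networks are the three listed in the question; TC_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from this post or the archive script it points to: one
# HTB leaf per (host, traffic type) with rate == ceil, i.e. a hard limit with
# no borrowing, fed by iptables marks that match on destination network
# rather than on port.  Assumptions: "10K" etc. mean kbit/s, the limits are
# applied to traffic leaving the router towards the LAN on eth1, and the BG
# networks are the three from the question.  TC_DRY_RUN=1 prints, not runs.
LAN=${LAN:-eth1}
BG_NETS="212.50.16.0/24 217.9.231.0/24 195.24.39.0/24"
# host : mark+class for BG : BG rate : mark+class for the rest : rest rate
# (tc parses class ids as hex but fw handles and iptables marks as decimal;
#  using the same digit-only string for all three keeps them consistent)
HOSTS="172.16.1.10:10:10kbit:11:25kbit
172.16.1.11:20:6kbit:21:64kbit
172.16.1.12:30:8kbit:31:10kbit"

run() { if [ "${TC_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# leaf class $1 capped at $2, an sfq under it, and the fw filter for mark $1
add_leaf() {
    run tc class add dev "$LAN" parent 1:1 classid "1:$1" htb rate "$2" ceil "$2"
    run tc qdisc add dev "$LAN" parent "1:$1" handle "$1:" sfq perturb 10
    run tc filter add dev "$LAN" parent 1: protocol ip prio 1 handle "$1" fw flowid "1:$1"
}

setup_limits() {
    run tc qdisc del dev "$LAN" root 2>/dev/null || true
    run tc qdisc add dev "$LAN" root handle 1: htb default 99
    run tc class add dev "$LAN" parent 1: classid 1:1 htb rate 100mbit    # LAN link (assumed)
    run tc class add dev "$LAN" parent 1:1 classid 1:99 htb rate 100mbit  # hosts not listed
    run iptables -t mangle -N to-lan
    echo "$HOSTS" | while IFS=: read -r ip bgmark bgrate restmark restrate; do
        add_leaf "$bgmark" "$bgrate"
        add_leaf "$restmark" "$restrate"
        for net in $BG_NETS; do
            run iptables -t mangle -A to-lan -d "$ip" -s "$net" -j MARK --set-mark "$bgmark"
        done
        # MARK does not stop rule traversal, so only mark what is still unmarked
        run iptables -t mangle -A to-lan -d "$ip" -m mark --mark 0 -j MARK --set-mark "$restmark"
    done
    run iptables -t mangle -A POSTROUTING -o "$LAN" -j to-lan
}

# "sh limits.sh apply" as root applies it; with TC_DRY_RUN=1 set it only prints
if [ "${1:-}" = "apply" ]; then setup_limits; fi
```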
Re: [LARTC] A tc htb/iptables rate control script for ADSL
Martin Devera said:
> Hi,
> I'm happy that HTB gained so much popularity ;) Only
> one hint for you - you can completely avoid all these
> tc filter add fw ...
> You can use only one
> tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 1 fw
>
> and set classid directly in iptables like:
> iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 0x10010
> iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 0x10020
>
> and so on ..
> devik

Thanks for that, it should make my script a bit less cumbersome.

I have also realised that at the moment the bandwidth is being shared out in proportion to allocated bandwidths, which is not quite what I was after. Having re-read your manual pages I've now added "prio" statements to each htb class so that if I'm downloading from inside I get all the bandwidth I need at the expense of the uploads, rather than a 2:1 split. I got it the second time, the first time I wasn't sure if prio 0 was the highest or lowest priority.

The other thing that is currently sub-optimal is the division of long uploads vs short uploads. I've attempted to ensure that normal webpages are downloaded as fast as possible with the burst parameter, but if someone is downloading a large file from my website all other web users suffer. I've got to do some more reading but my current plan involves the iptables connection tracking. I'm not sure if iptables does this already, but if I can match and tag a packet based on the time of the connection I can still allow new connections to get priority over long lived downloads. This may involve writing a new kernel module as a netfilter extension but it would be the icing on the cake to my setup :-)

Alex
www.bennee.com/~alex/
[LARTC] Using tc with iptables marking.
Hi,

Excuse the long first post but I thought I had better annotate the script I have so far. I have been looking for a solution for keeping my "interactive" browsing whilst people hammer my web-server (hosted inside the dsl, port forwarded from the router). I've looked at scripts like the wondershaper but I decided to roll my own as I'm already reasonably au fait with the iptables toolchain. The problem is it doesn't work as expected but I may be missing something. Onwards with the config:

First I set up iptables to mark outgoing packets (I don't bother with incoming as ADSL is asymmetric and it's the upstream interface that saturates)

# Setup POSTROUTING marking on dsl output
# needed for QoS type hacks
# 1 - outgoing interactive (ssh)
# 2 - outgoing file stuff (www)
# 3 - incoming interactive (ssh)
# 4 - incoming personal use (https, http-tunnel)
# 5 - incoming web
# 6 - incoming mail
# 7 - everything else

# create the to-dsl table (we can only shape outgoing traffic)
/sbin/iptables -t mangle -N to-dsl

# For outgoing packets we need to mark stuff
/sbin/iptables -t mangle -A to-dsl -p tcp --dport 22 -j MARK --set-mark 1
/sbin/iptables -t mangle -A to-dsl -p tcp --dport 80 -j MARK --set-mark 2
/sbin/iptables -t mangle -A to-dsl -p tcp --sport 24 -j MARK --set-mark 3
/sbin/iptables -t mangle -A to-dsl -p tcp --sport 443 -j MARK --set-mark 4
/sbin/iptables -t mangle -A to-dsl -p tcp --sport 8890 -j MARK --set-mark 4
/sbin/iptables -t mangle -A to-dsl -p tcp --sport 80 -j MARK --set-mark 5
/sbin/iptables -t mangle -A to-dsl -p tcp --sport 25 -j MARK --set-mark 6

# turn it on
/sbin/iptables -t mangle -A POSTROUTING -o ppp0 -j to-dsl

This bit works great. I can do "watch -n 1 -d iptables -t mangle -nvL" and watch packets get marked to the different rules as I expect.
Then I configure the tc bits thusly:

# root qdisc, shape the upload bandwidth to 256kbits
tc qdisc add dev ppp0 root handle 1: cbq avpkt 1000 bandwidth 256kbit rate 240kbit

# create the prioritiser
tc qdisc add dev ppp0 parent 1:0 handle 2: prio bands 6 priomap 0 1 2 3 4 5

# create sfq's for each class
tc qdisc add dev ppp0 parent 2:1 handle 10: sfq
tc qdisc add dev ppp0 parent 2:2 handle 20: sfq
tc qdisc add dev ppp0 parent 2:3 handle 30: sfq
tc qdisc add dev ppp0 parent 2:4 handle 40: sfq
tc qdisc add dev ppp0 parent 2:5 handle 50: sfq
tc qdisc add dev ppp0 parent 2:6 handle 60: sfq

# and now the filters
tc filter add dev ppp0 parent 2:0 protocol ip prio 1 handle 1 fw flowid 10:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 2 handle 2 fw flowid 20:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 3 handle 3 fw flowid 30:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 4 handle 4 fw flowid 40:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 5 handle 5 fw flowid 50:0
tc filter add dev ppp0 parent 2:0 protocol ip prio 6 handle 6 fw flowid 60:0

But when I do a "tc -s -d qdisc ls":

qdisc sfq 60: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 50: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 40: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 30: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 10: dev ppp0 quantum 1478b limit 128p flows 128/1024
 Sent 90818614 bytes 64922 pkts (dropped 0, overlimits 0)
qdisc prio 2: dev ppp0 bands 6 priomap 0 1 2 3 4 5 0 0 1 1 1 1 1 1 1 1
 Sent 92824232 bytes 66370 pkts (dropped 0, overlimits 0)
qdisc cbq 1: dev ppp0 rate 240Kbit cell 8b (bounded,isolated) prio no-transmit/8 weight 240Kbit allot 1478b
level 0 ewma 5 avpkt 1000b maxidle 1016us
 Sent 94712662 bytes 67725 pkts (dropped 0, overlimits 0)
 borrowed 0 overactions 0 avgidle 25026 undertime 0

I suspect the problem is due to me misunderstanding the way prio and priomap work in relation to the filters. I've been looking for any good examples that show iptables -j MARK, prio and filter being used together but have yet to come up with any good ones. If I get this to work you're welcome to use it in the FAQ :-)

Alex
www.bennee.com/~alex/
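The same six-band setup with the filters corrected, as an added example that is not the poster's script: a filter attached to a prio qdisc has to steer into one of that qdisc's own classes (2:1 .. 2:6), and any other classid makes prio fall back to band 0, which is exactly why every packet in the stats above ended up in sfq 10:. It keeps the marks and ppp0 from the post; TC_DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the poster's script: same marks, same six-band prio,
# but every fw filter's flowid names a class of the prio qdisc itself
# (2:1 .. 2:6) instead of the handle of the sfq below it (10:, 20:, ...).
# prio only understands its own class ids; any other classid makes it fall
# back to band 0, which is why all the traffic above ended up in sfq 10:.
# Assumes the iptables marking from the post (marks 1..6 on ppp0 output).
DEV=${DEV:-ppp0}

# TC_DRY_RUN=1 prints the tc commands instead of running them, so the
# generated configuration can be checked without root or a ppp0 device.
tc_cmd() {
    if [ "${TC_DRY_RUN:-0}" = "1" ]; then echo "tc $*"; else tc "$@"; fi
}

# nfmark -> classid of the prio band that should carry it.  Band N of
# qdisc 2: is class 2:N; marks outside 1..6 go to the lowest band, the
# "everything else" slot the post's marking scheme lists as 7 but never sets.
flowid_for_mark() {
    case "$1" in
        1|2|3|4|5|6) echo "2:$1" ;;
        *)           echo "2:6" ;;
    esac
}

setup_shaper() {
    tc_cmd qdisc del dev "$DEV" root 2>/dev/null || true   # start clean
    # root: cap upstream below line rate so the queue forms here, not in the modem
    tc_cmd qdisc add dev "$DEV" root handle 1: cbq avpkt 1000 bandwidth 256kbit rate 240kbit
    # six strict-priority bands; unmarked packets are placed by the priomap (TOS)
    tc_cmd qdisc add dev "$DEV" parent 1:0 handle 2: prio bands 6 priomap 0 1 2 3 4 5
    # per band: an sfq for fairness within the band, and the fw filter for its mark
    for mark in 1 2 3 4 5 6; do
        tc_cmd qdisc add dev "$DEV" parent "2:$mark" handle "${mark}0:" sfq
        tc_cmd filter add dev "$DEV" parent 2:0 protocol ip prio "$mark" \
            handle "$mark" fw flowid "$(flowid_for_mark "$mark")"
    done
}

# "sh shaper.sh apply" as root applies it; with TC_DRY_RUN=1 set it only prints
if [ "${1:-}" = "apply" ]; then setup_shaper; fi
```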