Re: [LARTC] New member

[ph4ke <deff@sadomain.co.za>]

Hi Edmund 

OK, sorry 'bout that. 

Say for example that I have a webserver and I only want that thing to push 
512kbit out. The only way that I see that I would be able to limit this kind 
of outbound traffic with the tc classifier is if I knew which ip's will be 
visiting web-pages.  If this was the situation I would be able to have a long 
list of rules that all look something like 
	.. u32 match ip src xxx.xxx.xxx.xx flowid 1:1 
or something 

Unfortunately there is about a few million possible ipv4 addresses that can 
access the box if they really felt like it. 

This could problem could possibly be solved by having a rule like this : 

	.. u32 match ip sport 80 match ip src (webserver) flowid whatever

But the real problem lies in limiting ftp, since ftp (at least the way i 
thought it works. could be wrong. probably am) 
just does the whole auth section on sport 20/21 and 
the data transfer actually take place on a random 1024+ source port 
and a random 1024+ destination port. 

This would be perfectly solved with iptables marking because one 
should be able to do something like 
	
--append PREROUTING -m state --state ESTABLISHED, RELATED --jump MARK 
--set mark 1   { please excuse the line wrapping } 

thanks a lot for your time 
cilliè 


On Monday 03 November 2003 10:35, you wrote:
> Cillie,
> I might be missing something here, but I do use this filter setup for
> limiting outbound http and ftp traffic.
>
>
> Regards
> edmund


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/