RE: Can't keep up with all these file sharing programs!

Linux Advanced Routing and Traffic Control


You could try a completely different approach:

First, set up an iptables rule that redirects anything outbound that's port 80 or 20 or 21 to, say, squid or some other proxy server.  Then block **everything** else going out.

So for the outbound web stuff, get one of the commercial filtering packages and put that on top of the proxy server redirected above.  That will do the layer 7 filtering within the context of outbound web access and will block inappropriate sites.  This will also solve your Kazaa du jour problem cuz nothing will go out except legit web and ftp stuff.

Just a thought - facing similar issues myself.  I don't think you can fight this problem with low level traffic shaping.

- Greg Scott



-----Original Message-----
From: Jason Tackaberry [mailto:tack@auc.ca]
Sent: Wednesday, October 09, 2002 8:55 PM
To: lartc@mailman.ds9a.nl
Subject:  Can't keep up with all these file sharing programs!


Hi everyone,

I'm using HTB to shape traffic for students in our residences.  We're an
extremely small college (about 50 Internet users in our residences) and
we don't have a good deal of bandwidth to work with, so I must do what I
can to make what we do have tolerable to our students.

I am right now using the following approach: I have allotted a portion
of our total bandwidth (R) to the residence subnet on the upstream
interface on our router.  This class is sub-divided into two classes: a
p2p class for all those pesky file sharing programs, which has a ceiling
of about R/2, and an "everything else" class, which has a guaranteed
rate of R/2, and a ceiling of R.  I have put SYN and ACK packets in a
separate class (under root) to improve responsiveness.

In theory, this scheme works pretty good.  The problem is that every day
some of these p2p programs are using different ports, and they manage to
suck up all available downstream bandwidth.  So, the student who wants
to send their friend a file over ICQ is going to get starved by every
other student running Kazaa-du-jour.

Now it would be _really_ nice if there was some ability to examine
packets at layer 7 to determine what class a particular session belongs
in (like, for instance, the way Packeteer's Packet Shaper works).  I'm
assuming I can't get this functionality (unless I write it myself), so
can someone suggest a remedy to my problem?  Is there some magic
adjustment I can make?  Or, perhaps I should try a different approach,
and give each IP a guaranteed rate?  The only drawback I see with this
is that with 50 users, I could only guarantee each user 5kbps. :)

Any guidance would be appreciated.

Best,
Jason.

-- 
Jason Tackaberry  ::  tack@auc.ca  :: 705-949-2301 x330 
Academic Computing Support Specialist
Information Technology Services
Algoma University College  ::  www.auc.ca


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
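
The redirect-then-block approach from Greg Scott's reply at the top of this thread, written out as an iptables-restore ruleset. This is an added example, not part of the original messages; the interface name, residence subnet and the two local proxy ports are assumptions.

```shell
#!/bin/sh
# Added example; interface, subnet and proxy ports are assumptions, not from the thread.
LAN_IF="${LAN_IF:-eth1}"                    # residence-facing interface (assumed)
LAN_NET="${LAN_NET:-10.0.0.0/24}"           # residence subnet (assumed)
HTTP_PROXY_PORT="${HTTP_PROXY_PORT:-3128}"  # local HTTP proxy port (assumed)
FTP_PROXY_PORT="${FTP_PROXY_PORT:-2121}"    # local FTP proxy port (assumed)

# Print an iptables-restore ruleset: redirect ports 80/20/21 to local proxies,
# then drop everything else the residence subnet tries to route out.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Web traffic from the residences is handed to the local HTTP proxy.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PROXY_PORT
# FTP (ports 20 and 21) is handed to the local FTP proxy.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 20,21 -j REDIRECT --to-ports $FTP_PROXY_PORT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirected connections arrive on INPUT at the proxy ports, so INPUT stays open here.
# Forwarded DNS is dropped too: clients are assumed to use a resolver on this router.
# Log a sample of what is being refused, then drop all direct egress from the subnet.
-A FORWARD -i $LAN_IF -s $LAN_NET -m limit --limit 6/min -j LOG --log-prefix "res-egress-drop: "
-A FORWARD -i $LAN_IF -s $LAN_NET -j DROP
COMMIT
EOF
}

# Print the ruleset only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

Pipe the `--print` output through `iptables-restore --test` as root to validate it before loading. Loading it without `--noflush` replaces the existing nat and filter rules.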

