You could try a completely different approach: First, set up an iptables rule that redirects anything outbound that's port 80 or 20 or 21 to, say, squid or some other proxy server. Then block **everything** else going out. So for the outbound web stuff, get one of the commercial filtering packages and put that on top of the proxy server redirected above. That will do the layer 7 filtering within the context of outbound web access and will block inappropriate sites. This will also solve your Kazaa du jour problem cuz nothing will go out except legit web and ftp stuff.

Just a thought - facing similar issues myself. I don't think you can fight this problem with low level traffic shaping.

- Greg Scott

-----Original Message-----
From: Jason Tackaberry [mailto:tack@auc.ca]
Sent: Wednesday, October 09, 2002 8:55 PM
To: lartc@mailman.ds9a.nl
Subject: Can't keep up with all these file sharing programs!

Hi everyone,

I'm using HTB to shape traffic for students in our residences. We're an extremely small college (about 50 Internet users in our residences) and we don't have a good deal of bandwidth to work with, so I must do what I can to make what we do have tolerable to our students.

I am right now using the following approach: I have allotted a portion of our total bandwidth (R) to the residence subnet on the upstream interface on our router. This class is sub-divided into two classes: a p2p class for all those pesky file sharing programs, which has a ceiling of about R/2, and an "everything else" class, which has a guaranteed rate of R/2, and a ceiling of R. I have put SYN and ACK packets in a separate class (under root) to improve responsiveness.

In theory, this scheme works pretty good. The problem is that every day some of these p2p programs are using different ports, and they manage to suck up all available downstream bandwidth. So, the student who wants to send their friend a file over ICQ is going to get starved by every other student running Kazaa-du-jour.

Now it would be _really_ nice if there was some ability to examine packets at layer 7 to determine what class a particular session belongs in (like, for instance, the way Packeteer's Packet Shaper works). I'm assuming I can't get this functionality (unless I write it myself), so can someone suggest a remedy to my problem? Is there some magic adjustment I can make? Or, perhaps I should try a different approach, and give each IP a guaranteed rate? The only drawback I see with this is that with 50 users, I could only guarantee each user 5kbps. :)

Any guidance would be appreciated.

Best,
Jason.

--
Jason Tackaberry :: tack@auc.ca :: 705-949-2301 x330
Academic Computing Support Specialist
Information Technology Services
Algoma University College :: www.auc.ca

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
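The two setups discussed in the thread, as an added example that is not from either poster: Jason's HTB class layout (residence class R, p2p child capped at R/2, "everything else" at R/2 with ceil R, SYN/ACK under root) and Greg's "redirect web/ftp to a proxy, drop the rest" rules. The interface, rate, subnet, proxy port, fwmark values and the p2p port list are assumed placeholders; with DRY_RUN=1 (the default) the script only prints the tc/iptables commands.

```shell
#!/bin/sh
# Constructed example (not from the LARTC thread). DEV, RATE, RES_NET,
# PROXY_PORT, P2P_PORTS and the fwmark values are assumptions.
DEV=${DEV:-eth0}                 # upstream interface on the router
RATE=${RATE:-256}                # R: residence share, in kbit
RES_NET=${RES_NET:-10.1.0.0/24}  # residence subnet (placeholder)
PROXY_PORT=${PROXY_PORT:-3128}   # squid listening port (assumed)
P2P_PORTS=${P2P_PORTS:-1214}     # placeholder; this list is what goes stale daily
DRY_RUN=${DRY_RUN:-1}            # 1 = print commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Jason's layout: residence class R; p2p child capped at R/2; "everything
# else" guaranteed R/2 with ceil R; SYN and small ACK-only packets in their
# own class under root so interactive sessions stay responsive.
htb_shaping() {
    half=$((RATE / 2))
    run tc qdisc add dev "$DEV" root handle 1: htb default 12
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${RATE}kbit" ceil "${RATE}kbit"
    run tc class add dev "$DEV" parent 1:1 classid 1:11 htb rate "${half}kbit" ceil "${half}kbit"
    run tc class add dev "$DEV" parent 1:1 classid 1:12 htb rate "${half}kbit" ceil "${RATE}kbit"
    run tc class add dev "$DEV" parent 1: classid 1:2 htb rate 32kbit ceil "${RATE}kbit"
    # fwmark 1 -> p2p class, fwmark 2 -> SYN/ACK class; marks are set in mangle
    run tc filter add dev "$DEV" parent 1: protocol ip handle 1 fw classid 1:11
    run tc filter add dev "$DEV" parent 1: protocol ip handle 2 fw classid 1:2
    run iptables -t mangle -A FORWARD -s "$RES_NET" -p tcp -m multiport \
        --dports "$P2P_PORTS" -j MARK --set-mark 1
    run iptables -t mangle -A FORWARD -s "$RES_NET" -p tcp --syn -j MARK --set-mark 2
    run iptables -t mangle -A FORWARD -s "$RES_NET" -p tcp --tcp-flags ALL ACK \
        -m length --length 0:64 -j MARK --set-mark 2
}

# Greg's approach: push outbound web/ftp from the residences through the
# proxy and drop everything else from that subnet. Caveats: in active FTP
# port 20 is the server's source port, so a --dport 20 match rarely fires;
# squid expects HTTP on the redirected socket, so a raw FTP control
# connection sent to it is not proxied; and DNS from the residences needs an
# explicit ACCEPT ahead of the final DROP or name resolution breaks too.
proxy_only_egress() {
    run iptables -t nat -A PREROUTING -s "$RES_NET" -p tcp -m multiport --dports 80,20,21 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    run iptables -A FORWARD -s "$RES_NET" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -s "$RES_NET" -j DROP
}

htb_shaping
proxy_only_egress
```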