Hi Edmund
OK, sorry 'bout that.
Say for example that I have a webserver and I only want that thing to push
512kbit out. The only way that I see that I would be able to limit this kind
of outbound traffic with the tc classifier is if I knew which ip's will be
visiting web-pages. If this was the situation I would be able to have a long
list of rules that all look something like
.. u32 match ip src xxx.xxx.xxx.xx flowid 1:1
or something
Unfortunately there is about a few million possible ipv4 addresses that can
access the box if they really felt like it.
This could problem could possibly be solved by having a rule like this :
.. u32 match ip sport 80 match ip src (webserver) flowid whatever
But the real problem lies in limiting ftp, since ftp (at least the way i
thought it works. could be wrong. probably am)
just does the whole auth section on sport 20/21 and
the data transfer actually take place on a random 1024+ source port
and a random 1024+ destination port.
This would be perfectly solved with iptables marking because one
should be able to do something like
--append PREROUTING -m state --state ESTABLISHED, RELATED --jump MARK
--set mark 1 { please excuse the line wrapping }
thanks a lot for your time
cilliè
On Monday 03 November 2003 10:35, you wrote:
> Cillie,
> I might be missing something here, but I do use this filter setup for
> limiting outbound http and ftp traffic.
>
>
> Regards
> edmund
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
