Dynamic firewall based on bandwidth usage ?

Hello,

I have a common problem but cannot find a solution.

My setup: all servers are Red Hat Enterprise 4. A Cisco PIX sits in front of an HTTP load balancer/failover (called a director in the L.V.S. jargon) that sends requests to 4 web servers (cluster setup based on Linux Virtual Server, included in the Red Hat Cluster Suite).

Now my prob :-)

From time to time users download our site and block all HTTP connections, and worse, use all our bandwidth. So I have to block (or redirect) those network abusers after a download limit (for ex: 1Gb per day) for, let's say, 1 day.

Because of the director, I cannot use the apache2 mod_cband.

My first thought is to look at the iptables on the director but I cannot find any information about that kind of setup.

Do you know if it is possible using built-in Linux tools (iptables?).

If not, do you know some hardware appliance that could do that?

Thanks!
Re: Dynamic firewall based on bandwidth usage ?

On 10/8/06, FM <dist-list@...> wrote:
> So I have to block (or redirect) those
> network abusers after a download limit (for ex : 1Gb per day)
> for lets say 1day.

iptables -A INPUT -p tcp --dport 80 -m quota --quota 1073741824 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-3.html#ss3.13

RTFM, people..

--
Sincerely Yours,
Vladimir Mitiouchev
Re: Dynamic firewall based on bandwidth usage ?

On 10/10/06, Vladimir Mitiouchev <vovcia@...> wrote:
> iptables -A INPUT -p tcp --dport 80 -m quota --quota 1073741824 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j DROP

Of course, find the APPROPRIATE rule for your firewall. nat/PREROUTING, or sth. THINK.

And DO NOT ask how to RESET the counter of the quota match. RTFM, once again. It took me 1 min of googling.

--
Sincerely Yours,
Vladimir Mitiouchev
Re: Dynamic firewall based on bandwidth usage ?

The newest PIX O/S has QoS capability that would allow you to throttle bandwidth based on protocol. I haven't deployed it yet but plan on testing soon...

> [FM's original message, quoted in full]
Re: Dynamic firewall based on bandwidth usage ?

Hey FM,

We use Big IP F5 for all our load balancing requirements. But the best is Alteon equipment. They have a solution to your problem.

--
Cordialement, Sincerely Yours,
Uday K. MOORJANI
Systems Technician
-------------------
MEDIASERV.NET SARL
6, Tour Cécid
Place de la Rénovation
97110 POINTE A PITRE
GUADELOUPE (F.W.I)
-------------------
00(590)590571015
umoorjani@...
Re: Dynamic firewall based on bandwidth usage ?

One idea could be using accounting on iptables and limiting traffic that way....

You should look inside patch-o-matic to see if there is any way to limit traffic by IP (I think that a module exists for that, but check it yourself to be sure...) ( netfilter.samba.org )

Alain

> [FM's original message, quoted in full]
Re: Dynamic firewall based on bandwidth usage ?

On Sun, 08 Oct 2006 14:44:22 -0400
FM <dist-list@...> wrote:
> [FM's original message, quoted in full]

Cisco does that. Depending on which PIX and which version of the PIX, you can do traffic shaping/policing based on a sliding window. Even a Cisco 1750 series will do it. Then you can lower the quality of service to a level where everybody else gets priority over them.

Hope this helps

--
Thanks
http://www.911networks.com
When the network has to work
Re: Dynamic firewall based on bandwidth usage ?

>> So I have to block (or redirect) those
>> network abusers after a download limit (for ex : 1Gb per day)
>> for lets say 1day.
> iptables -A INPUT -p tcp --dport 80 -m quota --quota 1073741824 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j DROP

Hmmm... With the iptables quota, how do you block this IP for a given time? And what prevents the 'leecher' from changing the IP address? When I scent that there could be a limit, I would disconnect my DSL and continue downloading with my new connected IP.?!

But I also don't have a better idea...

Kind Regards,
Peter
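As an added example that is not part of the thread: Vladimir's quota rule counts bytes globally, and Peter asks how to make the block per-IP and time-limited. One way to get both with stock netfilter is per-source accounting rules plus the recent match. The script below assumes a hypothetical HTTP_ACCT accounting chain on the LVS director (one rule per client source) and a standing DROP rule with `-m recent --rcheck --seconds 86400`; the counter output it parses is constructed, and it prints the commands it would run rather than executing them.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds source IPs whose per-IP byte
# counters exceed a quota and emits the command that puts each one on an
# xt_recent list; a standing rule on the director then drops their port-80
# traffic until the entry is older than --seconds, giving the "block for a day".
#
# Assumed (hypothetical) setup on the LVS director:
#   iptables -N HTTP_ACCT
#   iptables -I INPUT -p tcp --dport 80 -j HTTP_ACCT
#   iptables -A HTTP_ACCT -s 203.0.113.7 -j RETURN        # one rule per client
#   iptables -I INPUT -p tcp --dport 80 -m recent --name abusers \
#            --rcheck --seconds 86400 -j DROP              # timed block, 24h
# Counters come from `iptables -nvxL HTTP_ACCT`; `iptables -Z HTTP_ACCT` from
# a daily cron job resets them, so the quota is "per day".

QUOTA_BYTES=${QUOTA_BYTES:-1073741824}   # 1 GiB, the limit from the thread
RECENT_LIST=${RECENT_LIST:-/proc/net/xt_recent/abusers}  # /proc/net/ipt_recent/ on old kernels

# over_quota LIMIT: read `iptables -nvxL` output on stdin, print "source bytes"
# for every counter row whose byte count exceeds LIMIT.
over_quota() {
    awk -v limit="$1" '
        # counter rows: pkts bytes target prot opt in out source destination
        $1 ~ /^[0-9]+$/ && $2 > limit { print $8, $2 }
    '
}

# block_cmds: for each "source bytes" line on stdin, print (not run) the
# command that adds the source to the recent list, so the list can be reviewed.
block_cmds() {
    while read -r ip _bytes; do
        printf 'echo +%s > %s\n' "$ip" "$RECENT_LIST"
    done
}

# Constructed sample of `iptables -nvxL HTTP_ACCT` output (not real traffic).
SAMPLE='Chain HTTP_ACCT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345   52428800 RETURN     tcp  --  *      *       198.51.100.20        0.0.0.0/0
  987654 1610612736 RETURN     tcp  --  *      *       203.0.113.7          0.0.0.0/0
     800     409600 RETURN     tcp  --  *      *       192.0.2.44           0.0.0.0/0'

# Demo: only 203.0.113.7 (1.5 GiB) is over the 1 GiB quota.
printf '%s\n' "$SAMPLE" | over_quota "$QUOTA_BYTES" | block_cmds
```

This only makes the block per-source and timed; as Peter notes, a client that changes its address starts from a fresh counter, which no per-IP rule can prevent.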