I am trying to rate limit a particular user/ip's news traffic and have added the line

    ACCEPT loc:10.5.75.253 net tcp 119 - - 1/sec:2

While this has slowed down the traffic, it has not throttled it to the point I would like.

Yet with a sniffer I can see around 15 packets a second going thru. My T1 is close to saturation, and I would like to slow the news connection down to a trickle.

I am using shorewall 2.0.13.

Any pointers would be appreciated.

________________________________________
Steve Postma
Systems Administrator
781-994-1200
spostma@travizon.com
Travizon, Inc. | Working to Bring People Together
http://www.travizon.com

Steve Postma wrote:
> I am trying to rate limit a particular user/ip's news traffic and have
> added the line
>
> ACCEPT loc:10.5.75.253 net tcp 119 - - 1/sec:2
>
> While this has slowed down the traffic, it has not throttled it to the
> point I would like.
>
> Yet with a sniffer I can see around 15 packets a second going thru.

Packets != New connections.

Shorewall rate limiting throttles new connections, not packets. Perhaps you should investigate a traffic shaping solution -- that's a better way to attack this problem.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Steve Postma wrote:
>
>> I am trying to rate limit a particular user/ip's news traffic and have
>> added the line
>>
>> ACCEPT loc:10.5.75.253 net tcp 119 - - 1/sec:2
>>
>> While this has slowed down the traffic, it has not throttled it to the
>> point I would like.
>>
>> Yet with a sniffer I can see around 15 packets a second going thru.
>
> Packets != New connections.
>
> Shorewall rate limiting throttles new connections, not packets.

Besides, if your loc->net policy is ACCEPT or if there is a later Usenet ACCEPT rule then the above rule has absolutely no effect at all.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
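
Added example, not part of the thread and not Shorewall code: a small Python simulation of the two points made in the replies above, namely that a `1/sec:2` limit counts new connections rather than packets, and that a packet over the limit falls through to the policy. The token-bucket model, the `filter_trace` helper and both packet traces are constructed assumptions for illustration.

```python
class TokenBucket:
    """Simplified model of a '1/sec:2' limit: 1 token/sec refill, burst of 2."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_trace(trace, policy="REJECT", rate=1.0, burst=2):
    """trace: (time_sec, conn_id) packets in time order.
    Returns (packets_passed, connections_accepted)."""
    bucket = TokenBucket(rate, burst)
    established = set()
    passed = 0
    for now, conn in trace:
        if conn in established:
            passed += 1  # established traffic never reaches the limited rule
            continue
        # New connection: the limited ACCEPT rule is tried first; a packet
        # over the limit falls through to the policy (or a later rule).
        within_limit = bucket.allow(now)
        if within_limit or policy == "ACCEPT":
            established.add(conn)
            passed += 1
    return passed, len(established)


# Constructed traces (hypothetical, not captured traffic).
ONE_CONN = [(i / 15, "nntp-1") for i in range(150)]       # 15 pkt/s for 10 s
MANY_CONNS = [(i * 0.1, f"conn-{i}") for i in range(10)]  # 10 new conns in 1 s

if __name__ == "__main__":
    print("one connection, 15 pkt/s:", filter_trace(ONE_CONN))
    print("10 new connections, policy REJECT:", filter_trace(MANY_CONNS))
    print("10 new connections, policy ACCEPT:",
          filter_trace(MANY_CONNS, policy="ACCEPT"))
```

A single long-lived NNTP connection passes every packet untouched, which matches the 15 packets a second seen on the sniffer; only the count of new connections is affected, and only when the policy does not accept the overflow anyway.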