I am trying to rate limit a particular user/ip's news traffic and have
added the line

ACCEPT loc:10.5.75.253 net tcp 119 - - 1/sec:2

While this has slowed down the traffic, it has not throttled it to the
point I would like.
Yet with a sniffer I can see around 15 packets a second going thru. My
T1 is close to saturation, and I would like to slow the news connection
down to a trickle.
I am using shorewall 2.0.13
Any pointers would be appreciated.
________________________________________
Steve Postma
Systems Administrator
781-994-1200
spostma@travizon.com
Travizon, Inc. | Working to Bring People Together
http://www.travizon.com

Steve Postma wrote:
> I am trying to rate limit a particular user/ip's news traffic and have
> added the line
>
> ACCEPT loc:10.5.75.253 net tcp 119 - - 1/sec:2
>
> While this has slowed down the traffic, it has not throttled it to the
> point I would like.
>
> Yet with a sniffer I can see around 15 packets a second going thru.

Packets != New connections.

Shorewall rate limiting throttles new connections, not packets. Perhaps you
should investigate a traffic shaping solution -- that's a better way to
attack this problem.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Steve Postma wrote:
>
>> I am trying to rate limit a particular user/ip's news traffic and have
>> added the line
>>
>> ACCEPT loc:10.5.75.253 net tcp 119 - - 1/sec:2
>>
>> While this has slowed down the traffic, it has not throttled it to the
>> point I would like.
>>
>> Yet with a sniffer I can see around 15 packets a second going thru.
>
> Packets != New connections.
>
> Shorewall rate limiting throttles new connections, not packets.

Besides, if your loc->net policy is ACCEPT or if there is a later Usenet
ACCEPT rule then the above rule has absolutely no effect at all.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
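
The distinction drawn in the two replies above, as an added example that is not part of the original thread: a simplified Python model of a 1/sec:2 limit applied only to connection-opening packets, with over-limit attempts falling through to the policy. The class, function names and packet samples are constructed for illustration and are not Shorewall or netfilter code.

```python
# Simplified model of a rate-limited ACCEPT rule (illustrative assumption,
# not Shorewall or netfilter code). Only connection-opening packets reach it.

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate            # tokens refilled per second ("1/sec")
        self.burst = burst          # bucket capacity (":2")
        self.tokens = float(burst)  # bucket starts full
        self.last = 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run(packets, policy):
    """packets: (time_sec, opens_connection) tuples; policy: 'ACCEPT' or 'DROP'.
    Returns (connections_allowed, packets_passed)."""
    bucket = TokenBucket(rate=1.0, burst=2)
    conns = passed = 0
    for now, opens_connection in packets:
        if not opens_connection:
            passed += 1             # established traffic bypasses the rule
            continue
        within_limit = bucket.allow(now)
        # Over-limit attempts fall through to later rules or the policy.
        if within_limit or policy == "ACCEPT":
            conns += 1
            passed += 1
    return conns, passed


# Constructed sample: one connection opened at t=0, then 15 packets/sec for 3 s.
ONE_STREAM = [(0.0, True)] + [(i / 15, False) for i in range(1, 46)]
# Constructed sample: 10 connection attempts inside one second.
MANY_OPENS = [(i / 10, True) for i in range(10)]

if __name__ == "__main__":
    print(run(ONE_STREAM, "DROP"))     # the single stream is untouched
    print(run(MANY_OPENS, "DROP"))     # only the burst gets through
    print(run(MANY_OPENS, "ACCEPT"))   # the policy accepts the overflow
```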