Subject: Re: FTPD: disallowing concurrent connections from same IP
To: John Maier <jmaier@midamerica.net>
From: Richard Rauch <rkr@olib.org>
List: netbsd-users
Date: 02/20/2003 09:01:03
Re. http://mail-index.netbsd.org/netbsd-users/2003/02/19/0024.html

I've been reading this thread and pondering.

It seems to me that what people really are hoping for is to roughly
divide bandwidth per user.  Failing that, they then want to make *two*
changes to this wish and call that a (semi) ideal solution: Limit
connections per IP.

In the very limited case (small, closed user population, anonymous FTP,
and a host that is acting somewhat unofficially and doesn't want to
impinge on the company network for a personal server), this is perhaps
an okay solution.

But, if something were to be added to the NetBSD ftpd to help with this,
I think that connections-per-IP isn't at all desirable.  Instead, it
might be better to give out shares of bandwidth to IP numbers.  This
has the following benefits over limiting connections: You *don't* blow
off users just because someone behind the same firewall (or on the same
remote host) is already using your server.  "Accelerators" can help
maximize the use of intervening connections.  Similarly, multiple
simultaneous downloads of separate files can improve the use of the
connection.

Back in my dial-up days, I would often build multiple packages
concurrently to minimize the amount of time that my modem was idle
while something was building.  Due to the web of dependencies, this
often meant that each immediate target resulted in a chain of others
being built, so that it was not uncommon to see some of the build
processes concurrently downloading.  Sometimes even from the same
server.  My whole connection was throttled to dial-up speeds,
anyway, so this didn't let me get an "unfair" advantage over anyone.
It did let me make better use of my connection, though.

(Downloading over a dial-up often took approximately as long as
the rest of the build process on an 800MHz Athlon.  And both took
non-trivial time for most packages.  At one time I was sup'ping pkgsrc
fairly often and tracking it, so saving this time made a significant
difference in how high a percentage of the time my own computer was
"usable".)

I.e., I think that "shares per IP" is more generally useful than
"connections per IP" (and even for the special cases that raised this
topic, it would work at least as well---maybe better).


An alternative for people who want to suppress "download accelerators"
is to just remove the "REST" command from your personal copies of ftpd.
I bet that, in your small, specialized group, you never actually had
a user who *needed* it, but only use it for their "accelerators".


Just my random thoughts.  (^&

-- 
  "I probably don't know what I'm talking about."  --rkr@olib.org
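
Added example, not part of the original message and not NetBSD ftpd code: a C sketch of the two policies the message contrasts, a connections-per-IP admission check next to a shares-per-IP rate split. The function names, the sample addresses (documentation ranges) and the even split across addresses are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: client address of each active transfer.
 * 192.0.2.10 runs an "accelerator" with three connections. */
static const char *const sample_conns[] = {
    "192.0.2.10", "192.0.2.10", "192.0.2.10", "198.51.100.7",
};

/* Connections in conns[0..n) that come from address ip. */
static size_t conns_from(const char *const *conns, size_t n, const char *ip)
{
    size_t i, count = 0;
    for (i = 0; i < n; i++)
        if (strcmp(conns[i], ip) == 0)
            count++;
    return count;
}

/* Distinct client addresses in conns[0..n). */
static size_t distinct_ips(const char *const *conns, size_t n)
{
    size_t i, count = 0;
    for (i = 0; i < n; i++)
        if (conns_from(conns, i, conns[i]) == 0)  /* first time seen */
            count++;
    return count;
}

/* Connections-per-IP policy: 1 = accept the new connection, 0 = refuse.
 * A second user behind the same NAT address is refused like an accelerator. */
int admit_conn_limit(const char *const *conns, size_t n,
                     const char *new_ip, size_t max_per_ip)
{
    return conns_from(conns, n, new_ip) < max_per_ip;
}

/* Shares-per-IP policy (hypothetical): nobody is refused. The budget is
 * split evenly across distinct addresses, then across each address's own
 * connections. Returns the rate for connection idx, in total_rate's unit. */
double rate_shares_per_ip(const char *const *conns, size_t n,
                          size_t idx, double total_rate)
{
    if (idx >= n)
        return 0.0;
    return total_rate / (double)distinct_ips(conns, n)
                      / (double)conns_from(conns, n, conns[idx]);
}
```

With the sample table and a budget of 120000 bytes/s, each accelerator connection gets a third of its address's half, while the single connection from the other address keeps its full half.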