Subject: Re: FTPD: disallowing concurrent connections from same IP
To: Jim Breton <jamesb-netbsd@alongtheway.com>
From: John Maier <jmaier@midamerica.net>
List: netbsd-users
Date: 02/20/2003 09:03:47
> How have you dealt with clients using passive mode?  i.e., they can
> connect to any of a number of high ports (which you may have narrowed with
> your ftpd configuration), did you put limits on each of those ports?  Or
> are you not allowing passive transfers?

Well, first a big *Kudos* to the Alpha port guys for making such a solid NetBSD
port!
I'm doing this all off my DEC Alphastation 3000/300 with 256M (150Mhz).

This is a simplified version of my altq.conf:
#--------------------------------------------------------------------------
class cbq le0 tcp root pbandwidth 15 default  #<<< Catch all ports not explicitly defined.
 filter le0 tcp 0 0 0 0 6 # other tcp traffic
# filter le0 tcp 0 0 0 20 6 # ftp-data (non-pasv) caught by default
#--------------------------------------------------------------------------
class cbq le0 ftp root borrow pbandwidth 5 red
 filter le0 ftp 0 0 0 21 6 # ftp
#--------------------------------------------------------------------------
class cbq le0 other root borrow pbandwidth 69 red
 filter le0 other 0 0 0 80 6 # http
 filter le0 other 0 80 0 0 6 # http
 filter le0 other 0 23 0 0 6 # telnet
 filter le0 other 0 0 0 0 1 # icmp
 filter le0 other 0 0 0 0 17 # udp

The 'default' rule catches all tcp ports that are not explicitly defined in
the 'other' class.  So a passive connection port falls into the default
'tcp' class.

Let me stress, altq works (for me)!  I let it run all night and opened up
unlimited FTP connections...

Running MRTG/STG against my trusty Bay Networks Switch shows a sustained rate
of 1.23 Mbits/sec, perfectly flat, and 45 FTP connections (*several* duplicate
IPs..hehe).

So I did a "kill `cat /var/run/altqd.pid`" (note: /etc/rc.d/altqd
stop/restart DOES NOT WORK)
and instantly STG jumped to 6.4 Mbits/sec, then I got the "WARNING: mclpool
limit reached; increase NMBCLUSTERS" message, it was great!  (I forgot to
add options NMBCLUSTERS=2048 to the kernel, oops! A quick kernel patch fixed
it.)
Interestingly, CPU utilization went from 80-90% idle to 30-40% idle.  ALTQ
actually helps on CPU utilization!

I started altqd: an instant flat line at 1.23 Mbits/sec.

I have a rather good testing ground to work with here, with so many users
connecting.



John Maier - Administrator
Midamerica Internet Services
573-446-8881
http://www.midamerica.net
ICQ: 38643380 - Yahoo: toolboy1968 - MSN: jmaier_isg
/=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=\
/ Nothing great was ever achieved without
/ enthusiasm. --- Ralph Waldo Emerson
/=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=\
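To make the classification John describes concrete (explicit filters grab FTP control, HTTP, telnet, ICMP and UDP; a passive-mode data port matches nothing specific and falls into the 'default' tcp class), here is an added example, not John's code and not ALTQ's real classifier, that reads the filter lines from the post and sorts a few constructed flows into classes. It assumes a simplified rule: the most specific matching filter wins, ties go to file order, and a flow matching no filter lands in the class marked 'default'; check altq.conf(5) and the ALTQ source before relying on that ordering for a real policy.

```python
"""Simplified model of altq.conf filter classification (added example, not ALTQ itself).

Filter fields are: dst_addr dport src_addr sport proto, where 0 means 'any'.
ASSUMPTION: most specific matching filter wins; unmatched flows go to the default class.
"""
from dataclasses import dataclass

# Class and filter lines copied from the post (comments dropped).
ALTQ_CONF = """\
class cbq le0 tcp root pbandwidth 15 default
 filter le0 tcp 0 0 0 0 6
class cbq le0 ftp root borrow pbandwidth 5 red
 filter le0 ftp 0 0 0 21 6
class cbq le0 other root borrow pbandwidth 69 red
 filter le0 other 0 0 0 80 6
 filter le0 other 0 80 0 0 6
 filter le0 other 0 23 0 0 6
 filter le0 other 0 0 0 0 1
 filter le0 other 0 0 0 0 17
"""

@dataclass(frozen=True)
class Filter:
    cls: str
    fields: tuple  # (dst, dport, src, sport, proto); None means wildcard

    def matches(self, flow):
        return all(f is None or f == v for f, v in zip(self.fields, flow))

    def specificity(self):
        return sum(f is not None for f in self.fields)

def parse_altq_conf(text):
    """Return (filters, default_class_name) from class/filter lines."""
    filters, default = [], None
    for line in text.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] == "class" and "default" in tok:
            default = tok[3]
        elif tok and tok[0] == "filter":
            _, _iface, cls, dst, dport, src, sport, proto = tok[:8]
            filters.append(Filter(cls, (None if dst == "0" else dst, int(dport) or None,
                                        None if src == "0" else src, int(sport) or None,
                                        int(proto) or None)))
    return filters, default

def classify(filters, default, *flow):
    """Pick the most specific matching filter; fall back to the default class."""
    best = None
    for f in filters:
        if f.matches(flow) and (best is None or f.specificity() > best.specificity()):
            best = f
    return best.cls if best else default

CLIENT, SERVER = "198.51.100.7", "203.0.113.10"  # constructed RFC 5737 addresses
SAMPLE_FLOWS = {  # constructed flows as seen on le0: (dst, dport, src, sport, proto)
    "ftp control (server->client)": (CLIENT, 40001, SERVER, 21, 6),
    "pasv data (server->client)":   (CLIENT, 40002, SERVER, 49500, 6),
    "http reply (server->client)":  (CLIENT, 40003, SERVER, 80, 6),
    "dns (udp)":                    (SERVER, 53, CLIENT, 40004, 17),
    "gre (matches no filter)":      (SERVER, 0, CLIENT, 0, 47),
}

def classify_samples():
    filters, default = parse_altq_conf(ALTQ_CONF)
    return {name: classify(filters, default, *flow) for name, flow in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, cls in classify_samples().items():
        print(f"{name:30} -> class {cls}")
```

The passive data flow and the GRE flow both end up in the 15% 'tcp' class, which is why passive transfers stay capped even though no filter names their ports.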