linux firewalling

Warren Togami warren at togami.com
Sat Apr 14 14:15:56 PDT 2001


The Linux 2.2 kernel has a traffic shaping device, allowing you to make virtual
network interfaces (i.e. /dev/shaper0) and set a rate limit.  However, this
feature is very limited in that you can only specify upstream bandwidth
limits (last I looked), and an entire program must be told to use that
network interface.

The Linux 2.4 kernel replaced ipchains with iptables (Netfilter), and there is
much more elegant traffic shaping and rate throttling available within the
chains themselves.  You can create chains and sub-chains to give fine-grained
rate limits on a per-protocol, per-host or per-subnet basis.  You
can also use QoS and the (old) traffic shaper device for more flexibility.
Kernel 2.4 also has stateful inspection, bringing the routing/firewall code
to par with BSD ipfilter.  On Mid-Pac campus we will use this Netfilter rate
limiting to dedicate bandwidth to our e-mail servers, in order to be sure
that campus e-mail is always available (a must) even during heavy network
usage.

Here is a really nice configuration tool for Netfilter.  One of their
screenshots near the middle shows an example of sub-chains and rate limiting
on a specific protocol.
http://users.pandora.be/stes/ipmenu.html

Warren Togami
warren at togami.com
MPLUG Community Support Forums
http://forum.mplug.org

----- Original Message -----
From: "Robert Buecker" <rbuecker at darkscape.net>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Saturday, April 14, 2001 10:44 AM
Subject: [luau] linux firewalling


> Does anyone know if ipchains has any rate limiting capabilities similar to
> freebsd ipfw?  I haven't really been able to find anything similar. And if
> not, do you know if ipfw source is floating around out there somewhere that
> can be compiled for linux?
>
> -- Robert
>
>
>
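
The sub-chain and rate-limit layout described in the reply above, as an added example that is not part of the original message or of any real campus configuration. It only prints an `iptables-restore` ruleset and does not touch the running firewall; note that the `limit` match counts packets per time unit, not bytes. The addresses, chain names and rates are all constructed assumptions.

```shell
#!/bin/sh
# Added example: prints a ruleset in iptables-restore format.
# Every address, chain name and rate below is a constructed assumption.

MAIL_SERVER="192.0.2.25"      # assumed mail server (documentation range)
LAB_SUBNET="198.51.100.0/24"  # assumed lab subnet (documentation range)

line() { printf '%s\n' "$*"; }

# limit_chain NAME RATE BURST
# Sub-chain body: packets within RATE return to the calling chain and keep
# going down FORWARD; packets over the token bucket are dropped.
limit_chain() {
    line "-A $1 -m limit --limit $2 --limit-burst $3 -j RETURN"
    line "-A $1 -j DROP"
}

emit_ruleset() {
    line "*filter"
    line ":INPUT ACCEPT [0:0]"
    line ":FORWARD DROP [0:0]"
    line ":OUTPUT ACCEPT [0:0]"
    line ":LIM_ICMP - [0:0]"
    line ":LIM_WEB - [0:0]"
    line ":LIM_LAB - [0:0]"
    # SMTP to the mail server and its replies match first, so mail never
    # reaches a limit chain.
    line "-A FORWARD -p tcp -d $MAIL_SERVER --dport 25 -j ACCEPT"
    line "-A FORWARD -p tcp -s $MAIL_SERVER --sport 25 -j ACCEPT"
    # Per-protocol and per-subnet dispatch into the sub-chains.
    line "-A FORWARD -p icmp -j LIM_ICMP"
    line "-A FORWARD -p tcp --dport 80 -j LIM_WEB"
    line "-A FORWARD -s $LAB_SUBNET -j LIM_LAB"
    # Stateful inspection: whatever survived the limits is accepted unless
    # connection tracking marks it INVALID (falls through to policy DROP).
    line "-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    limit_chain LIM_ICMP 5/second 10
    limit_chain LIM_WEB 200/second 400
    limit_chain LIM_LAB 100/second 200
    line "COMMIT"
}

# To load the output (as root): sh this-script.sh | iptables-restore
emit_ruleset
```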


