dante   Frontpage - Dante - Download - Status - Support - Modules - Docs - Links - Survey
 

Bandwidth limits

This page describes how to do use Dantes bandwidth module to control client bandwidth usage at the SOCKS server.

The official BSD licensed distribution of Dante includes a SOCKS server with all functionality required to interact with SOCKS clients. Some additional functionality is however offered as modules that can be purchased separately. The bandwidth module controls bandwidth usage.

Bandwidth limitation is configured in the socks pass statements in the server configuration file. As a result, they can be used in combination with other keywords that are available in these rules, including source and destination addresses, protocols, and authentication information such as user and group identities. Typical usage scenarios include limiting the resources available to different users or services.

Bandwidth limitation

The bandwidth keyword is used to specify the upper limit on bandwidth in bytes per second. This keyword is added in socks pass rules, in order to impose an upper limit on bandwidth for all matching communication.

Port (service) based limitation

#limit the bandwidth of ongoing HTTP connections
socks pass {  
        from: 0.0.0.0/0 to: 0.0.0.0/0 port http
        command: connect
        log: error # connect disconnect iooperation
	bandwidth: 102400 #100kbps
}

#generic pass statement for the other sessions, with no bandwidth limit.
socks pass {  
        from: 0.0.0.0/0 to: 0.0.0.0/0
	command: bind connect udpassociate
        log: error # connect disconnect iooperation
}

The example above shows how bandwidth of HTTP traffic can be limited. The rule uses the port number to classify sessions as being HTTP sessions; connections to HTTP servers running on different ports will not be included or limited. Conversely, clients that use HTTP port for other purposes will similarly be classified as using HTTP.

The second socks pass statement matches all other sessions, ensuring that no limitations are placed on other services.

socks pass {
   from: 0.0.0.0/0 to: 10.0.0.2/32
   command: bindreply udpreply
   bandwidth: 10240 #10kbps
}

To limit traffic over connections made to a bound port, a limit can be placed on the bindreply and udpreply commands. In the example above, all traffic going to the internal machine 10.0.0.2, via ports bound with bind or udpassociate, will be rate limited. Note that a separate rule will be needed to limit traffic going in the opposite direction, from 10.0.0.2 to external machines.

User based limitation

#limit the number of sessions from a group of users.
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
	group: badusers
	socksmethod: authmethod
        bandwidth: 102400 #100kbps
}

#generic pass statement - bind/outgoing traffic
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
        bandwidth: 1024000 #1mbps
	socksmethod: authmethod
}

The user and group keywords can be used along with authentication to limit bandwidth for specific sets of users. The second pass statement allows a higher limit for all other users.


Copyright © 1998-2017 Inferno Nettverk A/S