Bandwidth limits
This page describes how to use Dante's
bandwidth module to control client bandwidth usage at the
SOCKS server.
The official BSD licensed distribution of Dante includes a SOCKS
server with all functionality required to interact with SOCKS
clients. Some additional functionality is however offered
as modules that can be purchased
separately. The bandwidth module controls bandwidth
usage.
Bandwidth limitation is configured in the
socks pass statements in the server configuration file. As
a result, they can be used in combination with other keywords that
are available in these rules, including source and destination
addresses, protocols, and authentication information such as user
and group identities. Typical usage scenarios include limiting the
resources available to different users or services.
Bandwidth limitation
The bandwidth keyword specifies the upper limit
on bandwidth in bytes per second (not bits per second). It is added
to socks pass rules to impose an upper limit on bandwidth for all
communication matching the rule; the limit is shared by all
sessions the rule matches, not granted to each client separately.
Because Dante uses the first rule that matches a session, a
limited rule must be placed before any broader rule that would
also match the same sessions.
Port (service) based limitation
#limit the bandwidth of ongoing HTTP connections
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0 port http
command: connect
log: error # connect disconnect iooperation
bandwidth: 102400 #100 KB/s (bytes per second, about 800 kbit/s)
}
#generic pass statement for the other sessions, with no bandwidth limit.
#It must come after the limited rule, since the first matching rule is used.
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bind connect udpassociate
log: error # connect disconnect iooperation
}
The example above shows how the bandwidth of HTTP traffic can be
limited. The rule uses the destination port to classify sessions as
HTTP sessions; connections to HTTP servers running on
other ports will not be matched or limited. Conversely,
clients that use the HTTP port for other purposes will be
classified as HTTP and limited all the same.
The second socks pass statement matches all other
sessions, so no limitation is placed on other
services. It must follow the HTTP rule: placed first, it would
match the HTTP sessions as well, and the limit would never apply.
socks pass {
from: 0.0.0.0/0 to: 10.0.0.2/32
command: bindreply udpreply
bandwidth: 10240 #10 KB/s (bytes per second, about 80 kbit/s)
}
To limit traffic over connections made to a bound port, a limit can
be placed on the bindreply and udpreply
commands. In the example above, all traffic going to the internal
machine 10.0.0.2 via ports bound with bind
or udpassociate is rate limited. Note that a
separate rule is needed to limit traffic going in the opposite
direction, from 10.0.0.2 to external machines; this rule alone
leaves that direction unlimited.
User based limitation
#limit the bandwidth available to a group of users.
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bind connect udpassociate
log: error # connect disconnect iooperation
group: badusers
socksmethod: username # must be a method that authenticates a user name
bandwidth: 102400 #100 KB/s (bytes per second, about 800 kbit/s)
}
#generic pass statement - bind/outgoing traffic
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bind connect udpassociate
log: error # connect disconnect iooperation
bandwidth: 1024000 #1000 KB/s (bytes per second, about 8 Mbit/s)
socksmethod: username
}
The user and group keywords can be used along
with authentication to limit bandwidth for specific sets of users.
Both rules require a socksmethod that produces an authenticated
user name, since user and group matching depends on it.
The second pass statement allows a higher limit for all other
users; as with any bandwidth rule, that limit is shared by every
session the rule matches.
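The three pitfalls described on this page (the bytes-versus-bits unit of the bandwidth keyword, a limited rule placed after a catch-all rule that shadows it, and a bindreply/udpreply limit with no rule for the opposite direction) can all be caught by reading the configuration before deploying it. The following linter is an added example written for this page; it is not part of Dante and does not use Dante's own parser. It understands only the subset of sockd.conf syntax shown above (the keyword list in KEYWORDS is an assumption), treats a rule without a command keyword as matching every command (also an assumption), and applies Dante's first-match rule evaluation to detect shadowing. The sample rules embedded at the bottom are constructed from the examples on this page.

```python
"""Lint the 'socks pass' rules of a Dante sockd.conf for bandwidth-limit pitfalls.

Added example, not Dante's own code: parses the rule syntax used on this page
and reports, for every bandwidth-limited rule, the limit in both B/s and
kbit/s, whether an earlier catch-all rule shadows it (Dante uses the first
matching rule), and whether a bindreply/udpreply limit has no outbound
counterpart.
"""
import re
from typing import Dict, List

# Keywords recognised inside a rule block (a subset of sockd.conf; assumption).
KEYWORDS = ("from", "to", "command", "bandwidth", "user", "group",
            "socksmethod", "method", "log", "protocol")
RULE_RE = re.compile(r"(client|socks)\s+(pass|block)\s*\{(.*?)\}", re.S)
KEY_RE = re.compile(r"\b(%s)\s*:" % "|".join(KEYWORDS))
ALL_CMDS = {"bind", "connect", "udpassociate", "bindreply", "udpreply"}
ANY_ADDR = "0.0.0.0/0"


def strip_comments(text: str) -> str:
    """Drop everything after '#' on each line."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_rules(conf: str) -> List[Dict]:
    """Return one dict per rule, in file order (order matters to Dante)."""
    rules = []
    for m in RULE_RE.finditer(strip_comments(conf)):
        body = m.group(3)
        keys = list(KEY_RE.finditer(body))
        fields = {}
        for i, k in enumerate(keys):  # value runs until the next keyword
            end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
            fields[k.group(1)] = body[k.end():end].split()
        to_tokens = fields.get("to", [])
        port = None
        if "port" in to_tokens:  # e.g. "port http" or "port eq 80"
            port = " ".join(to_tokens[to_tokens.index("port") + 1:])
        bw = fields.get("bandwidth")
        rules.append({
            "kind": f"{m.group(1)} {m.group(2)}",
            "from": (fields.get("from") or [None])[0],
            "to": (to_tokens or [None])[0],
            "port": port,
            # No 'command' keyword is treated as matching every command (assumption).
            "command": set(fields.get("command") or ALL_CMDS),
            "user": fields.get("user", []),
            "group": fields.get("group", []),
            "bandwidth": int(bw[0]) if bw else None,
        })
    return rules


def is_catch_all(rule: Dict) -> bool:
    """Any source, any destination, any port, no user/group restriction."""
    return (rule["from"] == ANY_ADDR and rule["to"] == ANY_ADDR
            and rule["port"] is None and not rule["user"] and not rule["group"])


def lint(conf: str) -> List[str]:
    """Findings for every bandwidth-limited 'socks pass' rule, in file order."""
    findings = []
    rules = [r for r in parse_rules(conf) if r["kind"] == "socks pass"]
    for i, r in enumerate(rules, 1):
        if r["bandwidth"] is None:
            continue
        findings.append(f"rule {i}: limit {r['bandwidth']} B/s"
                        f" = {r['bandwidth'] * 8 / 1000:g} kbit/s")
        # First match wins: an earlier catch-all covering the same commands
        # means this rule, and its limit, are never reached.
        for j, earlier in enumerate(rules[:i - 1], 1):
            if is_catch_all(earlier) and r["command"] <= earlier["command"]:
                findings.append(f"rule {i}: shadowed by catch-all rule {j};"
                                " the limit never applies (first match wins)")
        replies = r["command"] & {"bindreply", "udpreply"}
        if replies and not r["command"] & {"connect", "bind", "udpassociate"}:
            findings.append(f"rule {i}: limits only reply traffic to {r['to']};"
                            " traffic the other way needs its own rule")
    return findings


# Constructed samples, taken from the examples on this page.
HTTP_RULE = """socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0 port http
    command: connect
    log: error # connect disconnect iooperation
    bandwidth: 102400 #100 KB/s
}
"""
GENERIC_RULE = """socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate
    log: error
}
"""
REPLY_RULE = """socks pass {
    from: 0.0.0.0/0 to: 10.0.0.2/32
    command: bindreply udpreply
    bandwidth: 10240 #10 KB/s
}
"""

if __name__ == "__main__":
    for name, conf in (("page order", HTTP_RULE + GENERIC_RULE),
                       ("generic rule first", GENERIC_RULE + HTTP_RULE),
                       ("reply rule alone", REPLY_RULE)):
        print(name)
        for finding in lint(conf):
            print("  " + finding)
```

Run it against a real sockd.conf by reading the file into lint(); a "shadowed" finding means the limited rule should be moved above the catch-all, and a "reply traffic" finding means a second rule with a bandwidth keyword is needed for the outbound direction. Rules that carry user or group keywords are never treated as catch-alls, so the user-based example above produces no shadowing finding.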