Topic: Limit bandwidth for httpd

[Sören Steinmetz]

I've read and searched, and don't see how to do this:

I got my server as server-only,
my router is forwarding port 80 to the server,
internal I use the httpd as well.

Net 100 Mbit/s
dsl (via router) 1024Kbis down/ 512Kbit up

I want to limit the outgoing bandwidth on the dsl to
only use 256Kbit, keeping the remaining 256Kbit free for the workstations.

The bandwidth restriction should be made on httpd and ftpd on the server.

Is there a way to do that ?

[Jens Kruuse]

A good place to start:
http://www.e-smith.org/bboard//read.php?f=1&i=29717&t=17583&v=f

Also, look for rpms to cover some of the QoS/cbq stuff.

But you should *never* put a server meant for LAN use on the Internet. The firewall only protects the server on the external interface. Routing is not quite sufficient. If you don't care to use the squid etc. you can just set up the server to be a server/gateway and ignore the internal interface (NIC).

Btw, I used to do the same but was gently persuaded to switch by a Mitel tech during a security issue case (no, I was not hacked). The switch is done by going into the Admin interface on the console ... and switching the role. It is *that* simple.

/Jens

[Ed Form]

Jens Kruuse wrote:

> But you should *never* put a server meant for LAN use on the
> Internet. The firewall only protects the server on the
> external interface. Routing is not quite sufficient. If you
> don't care to use the squid etc. you can just set up the
> server to be a server/gateway and ignore the internal
> interface (NIC).
>
> Btw, I used to do the same but was gently persuaded to switch
> by a Mitel tech during a security issue case (no, I was not
> hacked). The switch is done by going into the Admin interface
> on the console ... and switching the role. It is *that*
> simple.

This seems to fly in the face of the advertised reason for the existence of SME.

Ed Form

[matt avila]

I have seen requests like this in the past and it was partially answered by using a package calle wondershaper. I let "friends and family" connect via ssh adn thet was sucking all the bandwidt up, so limiting upload was a necessity.

Wondershaper is configurable by ip address, port, and the like. Do a google on wondershaper and take a look.

regards

[Jens H. Kruuse]

>This seems to fly in the face of the advertised reason for the existence of SME.

>Ed Form

Which part? Using the server for external services only? You can certainly do that by ignoring the other services and have just the external NIC connected to anything. It is still a wonderful templated and secure web/ftp server. But limited, of course.

If you mean switching roles, reporting a security issue, or advising against using an insecure server on a public net, I don't know why you think Mitel would disagree with me.

/Jens

[Bill]

I run with bandwidth limiting. The way I did it was to install a IPcop firewall between the internet and the SME box. The latest IPcop beta has a good bandwidth managent feature that works quite well. You get full bandwidth on the local network and good interet access control and a first rate firewall to boot. Just forward the ports you need to the sme box.  Of course that means you need to run another computer with 2 nics.

[Ed Form]

Jens H. Kruuse wrote:
>
> >This seems to fly in the face of the advertised reason for
> the existence of SME.
>
> >Ed Form
>
> Which part? Using the server for external services only? You
> can certainly do that by ignoring the other services and have
> just the external NIC connected to anything. It is still a
> wonderful templated and secure web/ftp server. But limited,
> of course.

I meant that the original literature, and the user manuals, for SME represent it as a one-piece solution for a workgroup, able to provide file, print, mail, and web-server functionality, and having a solid and secure firewall between the world and the internal network. If this isn't true, rather a lot of folks are going to be disillusioned. If Mitel staff are privately suggesting that it isn't true, I'm amazed. If the many highly experienced folk who have defended SME's firewall as not needing to be beefed up with an external firewall system are wrong, I'm even more amazed.

Ed Form

[Nathan Fowler]

I use mod_bandwidth, works great for static content, however, it doesn't work on dynamic content.

[Jens Kruuse]

I see the confusion/misunderstanding here, Ed. My comment to Søren was directed at his "Server-only" use. *That* is not secured by an internal firewall!

For reference, see: http://www.e-smith.org/docs/papers/smeserver-security.html#role

"The SME Server can be configured in either of two modes of operation. In server-only mode, the SME Server operates as a standalone server on a local network and provides file and network services to all systems on that network. In server and gateway mode, the SME Server is configured with one network connection to the local network and a second connection to the Internet. In addition to providing file and network services to the local network, it also acts as a gateway allowing the entire local network to access the Internet."

Or http://edocs.mitel.com/6000_SME_Server/6000_MAS_rls5.6/Tech_Handbook_html_EN/operationmode.html#option3

"5.9.3. Option 3: Server-Only Mode

Server-only mode is appropriate if you do not wish to use the gateway capabilities of your server. In this configuration, the server does not connect directly to the outside world (although it may connect indirectly through your firewall or another server).

Warning: Because the server "trusts" the local network to be secure in server-only mode, it must be behind a firewall of some type."

Cheers,
Jens