Thread: classify scp and ssh

classify scp and ssh
2007-07-08 00:55:13
Is there a way using pf to distinguish between ssh shell logins, and
scp file transfers?

-- 
-Lawrence


Re: classify scp and ssh
2007-07-08 03:42:38
On Sat, 7 Jul 2007, Lawrence Horvath wrote:

> Is there a way using pf to distinguish between ssh shell logins, and
> scp file transfers?

Not easily: ssh sets IPTOS_THROUGHPUT for non-interactive sessions,
but does it after the TCP handshake. If you are assigning connections
to queues statefully, this is too late, as the state would have already
been created with the default TOS.

-d


Re: classify scp and ssh
2007-07-08 04:19:38
On 08/07/07, Damien Miller <djmmindrot.org> wrote:
> On Sat, 7 Jul 2007, Lawrence Horvath wrote:
>
> > Is there a way using pf to distinguish between ssh shell logins, and
> > scp file transfers?
>
> Not easily: ssh sets IPTOS_THROUGHPUT for non-interactive sessions,
> but does it after the TCP handshake. If you are assigning connections
> to queues statefully, this is too late, as the state would have already
> been created with the default TOS.

I've seen PF successfully put ssh traffic in appropriate queues with
stateful filtering. I've also seen at least one ISP clearing ToS flags
on traffic passing through them.

There are some examples in http://www.openbsd.org/faq/pf/queueing.html
and of course in pf.conf(5)

> -d
>
>


-- 
viq


Re: classify scp and ssh
2007-07-08 04:51:36
Damien Miller wrote:
> On Sat, 7 Jul 2007, Lawrence Horvath wrote:
> 
>> Is there a way using pf to distinguish between ssh shell logins, and
>> scp file transfers?
> 
> Not easily: ssh sets IPTOS_THROUGHPUT for non-interactive sessions,
> but does it after the TCP handshake. If you are assigning connections
> to queues statefully, this is too late, as the state would have already
> been created with the default TOS.

You can use nc(1) as an ssh proxycommand and set the TOS to whatever you
want, but it doesn't help for the normal case.

Host somehost
	ProxyCommand nc -T lowdelay %h %p

Host somehost-xfer
	Hostname somehost
	ProxyCommand nc -T throughput %h %p

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Re: classify scp and ssh
2007-07-08 05:15:29
* Damien Miller <djmmindrot.org> [2007-07-08 10:49]:
> On Sat, 7 Jul 2007, Lawrence Horvath wrote:
> 
> > Is there a way using pf to distinguish between ssh shell logins, and
> > scp file transfers?
> 
> Not easily: ssh sets IPTOS_THROUGHPUT for non-interactive sessions,
> but does it after the TCP handshake. If you are assigning connections
> to queues statefully, this is too late, as the state would have already
> been created with the default TOS.

but that is what the two separate queue assignments per state are for...

     Packets can be assigned to queues based on filter rules by using the
     queue keyword.  Normally only one queue is specified; when a second one
     is specified it will instead be used for packets which have a TOS of
     lowdelay and for TCP ACKs with no data payload.

but I am sure you can read pf.conf.5 on your own machine 

-- 
Henning Brauer, hbbsws.de, henningopenbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
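
An added example, not from any poster in this thread, showing the two-queue assignment Henning quotes from pf.conf(5), written in the altq syntax pf used at the time; the interface name, bandwidth figure and queue names are assumptions:

```conf
# Added example (not from the thread). Assumed: upstream interface fxp0
# with 2Mb of outbound bandwidth; queue names are made up.
ext_if = "fxp0"

# priq scheduler: the queue with the higher priority number is served first.
altq on $ext_if priq bandwidth 2Mb queue { q_bulk, q_ssh_login }
queue q_bulk      priority 1 priq(default)
queue q_ssh_login priority 7

# Two queues on one rule. The first takes ordinary packets, which is where
# scp/sftp bulk data (marked IPTOS_THROUGHPUT by ssh) ends up. The second
# takes packets carrying TOS lowdelay (interactive shell traffic) and empty
# TCP ACKs. pf picks the queue per packet from the TOS bits, not from the
# state, so it does not matter that the state was created before ssh set
# the TOS after the handshake.
pass out on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state queue(q_bulk, q_ssh_login)
```

If a middlebox upstream clears ToS, as viq mentions seeing at an ISP, every packet lands in the first queue and the distinction is lost.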

