[CentOS] which firewall to automatically block bandwidth abusers?

Thu Aug 18 19:29:55 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 8/18/2011 2:15 PM, Rudi Ahlers wrote:
> On Thu, Aug 18, 2011 at 9:09 PM, Always Learning <centos at u61.u22.net> wrote:
>>
>> On Thu, 2011-08-18 at 21:01 +0200, Rudi Ahlers wrote:
>>
>>> I need to automatically block any user who abuses bandwidth, either
>>> incoming or outgoing. I should be able to set the limits, in either
>>> rate/s or usage/s: 1Mb/s or 10GB/h, for example.
>>
>> First question is:
>>
>> (a) how can you get the IP address ?
>
> I don't fully understand your question?
> How do you get any IP address from any machine that connects to a
> server on the internet? netstat shows the IP's,

You said 'user', which may or may not map to a consistent, single IP 
address.

> /var/log/http/access.log shows the IP's and I'm sure it's listed in
> other places as well.

Are these web browser clients, locally attached PCs, or what?

> We currently use ntop to monitor the server's usage, but there's no
> way to automatically block an abusive IP.

What's 'abusive'?  If they are using a web app, let the app monitor the 
connection of a logged in user and handle them appropriately.

>
> Ideally I would like to get a dedicated firewall, or dedicated Linux /
> UNIX firewall appliance for this purpose as it needs to monitor and
> protect a whole bunch of servers

A separate box won't know what is going on.  Suppose you have a remote 
mail server relaying in or out for a large number of users.  The 
intermediate box will see a lot of smtp traffic to/from one IP, but it 
will correspond to a lot of users.  Likewise for web users behind a 
company proxy.

-- 
   Les Mikesell
    lesmikesell at gmail.com
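The point Les makes above (a per-IP count lumps every user behind a proxy or relay together, while the application can account per logged-in user) is easy to see with a small accounting script. The following is an added example, not code from the thread or from ntop; it assumes Apache's "combined" log format with the authenticated user in the third (%u) field, and the log lines, IP addresses, user names and the 1 GB/hour limit are all constructed for illustration. The sliding window is what turns a limit like "10GB/h" into something checkable: no one-hour window, not just the calendar hour, may exceed the limit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, assumed here: host ident user [time] "request"
# status bytes ...  The third field (%u) is the user the web app or HTTP auth
# identified, or "-" when nobody was logged in.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

GB = 1_000_000_000
HOUR = timedelta(hours=1)

# Constructed sample lines: three users share one proxy address (203.0.113.5),
# dave downloads a lot from his own address, and erin's two large downloads
# are more than an hour apart.
SAMPLE_LOG = """\
203.0.113.5 - alice [18/Aug/2011:10:00:00 +0200] "GET /iso/a.iso HTTP/1.1" 200 200000000 "-" "curl/7.19"
203.0.113.5 - bob [18/Aug/2011:10:05:00 +0200] "GET /iso/b.iso HTTP/1.1" 200 400000000 "-" "curl/7.19"
203.0.113.5 - alice [18/Aug/2011:10:30:00 +0200] "GET /iso/c.iso HTTP/1.1" 200 200000000 "-" "curl/7.19"
203.0.113.5 - carol [18/Aug/2011:10:40:00 +0200] "GET /iso/d.iso HTTP/1.1" 200 400000000 "-" "curl/7.19"
198.51.100.7 - dave [18/Aug/2011:10:10:00 +0200] "GET /iso/e.iso HTTP/1.1" 200 1500000000 "-" "Wget/1.12"
198.51.100.7 - dave [18/Aug/2011:10:11:00 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Wget/1.12"
192.0.2.9 - erin [18/Aug/2011:10:00:00 +0200] "GET /iso/f.iso HTTP/1.1" 200 800000000 "-" "Wget/1.12"
192.0.2.9 - erin [18/Aug/2011:11:30:00 +0200] "GET /iso/g.iso HTTP/1.1" 206 800000000 "-" "Wget/1.12"
"""


def parse_line(line):
    """Return {ip, user, time, bytes} for one access_log line, or None if it
    does not match the assumed format.  A "-" byte count is a 0-byte reply."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "user": m.group("user"),
            "time": when, "bytes": size}


def parse_log(text):
    """Parse every line of a log; silently skip lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def peak_usage(records, key, window):
    """For each distinct value of `key` ("ip" or "user"), the largest number
    of bytes served inside any sliding window of length `window`."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r[key]].append((r["time"], r["bytes"]))
    peaks = {}
    for k, events in by_key.items():
        events.sort()            # chronological; two-pointer sliding window
        lo = total = peak = 0
        for when, size in events:
            total += size
            # evict everything older than the window ending at `when`
            while events[lo][0] <= when - window:
                total -= events[lo][1]
                lo += 1
            peak = max(peak, total)
        peaks[k] = peak
    return peaks


def abusers(records, key, limit, window):
    """Sorted list of keys whose peak usage in any window exceeds `limit`."""
    return sorted(k for k, v in peak_usage(records, key, window).items()
                  if v > limit)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Per IP the proxy is "abusive" (1.2 GB in one hour) although no single
    # user behind it is; per user only dave is.  Erin stays under the limit
    # in every one-hour window, which a plain daily total would miss.
    print("by IP:  ", abusers(recs, "ip", GB, HOUR))
    print("by user:", abusers(recs, "user", GB, HOUR))
```

Keying on the user only works where the application actually authenticates the request: every anonymous hit lands under the single "-" user, so an unauthenticated site is back to IP addresses and the proxy problem. Whatever the script flags is input for the application's own response (throttle, log out, disable the account); pushing the list to a packet filter on a separate box reintroduces exactly the shared-address collateral damage the reply warns about.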