Honeypots mailing list archives

Re: Openbsd firewall


From: "Travis Boucher" <tbone () tbone ca>
Date: Thu, 29 Jul 2004 22:33:34 -0700

I don't see why you couldn't limit it below 5.6Kb.  If you are running 
multiple honeypots, I'd suggest setting up a single queue with the total 
bandwidth you'll allow to all of the honeypots (20Kb for example), then use 
sub-queues for each target machine:

eg. (/etc/pf.conf)

# Start

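hp_if=fxp2
hpa=192.168.0.1
hpb=192.168.0.2
hpc=192.168.0.3

# Parent queue: total bandwidth shared by all honeypots
altq on $hp_if cbq bandwidth 20Kb queue { hp_nomatch, qhpa, qhpb, qhpc }
# cbq needs exactly one default queue for traffic no rule assigns
queue hp_nomatch bandwidth 1% cbq(default)
# 5% of 20Kb = 1Kb per honeypot
queue   qhpa bandwidth 5%
queue   qhpb bandwidth 5%
queue   qhpc bandwidth 5%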

pass in from any to $hpa queue qhpa
pass in from any to $hpb queue qhpb
pass in from any to $hpc queue qhpc

# End

That should effectively limit each honeypot to 1Kbps.  This is assuming you 
are using pf and altq for bandwidth limiting.  You could also use some 
userspace bandwidth throttling capable tools (openvpn comes to mind).

On Thu, 29 Jul 2004 15:55:17 -0500, joe smith wrote
I am currently testing an openbsd gateway/firewall for my honeypot 
setup.  I'm limiting the amount of bandwidth for each honeypot. 
Does anyone know why I cannot set it below 5.6 kilobits?

Thanks
J

