# Limiting Bandwith per shell user ?



## bryn1u (Jul 6, 2017)

Hello,

Im looking for some solutions about limiting bandwith per user. For example, i have a server with user called joker. Joker has a shell access and use rutorrent. I dont want to let him download more then 100 KB/s. How can i limit him. Doesn't matter if it is pf or ipfw. Which is better for that purpose ? And obviously is if it even possible ?

Thanks guys, i would be gratefull for some advice.


----------



## SirDice (Jul 6, 2017)

Neither firewall is user-aware. You can't tell by looking at a network packet who the user was that sent it, that information is simply not there.


----------



## leebrown66 (Jul 6, 2017)

ipfw(8) seems to be able:


> RULE OPTIONS (MATCH PATTERNS)
> :
> uid user
> Match all TCP or UDP packets sent by or received for a user.  A
> user may be matched by name or identification number.


Similarly for group, so I suppose you could build a pipe for each user and filter based on their uid.


----------



## bryn1u (Jul 6, 2017)

leebrown66 said:


> ipfw(8) seems to be able:
> 
> Similarly for group, so I suppose you could build a pipe for each user and filter based on their uid.


Oooo thanks. I will try !


----------



## ShelLuser (Jul 6, 2017)

I don't want to be limited 

More seriously though: that UID function is not going to work. Reading that that same manual page you'll see that it only applies: "_When the packet can be associated with a local socket._". When a user runs ping then all which will be known is the ICMP packet.


----------



## Eric A. Borisch (Jul 7, 2017)

It depends on how the protocol works (and I don't know for torrents) but pf certainly can process by user for certain types of connections. See the user and group filteropts in pf.conf(5) and give it a shot.

If the protocol consists of TCP or UDP connections established from a process owned by the user, then this will likely work. Note this would clearly not work if you were trying to limit at a firewall/router that is not the system with the process & uid originating the connection. This also won't work for, for example, an incoming SSH connection, as the listening port is owned by root, but it will work for an outgoing SSH connection, where the process creating the connection is owned by the user.


----------



## Eric A. Borisch (Jul 7, 2017)

Another option would be to have a jail the user connects into, and shape the BW available to the jail (via PF on the host system, for example.) Haven't tried this myself, but I think it will work.


----------



## sko (Jul 7, 2017)

Eric A. Borisch said:


> Another option would be to have a jail the user connects into, and shape the BW available to the jail (via PF on the host system, for example.) Haven't tried this myself, but I think it will work.



This was the first thing that came to mind when I read the original question. Well, mainly because I wouldn't want any user to play around directly on *my* system, so I'd put everyone into jail just for my own peace of mind. As a side effect, if you assign different IP to every user/jail, you can easily filter or shape traffic directly on the firewall/gateway based on the IP. This way you have a single point of configuration for traffic control instead of multiple hosts with unique configurations that need to be massaged...

Thanks to PF macros/tables you can assign meaningful names to the IPs to keep the rules nicely readable and group various users/jails together e.g. to put your typical whiners (like PHBs) on a slightly higher priority queue.


----------



## leebrown66 (Jul 9, 2017)

ShelLuser said:


> I don't want to be limited
> 
> More seriously though: that UID function is not going to work. Reading that that same manual page you'll see that it only applies: "_When the packet can be associated with a local socket._". When a user runs ping then all which will be known is the ICMP packet.


There is also the lookup rule with uid (but not gid) which is agnostic of protocol:


> lookup {dst-ip | dst-port | src-ip | src-port | uid | jail} name


You just need to stuff a table with the UID's you want to work with.  I suppose each entry could have it's pipe number associated with the UID in the table.


----------



## bryn1u (Jul 18, 2017)

I just got the answer from hosting shell admin. IPFW can limit per user ! The problem was in 2014 when ipfw made deadblocks.


----------

