ZenInternet

(re Zen) Well done.  That makes three wikizens using them.  They do seem to be surprisingly competent.  My only minor grips is that their mail servers are less capable than they might be, and they require dhcp even when they allocate you a static IP.  But they allocate you the static IP in the first place, which more than makes up for it.  --Vitenka

Five I think - Garbled, Vitenka, Crazyscot and (Emperor and Senji).

Emperor and Senji haven't been for almost a year now, unfortunately.

And thus the CompSci was [enlightened]. --Requiem

Does it correlate to periods of you maxing out your upstream bandwidth? Don't trust bittorrent's bandwidth report, it can lie by as much as 20% because it averages, and it's peak usage that matters here; use something like ntop to chart what's happening. If so, then it's BT - that's their way of capping it. I ranted on ToothyWikiInternals/ToothycatDowntime about it a while back, I think. - MoonShadow

Not running torrents at all - it happens whilst just web browsing.  And it's not just rate capping - the terminal adapter loses link entirely and starts flashing funny lights until it recovers.  --Vitenka

That's precisely it - BT will rate-cap upstream bandwidth on your connection by physically dropping the link. They handle downstream bandwidth sanely, but for some reason not upstream. Which will cause flashing lights, etc. At least, they do with us. Check your network traffic with a sniffer to rule it out. - MoonShadow

That's... insane!  Argh.  I can't rate limit - I've got the win98 box connected directly to the hub, and anyway I don't know HOW to.  ARGH.  --Vitenka

Ok, </whine>  I guess I need to set up my bsd box as a NAT router and traffic shaper (which is itself already behind a NAT router - one advantage of this is that my windows box can have the IP that the outside world thinks it has, which bypasses a whole host of apps collecting the wrong IP) - but does anyone know how to do this?  --Vitenka

(PeterTaylor) If you have iptables then NAT is quite easy - there's a Linux HOWTO on it. I've no experience of traffic shaping, though.

From previous experience (Where is it.. TechSupport/SwitchToLinux? maybe?) there are hundreds of incomprehensible HOWTO's, none of which actually match the tools which are currently in use.  Still, back to the CuttingFace?...  --Vitenka (Has anyone actually done this for themselves, and can get to IRC?  Luckily I now have three computers, so can probably try this and chat at the same time)

(PeterTaylor) I've done NAT with iptables, but that was on friar, and I don't run NAT on charis. I can boot friar tomorrow morning and shove my config file online if that would help.

What I really need is just a good long talk with someone who understands what some of this stuff means.  I want to do something which is incredibly simple, but the docs are incredibly opaque.  Which means we must be using different concepts, and I need a translator.  --Vitenka (Well, that or everyone who uses this stuff is a lunatic)

I gave up on trying to configure iptables - it wasn't worth the time I was spending on it. I now routinely tell bittorrent to limit upload bandwidth to 1kbps - the downloads still max out my pipe, so *shrug*. Then again, toothycat.net does have a particularly *weird* firewall setup - the simple stuff seemed to work when I tried it, it just all fell over when I introduced a DMZ and SNAT for the servers. I was using [this] tutorial at the time, but since I'm not even up to installing it here, I don't think I'm really qualified to help with a remote install - sorry.. - MoonShadow

Um.  I know what NAT is, is SNAT a typo, or is it something else?  And what is DMZ anyway?  --Vitenka

[Not a typo]. DMZ == demilitarized zone. Basically, a network physically isolated from both the internet and the internal network, where the serves live (so a compromised server doesn't compromise the internal network). I want packets that have been routed out of there to the internet to be made to look like they're coming from the static IP addresses assigned to me (which in reality all map to interfaces on the firewall) according to certain rules; this allows me to completely hide the internal network configuration from the outside world, handle different services on different machines etc. - MoonShadow

How does that differ from NAT?  --Vitenka

It's a subset of it :) What usually appears to be meant by "NAT", and what most tutorials show you how to do, is rewriting all packets from one network to make them look like they're all coming from a single IP address on another network, dynamically assigning ports etc. and twiddling packets coming back so that bidirectional connections work; for connection sharing or whatever. NAT is actually much more than that. What *I* need to be able to do is give rules of the form "make packets coming from this port on this machine look like they're coming from this port on this IP address, and route packets received on this port back to that machine" for an arbitrary number of machines, ports and IP addresses. ipchains currently does this admirably in my configuration; my brain broke when I tried to get iptables to do the same thing, and I decided not to fiddle any more since ipchains worked ^^; IME hardware routers etc. that say they do NAT usually handle the former well, but not the latter. - MoonShadow

Hmmm.  Mine has a 'DMZ' setting, but it was incomprehensible to me.  Thanks for clearing it up for me - this is part of what I was meaning by different terminology.  Setting up a seperate page at Vitenka/FirewallRules?.  --Vitenka