NAME
owampd.limits - One-way latency server policy configuration file

DESCRIPTION
The owampd.limits file is used to define the policy configuration for the owampd program. It allows the system administrator to allocate resources in a variety of ways. There are two parts to the policy configuration:

Authentication is done by assigning a limitclass to each new connection as it comes in. Each limitclass has a set of limits associated with it. The limitclasses are hierarchical, so a connection must pass the limit restrictions of the given limitclass as well as those of all its parent classes. Within the owampd.limits file, assign lines are used to assign a limitclass to a given connection, and limit lines are used to define a limitclass and set the limits associated with it. The file is read sequentially, and it is not permitted to use a limitclass before it has been defined with a limit line. The format of this file is:

CONFIGURATION OPTIONS
    limit limitclassname with
        limtype=value[,limtype=value]*

limitclassname defines the name of the class with the given limits. Whitespace is used as a separator but is otherwise ignored. limitclassname may be used as a directory name component within owampd, so take care not to use characters that would be invalid in one ('*' or '/' would be particularly bad). limtype and value indicate the particular type of limit and the value to apply to this limitclass. The available settings for limtype are:

    assign authtype [args]
        limitclassname

authtype identifies the type of authentication being used. Whitespace is used as a separator but is otherwise ignored. limitclassname must have been previously defined with a limit directive earlier in the file. The available settings for authtype are:

There must be no set bits in the non-masked portion of the address part of a subnet specification; e.g., 192.168.1.1/24 would be an invalid subnet because of the bit set in the fourth octet.
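The following is an added example, not owampd's own code, that applies the rules above and the open-mode resolution described under AUTHENTICATION PROCESS below: it reads a limits file sequentially, rejects a limitclass used before its limit line, rejects subnet specifications with bits set outside the mask, and resolves which limitclass a connection receives. The limtype names bandwidth, disk, parent and allow_open_mode and the authtype keywords default, net and user are taken from this page's text; the k/m/G size suffixes, the sample policy, and the O/A/E mode labels are this example's own assumptions.

```python
"""Added example (not owampd's own code): validate an owampd.limits-style file and resolve which
limitclass a connection receives, per the man page's rules. Limtypes (bandwidth, disk, parent,
allow_open_mode) and authtypes (default, net, user) are from the page; k/m/G suffixes are constructed."""
import ipaddress
import re
from types import SimpleNamespace

SAMPLE_LIMITS = """\
# constructed sample policy, modelled on the page's root/jail/open examples
limit root with \\
    bandwidth=900m,disk=2G,allow_open_mode=off
limit jail with parent=root,bandwidth=1,disk=1,allow_open_mode=off
limit open with parent=root,bandwidth=10k,disk=10M,allow_open_mode=on
assign default open              # default open
assign net 192.168.1.0/24 jail   # badguys subnet
assign user joe root             # network admins
"""
SIZE_SUFFIX = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}

def parse_size(text):
    if not (m := re.fullmatch(r"(\d+)([kKmMgG]?)", text)):
        raise ValueError(f"bad size value {text!r}")
    return int(m.group(1)) * SIZE_SUFFIX[m.group(2).lower()]

def logical_lines(text):
    """Join backslash-continued lines, then drop '#' comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    stripped = (raw.split("#", 1)[0].strip() for raw in joined.splitlines())
    return [line for line in stripped if line]

def parse_limits(text):
    # classes: limitclass -> {limtype: value}; nets: [(ip_network, class)]; users: identity -> class
    pol = SimpleNamespace(classes={}, nets=[], users={}, default=None)
    for n, line in enumerate(logical_lines(text), 1):  # the file is read sequentially
        w = line.split()
        if w[0] == "limit" and len(w) == 4 and w[2] == "with":
            name, limits = w[1], {}
            if re.search(r"[*/]", name) or name in pol.classes:
                raise ValueError(f"line {n}: bad or duplicate limitclass {name!r}")
            for item in w[3].split(","):
                key, _, val = item.partition("=")
                if key == "parent" and val in pol.classes:  # parent must already be defined
                    limits[key] = val
                elif key in ("bandwidth", "disk"):
                    limits[key] = parse_size(val)
                elif key == "allow_open_mode" and val in ("on", "off"):
                    limits[key] = val == "on"
                else:
                    raise ValueError(f"line {n}: unknown, malformed or undefined-parent limit {item!r}")
            if pol.classes and "parent" not in limits:
                raise ValueError(f"line {n}: only the first limitclass may omit parent")
            pol.classes[name] = limits
        elif w[0] == "assign" and len(w) in (3, 4) and w[-1] in pol.classes:
            kind, cls = w[1], w[-1]
            if kind == "default" and len(w) == 3:
                pol.default = cls
            elif kind == "net" and len(w) == 4:
                # strict=True rejects 192.168.1.1/24 (bits set outside the mask), as the page requires
                pol.nets.append((ipaddress.ip_network(w[2], strict=True), cls))
            elif kind == "user" and len(w) == 4:
                pol.users[w[2]] = cls
            else:
                raise ValueError(f"line {n}: bad assign line {line!r}")
        else:
            raise ValueError(f"line {n}: bad directive or limitclass used before definition: {line!r}")
    return pol

def check_limits(text):
    """None if the file is valid, else the first error message."""
    try:
        parse_limits(text)
    except ValueError as exc:
        return str(exc)
    return None

def _chain(pol, cls):
    while cls is not None:  # limits of cls, then of each parent up to the root
        yield pol.classes[cls]
        cls = pol.classes[cls].get("parent")

def effective_limits(pol, cls):
    """Tightest bandwidth/disk along the parent chain (a connection must pass the class and all
    its parents). allow_open_mode comes from the nearest class that sets it, an assumption
    matching the page's example, where 'open' permits open mode although root does not."""
    lims = list(_chain(pol, cls))
    eff = {k: min((l[k] for l in lims if k in l), default=None) for k in ("bandwidth", "disk")}
    eff["allow_open_mode"] = next((l["allow_open_mode"] for l in lims if "allow_open_mode" in l), False)
    return eff

def resolve(pol, mode, src_ip, user=None):
    """Limitclass for a connection, or None if refused. Mode labels are this example's own:
    'O' open, 'A' authenticated, 'E' encrypted."""
    if mode in ("A", "E"):  # identity decides; no filtering on source address
        return pol.users.get(user, pol.default)
    addr = ipaddress.ip_address(src_ip)
    matches = [(n, c) for n, c in pol.nets if addr.version == n.version and addr in n]
    cls = max(matches, key=lambda m: m[0].prefixlen)[1] if matches else pol.default  # closest subnet
    allowed = cls is not None and effective_limits(pol, cls)["allow_open_mode"]
    return cls if allowed else None  # open mode not allowed from this subnet
```

check_limits() returns None for a valid file or the first error it finds, so it can gate a configuration change before owampd is restarted with it; effective_limits() makes the hierarchy rule visible by taking the tightest bandwidth and disk value along the parent chain, and resolve() shows why an open-mode connection from the jailed subnet is refused while an authenticated identity from the same subnet is not.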
AUTHENTICATION PROCESS
owampd determines whether it should allow a connection from the client based upon the authentication mode of the request and the source IP address of the connection. If the client connection is in authenticated or encrypted mode, the daemon does not do any filtering based upon the source address of the connection. (See the -A option to owping and the authmode option in owampd.conf.) In these modes owampd simply uses the identity of the connection to determine the limitclass limits. If the connection is made in open mode, then owampd first uses the source address to determine whether it should allow an open mode connection from that subnet at all. (This is the purpose of the allow_open_mode limtype described above.) If open mode is allowed from this subnet, then the limitclass is determined by the closest subnet match defined by the assign net lines in the owampd.limits file.

EXAMPLES
An initial limit line might look like:

    limit root with \

This would create a limitclass named root. Because no parent is specified, this must be the first limitclass defined in the file. This limitclass has very liberal limits (a 900m limit on bandwidth, and 2 GB of disk space). However, open mode authentication is not enabled for this limitclass, so the connections that get these limits must successfully authenticate using an AES key derived from the pass-phrase in the owampd.pfs file.

If an administrator also wants to create a limitclass that is used to deny all requests, they might add:

    limit jail with \

This would create a limitclass named jail. Because the limits for bandwidth and disk are so low, virtually all tests will be denied. allow_open_mode is off, so initial connections that are not in authenticated or encrypted mode will be dropped immediately. (It would not make much sense to assign a user identity to this limitclass. If you don't want connections from a particular user identity, the best thing to do is to remove that user from the owampd.pfs file.)

If the administrator wanted to allow a limited amount of open tests, they could define a limitclass like:

    limit open with \

This could be used to allow testing by random connections. It limits those tests to 10 kilobits of bandwidth and 10 Mbytes of buffer space.

Now, these three limitclasses might be assigned to specific connections in the following ways:

    # default open

    # badguys subnet

    # network admins

This set of assign lines specifically denies access from any open mode connection from the badguys subnet. It specifically allows access to authenticated or encrypted mode transactions that can authenticate as the identities joe, jim or bob (even from the badguys subnet). All other connections would match the assign default rule and get the limits associated with the open limitclass.

SEE ALSO
owping(1), owampd(8), owampd.limits(5), owampd.pfs(5), aespasswd(1), and the http://e2epi.internet2.edu/owamp/ web site.

ACKNOWLEDGMENTS
This material is based in part on work supported by the National Science Foundation (NSF) under Grant No. ANI-0314723. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.