I use CrashPlan as a backup service. It works and is very simple to set up, but has limited options for controlling bandwidth. In fact, if you're running it on a headless system (e.g., a fileserver of some sort), your options are effectively "too slow" and "CONSUME EVERYTHING". There is an open request to add time-based limitations to the application itself, but for now I've solved this using a very simple traffic shaping configuration. Because the learning curve for "tc" and friends is surprisingly high, I'm putting my script here in the hopes that other people might find it useful, and so that I can find it when I need to do this again someday.


#!/bin/sh

# The network device used for backups
dev="eth0"                  # placeholder: set to your outbound interface

# The remote address of the CrashPlan server
crashplan_addr="192.0.2.1"  # placeholder: set to your server's address

# The port
crashplan_port="443"        # placeholder: set to the port your client uses

# The rate limit. See tc(8) for acceptable syntax.
crashplan_limit="100kbit"   # placeholder: set to the rate you want

if [ "$1" = "enable" ]; then
    # This creates and activates the traffic shaper
    # configuration. Packets to the backup server are marked
    # by iptables; the fw filter sends marked packets to the
    # rate-limited htb class.
    logger -s -t ratelimit -p user.notice "enabling rate limits"
    tc qdisc del dev "$dev" root > /dev/null 2>&1
    tc qdisc add dev "$dev" root handle 1: htb
    tc class add dev "$dev" parent 1: classid 1:10 htb rate "$crashplan_limit"
    tc filter add dev "$dev" parent 1: prio 0 protocol ip handle 10 fw flowid 1:10
    iptables -t mangle -A OUTPUT -d "$crashplan_addr" -p tcp --dport "$crashplan_port" -j MARK --set-mark 10
elif [ "$1" = "disable" ]; then
    # This removes the traffic shaper
    # configuration.
    logger -s -t ratelimit -p user.notice "disabling rate limits"
    tc qdisc del dev "$dev" root > /dev/null 2>&1
    iptables -t mangle -D OUTPUT -d "$crashplan_addr" -p tcp --dport "$crashplan_port" -j MARK --set-mark 10
elif [ "$1" = "show" ]; then
    # Shows the current traffic shaper configuration.
    tc qdisc show dev "$dev"
    tc class show dev "$dev"
    tc filter show dev "$dev"
    iptables -t mangle -vnL OUTPUT
else
    echo "usage: $0 enable|disable|show" >&2
    exit 1
fi
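
The shaper only works when three pieces line up: the htb class carries the expected rate, the fw filter maps mark 10 (0xa) to class 1:10, and there is exactly one MARK rule (iptables -A appends another copy every time it runs, and -D removes only one). The following check is an added example, not part of the original script; the function names and the sample tc/iptables output are constructed for illustration.

```bash
# Added example (not the author's code): sanity-check text captured from
# tc and iptables. All sample text below is constructed for illustration.

# Print the htb rate of class $2 found in `tc class show` text $1.
class_rate() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "class" && $2 == "htb" && $3 == id {
            for (i = 4; i < NF; i++)
                if ($i == "rate") { print $(i + 1); exit }
        }'
}

# Succeed if `tc filter show` text $1 maps fwmark $2 (hex) to class $3.
filter_maps_mark() {
    printf '%s\n' "$1" | grep -Eq " fw .*handle $2 classid $3( |\$)"
}

# Count MARK rules for mark $2 (hex) in `iptables -t mangle -S OUTPUT`
# text $1. Accepts both the --set-mark and --set-xmark spellings.
count_mark_rules() {
    printf '%s\n' "$1" | grep -Ec -- "-j MARK --set-x?mark $2(/| |\$)" || true
}

# Report problems; return 0 only when all three pieces line up.
check_shaper() {   # $1 class text, $2 filter text, $3 rule text, $4 rate
    local rc=0 n
    [ "$(class_rate "$1" 1:10)" = "$4" ] || { echo "class 1:10 rate is not $4"; rc=1; }
    filter_maps_mark "$2" 0xa 1:10 || { echo "no fw filter for mark 0xa"; rc=1; }
    n=$(count_mark_rules "$3" 0xa)
    [ "$n" -eq 1 ] || { echo "expected 1 MARK rule, found $n"; rc=1; }
    return $rc
}

# Constructed samples in the shape printed by tc and iptables.
sample_class='class htb 1:10 root prio 0 rate 100Kbit ceil 100Kbit burst 1600b cburst 1600b'
sample_filter='filter parent 1: protocol ip pref 49152 fw chain 0
filter parent 1: protocol ip pref 49152 fw chain 0 handle 0xa classid 1:10'
sample_rules='-P OUTPUT ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 4242 -j MARK --set-xmark 0xa/0xffffffff'

check_shaper "$sample_class" "$sample_filter" "$sample_rules" 100Kbit && echo "shaper OK"
```

On a live system, pass the output of `tc class show dev "$dev"`, `tc filter show dev "$dev"` and `iptables -t mangle -S OUTPUT` in place of the samples.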

Patch to gPXE dhcp command

Thu 22 July 2010 by Lars Kellogg-Stedman Tags gpxe linux dhcp

Update: This patch has been accepted into gPXE.

I just released a patch to gPXE that modifies the dhcp command so that it can iterate over multiple interfaces. The stock dhcp command only accepts a single interface as an argument, which can be a problem if you are trying to …


Blocking VNC with iptables

VNC clients use the RFB protocol to provide virtual display capabilities. The RFB protocol, as implemented by most clients, provides very poor authentication options. While passwords are not actually sent "in the clear", it is possible to brute force them based on information available on the wire. The RFB 3 …


Linux UPnP Gateway

Fri 29 January 2010 by Lars Kellogg-Stedman Tags networking peertopeer linux upnp

Like many other folks out there, I have several computers in my house connected to the outside world via a Linux box acting as a NAT gateway. I often want to use applications such as BitTorrent and Freenet, which require that a number of ports be forwarded from my external …
