Single machine traffic shaping
Marcelo Souza
mpsouza at centroin.com.br
Wed Mar 29 16:09:01 UTC 2006
Patrick,
Thank you!
- Marcelo Souza
On Tue, 28 Mar 2006, Patrick Tracanelli wrote:
|> I.e: Is this correct, when trying to limit any single host to use just
|> 128kbps/s when connecting to my sendmail?
|>
|> ipfw add 00100 pipe 10 tcp from any 25 to any in
|> ipfw add 00105 pipe 20 tcp from any to any dst-port 25 out
|>
|> ipfw pipe 10 config mask src-ip 0xffffffff bw 128kbits/s
|> ipfw pipe 20 config mask dst-ip 0xffffffff bw 128kbits/s
|
|Yes it will work as expected, try to get used to defining 0x000000ff as mask for
|single hosts to avoid tunnelling per network by any mistake.
|
|> Also, should those "add pipe" come before any other rule in the ipfw
|> configuration?
|
|It depends on "how" you are working your firewall. If it is the default
|behaviour, when the sequential processing matches the pipe rule it will be
|assumed as an allowed packet (as an "allow" rule). It is not true if you have
|your sysctl MIB net.inet.ip.fw.one_pass=0, where after piped on dummynet the
|packet is still sequentially processed, so it needs a rule to match an
|"allow" decision.
|
|With this in mind where you will put the rule depends if you need extra SMTP
|filtering before or after limiting bandwidth.
|
|--
|Patrick Tracanelli
|
|FreeBSD Brasil LTDA.
|(31) 3281-9633 / 3281-3547
|316601 at sip.freebsdbrasil.com.br
|http://www.freebsdbrasil.com.br
|"Long live Hanin Elias, Kim Deal!"
|
- Marcelo
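
The one_pass behaviour described in the reply above, as a small Python model added here (not code from the thread and not ipfw's implementation). Rules 100 and 105 are the pipe rules quoted in the thread; the default-deny rule 65535, the allow rules 110 and 115, and the sample packet are assumptions constructed for the illustration.

```python
"""Toy model of ipfw's sequential rule walk, to show what one_pass changes."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "pipe", "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))

def evaluate(rules, pkt, one_pass):
    """Return (verdict, numbers of the rules that matched, in order)."""
    matched = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        matched.append(rule.number)
        if rule.action == "pipe" and not one_pass:
            continue  # one_pass=0: packet re-enters at the next rule
        # one_pass=1: leaving the pipe counts as an accept
        return ("allow" if rule.action == "pipe" else rule.action), matched
    return "deny", matched

# Rules 100 and 105 are the pipe rules quoted in the thread.
PIPES = [Rule(100, "pipe", "in", src_port=25),
         Rule(105, "pipe", "out", dst_port=25)]
# Assumptions: closed firewall (default rule 65535 deny), allow rules 110/115.
DEFAULT_DENY = [Rule(65535, "deny")]
ALLOWS = [Rule(110, "allow", "in", src_port=25),
          Rule(115, "allow", "out", dst_port=25)]
# Constructed sample packet: outbound SMTP connection to port 25.
SMTP_OUT = Packet("out", src_port=40000, dst_port=25)

if __name__ == "__main__":
    print(evaluate(PIPES + DEFAULT_DENY, SMTP_OUT, one_pass=True))
    print(evaluate(PIPES + DEFAULT_DENY, SMTP_OUT, one_pass=False))
    print(evaluate(PIPES + ALLOWS + DEFAULT_DENY, SMTP_OUT, one_pass=False))
```

With one_pass=0 and no allow rule after the pipes, the shaped packet falls through to the default rule, which is why the placement of the pipe rules relative to the rest of the ruleset matters.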