ipfw, pipes, queues, weights and managing an Internet connection

Lubomir Georgiev 0shady0recs0 at gmail.com
Wed Jun 13 19:40:39 UTC 2007 

OK, so here's what I've ended up -> fxp0 is the external interface, the one
on which natd is bound to.


> 00001: 440.000 Kbit/s    0 ms  500 B 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes
> Pkt/Byte Drp
>   0 tcp   85.187.141.213/24593      10.11.0.33/3132  16906 17390616  0
> 0 2394
> **
> **  I've limited the pipe to 440 Kbit/s for the testing purposes. There
> are no other pipes.*
>
> q00001: weight 99 pipe 1   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes
> Pkt/Byte Drp
>   0 tcp       10.11.0.33/3132   85.187.141.213/24593 374713 26638167  0
> 0   0
> q00002: weight 75 pipe 1   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes
> Pkt/Byte Drp
>   0 tcp   66.160.135.130/80       192.168.1.90/1228  2025  1825680  0
> 0   0
> q00003: weight 50 pipe 1   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes
> Pkt/Byte Drp
>   0 tcp      64.12.90.22/80       192.168.1.90/1100  9081 10419914  0
> 0   0
>
>


And the ruleset -> I'll try to comment the lines the same way Mark did:



> 01900 queue 1 ip from any to any out proto tcp tcpflags ack iplen 0-80
> xmit fxp0
> 01905 queue 1 ip from any to any in proto tcp tcpflags ack iplen 0-80 recv
> fxp0
> * Following Mark's example I let the ACK's in the first queue.
> 01910 queue 1 ip from any to any out proto udp xmit fxp0
> 01911 queue 1 ip from any to any in proto udp recv fxp0
> * Again using Mark's example - this server for DNS requests
> 01915 queue 1 ip from any to any in proto icmp recv fxp0
> 01920 queue 1 ip from any to any out proto icmp xmit fxp0
> * You guessed it - the dreaded ping...
> 01950 queue 2 ip from 192.168.1.90 to not me
> 01960 queue 2 ip from not me to 192.168.1.90
> * 192.168.1.90 is a host which I want to have priority over everything
> else - except for the DNS, ACK and ping requests.
> 02000 queue 3 ip from any to any src-port 80 not layer2 via fxp0
> 02100 queue 3 ip from any to any dst-port 80 not layer2 via fxp0
> *  Here I give priority to the 80 port so that browsing should not feel
> that something is being downloaded and is trying to eat up the pipe.
> 65500 allow ip from any to any
> * And here falls everything else. The interesting part about this is that
> when I put that rule to fall in for ex. queue 4 /pipe 1, weight 1, least
> priority/ all the others seem to not work, judging by the ping times, so I
> just allowed it without setting a queue to it.
>


  I believe that the 65500 rule and the not working of others when assigned
a queue may be because I have no allow rule after the natd diver. The 1900
rule is the first one after the divert rule. I think that's the reason.

  Please people comment, share your thoughts and opinions - I feel that
there is some difference, but I do drastically feel when there is a torrent
in the background. Maybe I'm doing something wrong? If anyone has the time
and the desire to test this ruleset - IT WOULD BE INVALUABLE, cuz words can
only take you so far...

  To anyone who participates - a big thanks!

-- 
mEsS wItH tHe bEsT
dIE liKe tHe rESt

More information about the freebsd-ipfw mailing list