gateway/firewall script
Jonathan Feally
vulture at netvulture.com
Wed Oct 22 20:29:15 PDT 2003
Your problem lies in that you are counting the traffic twice in the
queue/pipe - once from the internal addr to the dst, and once from the
external addr to the dst. Change your rules to specify which IP Block
should get the bw limiting.
I don't know if the keep-state thing is throwing it out of whack or not.
Aleksandar Simonovski wrote:
>This is my script, and it works just fine; its purpose is to allow just www, ftp and dns requests,
>but I get only 6KB/s transfer with config bw 128Kbit/s, and 3KB/s with 64Kbit/s and so on,
>and it should be 16KB/s with 128Kbit/s and 8KB/s with 64Kbit/s and so on. So is this right or
>am I missing something?
>
>Any comments on the script would be fine.
>
>INTINF=rl1
>EXTINF=rl0
>
># natd is running
>natd -n rl0
>
># ipfw rules file: one ipfw command per line, loaded with "ipfw <file>"
>-f flush
>add 1000 divert 8668 ip from any to any via rl0
>add 1200 allow ip from any to any via lo0
>add 1300 deny ip from any to 127.0.0.1/8
>add 1400 deny ip from 127.0.0.1/8 to any
>add 1500 check-state
>add 1550 allow icmp from any to any keep-state
>add 1600 allow log udp from any to any 53 keep-state out
>add 1610 allow log udp from any to any 53 keep-state in
>#add 1620 allow log udp from any 53 to any keep-state in
>add 1700 queue 1 log tcp from any to any 20,21 keep-state out
>add 1800 queue 2 log tcp from any 20,21 to any keep-state in
>add 2000 queue 3 log tcp from any to any 80 keep-state out
>add 2010 queue 4 log tcp from any to any 80 keep-state in
>#add 2020 queue 5 log tcp from any 80 to any keep-state in
>add 2100 deny log ip from any to any
>queue 1 config weight 5 pipe 1 mask all
>queue 2 config weight 5 pipe 2 mask all
>queue 3 config weight 5 pipe 3 mask all
>queue 4 config weight 5 pipe 4 mask all
>queue 5 config weight 5 pipe 5 mask all
>pipe 1 config bw 128Kbit/s
>pipe 2 config bw 128Kbit/s
>pipe 3 config bw 128Kbit/s
>pipe 4 config bw 128Kbit/s
>pipe 5 config bw 128Kbit/s
>
>Cheers,
>Aleksandar
>_______________________________________________
>freebsd-net at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-net
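An added simulation, not code from the thread, of the double counting described in the reply: it walks one outbound HTTP request packet through the posted "from any to any 80" rules and then through rules limited to an internal block, assuming a constructed LAN 192.168.1.0/24 behind external address 198.51.100.7, net.inet.ip.fw.one_pass=1, and no keep-state dynamic rules.

```python
# Constructed model of the posted script's port-80 rules on the outbound path: the
# request packet is evaluated once inbound on rl1 (LAN source) and once outbound
# on rl0 after natd rewrote the source. Assumes net.inet.ip.fw.one_pass=1 (a queue
# match ends that pass); keep-state dynamic rules and the divert rule are omitted.
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str            # "allow", "deny" or "queue"
    queue: int = 0         # queue number when action == "queue"
    src: str = "any"       # "any" or a prefix such as "192.168.1.0/24"
    dports: tuple = ()     # empty tuple matches any destination port
    direction: str = ""    # "", "in" or "out"
    via: str = ""          # "" or an interface name

# One pass of a TCP packet through the ruleset, as ipfw sees it at that point.
Hop = namedtuple("Hop", "direction iface src dport")

def matches(rule, hop):
    return ((rule.src == "any" or ip_address(hop.src) in ip_network(rule.src))
            and (not rule.dports or hop.dport in rule.dports)
            and (not rule.direction or rule.direction == hop.direction)
            and (not rule.via or rule.via == hop.iface))

def queues_hit(rules, hops):
    """Queue numbers the packet is put into over all hops; None if it is denied."""
    hits = []
    for hop in hops:
        rule = next((r for r in rules if matches(r, hop)), Rule("deny"))
        if rule.action == "deny":
            return None
        if rule.action == "queue":
            hits.append(rule.queue)
    return hits

# Constructed addresses: LAN host 192.168.1.10 is NATed to external 198.51.100.7.
REQUEST_PATH = [Hop("in", "rl1", "192.168.1.10", 80),
                Hop("out", "rl0", "198.51.100.7", 80)]
# Port-80 rules as posted: "from any to any 80", one per direction keyword.
POSTED = [Rule("queue", 3, dports=(80,), direction="out"),
          Rule("queue", 4, dports=(80,), direction="in"),
          Rule("deny")]
# Limited by source block: pre-NAT pass is queued, post-NAT pass allowed, shaped once.
BY_BLOCK = [Rule("queue", 3, src="192.168.1.0/24", dports=(80,)),
            Rule("allow", src="198.51.100.7", dports=(80,), direction="out", via="rl0"),
            Rule("deny")]

print(queues_hit(POSTED, REQUEST_PATH), queues_hit(BY_BLOCK, REQUEST_PATH))  # [4, 3] [3]
```

The posted rules put the same request into two queues (one per pass), while the block-limited rules shape it once; return traffic would need the same treatment on the inbound path.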