pf and dummynet
Kristof Provost
kp at freebsd.org
Mon Jul 29 17:51:43 UTC 2019
> On 2019-07-29 18:44:00 (+0100), Paul Webster via freebsd-pf <freebsd-pf at freebsd.org> wrote:
> >
> > Sent from Mail for Windows 10
> >
> > From: mike tancsa
> > Sent: 29 July 2019 17:06
> > To: freebsd-pf at freebsd.org
> > Subject: pf and dummynet
> >
> > I have a box I need to shape inbound and outbound traffic. It seems altq
> > can only shape outbound packets and not limit inbound ? If thats the
> > case, what is the current state of mixing ipfw, dummynet and pf ?
> > Writing large complex firewall rules works better from a readability POV
> > (for us anyways) so I really prefer to use it. But I need to prevent zfs
> > replication eating up BW over some WAN links, and dummynet seems to
> > "just work"
> >
> > For ipfw I have
> >
> >
> > 00010 6640359 9959147882 pipe 1 tcp from 192.168.128.0/20 to any
> > 01000 3486901 228480912 allow ip from any to any
> >
> > and then checking my pf.conf rules, it seems to block and pass traffic
> > as expected.
> >
> > Is there anything I should explicitly check ?
> >
> You can mix ipfw and pf, but beware of the order they are loaded (The
> first one loaded is inside the second one loaded) – it may be better
> in fact to compile them both in the kernel.
>
> You basically end up with: (pf)(ipfw)(system)(ipfw)(pf) – assuming pf
> was loaded first
Also beware of gotchas with things like IPv6 fragment handling or
route-to.
I do not consider mixing firewalls to be a supported configuration. If
it breaks you get to keep the pieces.
Regards,
Kristof
More information about the freebsd-pf
mailing list