Date: Tue, 28 Mar 2006 17:00:31 -0300
From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
To: ipfw@freebsd.org
Subject: Re: Single machine traffic shaping
Message-ID: <442995DF.7060809@freebsdbrasil.com.br>
In-Reply-To: <20060328164150.C52489@trex.centroin.com.br>
References: <20060328164150.C52489@trex.centroin.com.br>
> I.e: Is this correct, when trying to limit any single host to use
> just 128kbps/s when connecting to my sendmail?
>
> ipfw add 00100 pipe 10 tcp from any 25 to any in
> ipfw add 00105 pipe 20 tcp from any to any dst-port 25 out
>
> ipfw pipe 10 config mask src-ip 0xffffffff bw 128kbits/s
> ipfw pipe 20 config mask dst-ip 0xffffffff bw 128kbits/s

Yes, it will work as expected. Try to get used to defining 0x000000ff as the mask for single hosts, to avoid tunnelling per network by mistake.

> Also, should those "add pipe" come before any other rule in the ipfw
> configuration?

It depends on "how" you are working your firewall. If it is the default behaviour, when the sequential processing matches the pipe rule it will be assumed as an allowed packet (as an "allow" rule). It is not true if you have your sysctl MIB net.inet.ip.fw.one_pass=0, where after being piped on dummynet the packet is still sequentially processed, so it needs a rule to match an "allow" decision. With this in mind, where you put the rule depends on whether you need extra SMTP filtering before or after limiting bandwidth.

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
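As an added illustration (not code from this thread or from FreeBSD), the following Python models ipfw's sequential rule walk under net.inet.ip.fw.one_pass=1 and =0, plus dummynet's mask-based flow keying, so a ruleset like the one quoted above can be checked for where an explicit allow rule is needed and whether a given mask really yields one queue per host. Rule 200, the sample packets and the addresses are constructed assumptions.

```python
import ipaddress

# Constructed model of ipfw's sequential rule walk and dummynet's flow mask,
# for checking rule order and pipe masks before loading them. Not ipfw code.
PIPE_MASK_HOST = 0xFFFFFFFF  # one dummynet queue per individual address
# Pipes as posted in the thread: 10 keyed by src-ip, 20 keyed by dst-ip
PIPES = {10: ("src", PIPE_MASK_HOST), 20: ("dst", PIPE_MASK_HOST)}

def flow_key(pkt, field, mask):
    """The masked address selects the dummynet queue the packet joins."""
    return int(ipaddress.IPv4Address(pkt[field])) & mask

def distinct_queues(addrs, mask):
    """True if every address gets its own queue under this mask."""
    keys = {int(ipaddress.IPv4Address(a)) & mask for a in addrs}
    return len(keys) == len(addrs)

def matches(rule, pkt):
    """A rule matches when every selector it names equals the packet's."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def walk(rules, pkt, one_pass=True):
    """Evaluate rules in number order; return (verdict, pipes_applied).
    one_pass=True  (sysctl one_pass=1): a matching pipe rule allows the packet.
    one_pass=False (one_pass=0): the packet continues at the next rule and a
    later allow/deny decides; the implicit rule 65535 is modelled as deny."""
    piped = []
    for rule in sorted(rules, key=lambda r: r["num"]):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "pipe":
            piped.append((rule["pipe"], flow_key(pkt, *PIPES[rule["pipe"]])))
            if one_pass:
                return "allow", piped
            continue  # one_pass=0: keep walking the ruleset
        return rule["action"], piped
    return "deny", piped

SHAPER_RULES = [  # rules 100 and 105 as posted in the thread
    {"num": 100, "action": "pipe", "pipe": 10,
     "match": {"proto": "tcp", "sport": 25, "dir": "in"}},
    {"num": 105, "action": "pipe", "pipe": 20,
     "match": {"proto": "tcp", "dport": 25, "dir": "out"}},
]
ALLOW_SMTP_OUT = {"num": 200, "action": "allow",  # hypothetical allow rule
                  "match": {"proto": "tcp", "dport": 25, "dir": "out"}}
# Constructed sample packets (documentation addresses, not real hosts)
OUT_PKT = {"proto": "tcp", "src": "198.51.100.1", "dst": "192.0.2.7",
           "sport": 40000, "dport": 25, "dir": "out"}
IN_PKT = {"proto": "tcp", "src": "192.0.2.7", "dst": "198.51.100.1",
          "sport": 25, "dport": 40000, "dir": "in"}
```

With one_pass=0 the inbound packet is piped by rule 100 but still falls through to the default deny, because rule 200 only covers the outbound direction; that is the case where an extra allow rule is required.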