From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
Organization: FreeBSD Brasil LTDA
Date: Tue, 28 Mar 2006 17:00:31 -0300
To: ipfw@freebsd.org
Subject: Re: Single machine traffic shaping
Message-ID: <442995DF.7060809@freebsdbrasil.com.br>
In-Reply-To: <20060328164150.C52489@trex.centroin.com.br>

> I.e: Is this correct, when trying to limit any single host to use
> just 128kbps/s when connecting to my sendmail?
>
> ipfw add 00100 pipe 10 tcp from any 25 to any in
> ipfw add 00105 pipe 20 tcp from any to any dst-port 25 out
>
> ipfw pipe 10 config mask src-ip 0xffffffff bw 128kbits/s
> ipfw pipe 20 config mask dst-ip 0xffffffff bw 128kbits/s

Yes, it will work as expected; try to get used to defining 0x000000ff as the mask for single hosts to avoid tunnelling per network by any mistake.

> Also, should those "add pipe" come before any other rule in the ipfw
> configuration?

It depends on "how" you are working your firewall. If it is the default behaviour, when the sequential processing matches the pipe rule it will be assumed as an allowed packet (as an "allow" rule). It is not true if you have your sysctl MIB net.inet.ip.fw.one_pass=0, where after being piped on dummynet the packet is still sequentially processed, so it needs a rule to match an "allow" decision. With this in mind, where you will put the rule depends on whether you need extra SMTP filtering before or after limiting bandwidth.

-- 
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
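The two mechanisms the reply relies on, the pipe "mask" that decides which packets share one bandwidth bucket and the net.inet.ip.fw.one_pass sysctl that decides whether rule processing stops at the pipe rule, can be modelled in a few lines. The following Python is an added toy model written for this thread; it is not FreeBSD or dummynet code, and the packet addresses, rule numbers and the simplified "dst_port only" matcher are constructed for illustration. It shows that mask 0xffffffff yields one queue per host, that a partial mask such as 0x000000ff groups every host sharing the masked octet into the same queue, and that with one_pass=0 a later deny rule can still drop a packet that already went through the pipe.

```python
"""Toy model of two dummynet/ipfw behaviours (constructed example, not FreeBSD code):
(1) a pipe's 'mask' selects which packets share one bandwidth queue;
(2) net.inet.ip.fw.one_pass decides whether the rule walk ends at the pipe rule."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    """IPv4 dotted-quad to the 32-bit integer dummynet masks against."""
    return int(ipaddress.IPv4Address(ip))


def flow_key(src: str, dst: str, src_mask: int = 0, dst_mask: int = 0) -> Tuple[int, int]:
    """dummynet creates one queue per distinct (src & src_mask, dst & dst_mask) value.
    A mask of 0 on a field means that field is ignored when choosing the queue."""
    return (ip_to_int(src) & src_mask, ip_to_int(dst) & dst_mask)


def queues_for(packets: List[Tuple[str, str]], src_mask: int = 0, dst_mask: int = 0
               ) -> Dict[Tuple[int, int], List[Tuple[str, str]]]:
    """Group (src, dst) packets into the queues a pipe with these masks would create.
    Each queue gets the pipe's full 'bw' to itself, so the number of queues is the
    number of independent 128kbit/s buckets in the thread's configuration."""
    groups: Dict[Tuple[int, int], List[Tuple[str, str]]] = {}
    for src, dst in packets:
        groups.setdefault(flow_key(src, dst, src_mask, dst_mask), []).append((src, dst))
    return groups


@dataclass
class Rule:
    number: int
    action: str                      # 'pipe', 'allow' or 'deny'
    dst_port: Optional[int] = None   # None matches any destination port (toy matcher)


def walk(rules: List[Rule], dst_port: int, one_pass: bool = True) -> Tuple[str, List[int]]:
    """Return (verdict, matched rule numbers) for a packet to dst_port.
    one_pass=True  (sysctl default 1): the first matching pipe rule ends the walk and
                   the packet is accepted after shaping, as the reply describes.
    one_pass=False (sysctl set to 0): after the pipe the packet continues with the
                   next rule, so a later deny still applies and an explicit allow is
                   needed to pass it."""
    matched: List[int] = []
    for r in rules:
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        matched.append(r.number)
        if r.action == 'pipe':
            if one_pass:
                return 'allow', matched
            continue
        return r.action, matched
    return 'deny', matched   # ipfw's implicit default when nothing matched


# Constructed sample traffic: three SMTP clients talking to one mail server.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.1"),
    ("192.0.2.11", "198.51.100.1"),
    ("203.0.113.10", "198.51.100.1"),   # shares last octet with 192.0.2.10
]

# Constructed ruleset mirroring the thread: pipe on port 25, then a stricter SMTP
# rule, then a catch-all allow.
SAMPLE_RULES = [
    Rule(100, 'pipe', dst_port=25),
    Rule(200, 'deny', dst_port=25),
    Rule(65000, 'allow'),
]

if __name__ == "__main__":
    for mask in (0xffffffff, 0x000000ff, 0x0):
        print(f"src-ip mask {mask:#010x}: {len(queues_for(SAMPLE_PACKETS, src_mask=mask))} queue(s)")
    for one_pass in (True, False):
        print(f"one_pass={int(one_pass)} port 25 ->", walk(SAMPLE_RULES, 25, one_pass))
```

Run it to see the queue counts per mask and the two verdicts; in the toy ruleset the packet to port 25 is accepted at rule 100 when one_pass is 1 and dropped by rule 200 when one_pass is 0, which is exactly why the placement of the pipe rule relative to any further SMTP filtering matters.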