From: Marcelo Souza <mpsouza@centroin.com.br>
To: Patrick Tracanelli
Cc: ipfw@freebsd.org
Date: Wed, 29 Mar 2006 13:09:13 -0300 (BRT)
Subject: Re: Single machine traffic shaping
Message-ID: <20060329130847.E4053@trex.centroin.com.br>
In-Reply-To: <442995DF.7060809@freebsdbrasil.com.br>
References: <20060328164150.C52489@trex.centroin.com.br> <442995DF.7060809@freebsdbrasil.com.br>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>

Patrick,

Thank you!

- Marcelo Souza

On Tue, 28 Mar 2006, Patrick Tracanelli wrote:

|> I.e: Is this correct, when trying to limit any single host to use just
|> 128kbps/s when connecting to my sendmail?
|>
|> ipfw add 00100 pipe 10 tcp from any 25 to any in
|> ipfw add 00105 pipe 20 tcp from any to any dst-port 25 out
|>
|> ipfw pipe 10 config mask src-ip 0xffffffff bw 128kbits/s
|> ipfw pipe 20 config mask dst-ip 0xffffffff bw 128kbits/s
|
|Yes, it will work as expected. Try to get used to defining 0x000000ff as the
|mask for single hosts, to avoid tunnelling per network by mistake.
|
|> Also, should those "add pipe" come before any other rule in the ipfw
|> configuration?
|
|It depends on "how" you are working your firewall. If it is the default
|behaviour, when the sequential processing matches the pipe rule the packet
|will be treated as allowed (as with an "allow" rule). That is not true if you
|have the sysctl MIB net.inet.ip.fw.one_pass=0, where after being piped through
|dummynet the packet is still processed sequentially, so it needs a rule to
|match in order to reach an "allow" decision.
|
|With this in mind, where you put the rule depends on whether you need extra
|SMTP filtering before or after limiting bandwidth.
|
|--
|Patrick Tracanelli
|
|FreeBSD Brasil LTDA.
|(31) 3281-9633 / 3281-3547
|316601@sip.freebsdbrasil.com.br
|http://www.freebsdbrasil.com.br
|"Long live Hanin Elias, Kim Deal!"

- Marcelo
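The following is an added illustration written for this thread; it is not code from the list, from FreeBSD, or from either poster. It is a small Python model of the two mechanisms Patrick describes: how the `mask` on a dummynet pipe turns one pipe into a set of per-flow queues (each with its own bandwidth allotment), and how `net.inet.ip.fw.one_pass` decides whether rule processing stops at a matching `pipe` rule or resumes at the next rule. The sample packets, the rule numbers and the blocked host 10.0.0.9 are constructed for the example; the model covers only address masking and sequential rule walking, not dummynet's real scheduling.

```python
import ipaddress
from collections import defaultdict

# --- Part 1: what the 'mask' on a dummynet pipe does ------------------------

def flow_key(src_ip, dst_ip, src_mask=0, dst_mask=0):
    """Key of the dynamic queue a pipe would select for this packet.

    dummynet ANDs each address with the pipe's mask: a mask of 0 ignores the
    field (all traffic shares one queue), 0xffffffff keeps the whole address
    (one queue, hence one bandwidth allotment, per host), and a partial mask
    such as 0xffffff00 makes every host of a /24 share a single queue.
    """
    s = int(ipaddress.IPv4Address(src_ip)) & src_mask
    d = int(ipaddress.IPv4Address(dst_ip)) & dst_mask
    return (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)))


def queues_for(packets, src_mask=0, dst_mask=0):
    """Bytes that would land in each dynamic queue of one pipe."""
    totals = defaultdict(int)
    for src, dst, nbytes in packets:
        totals[flow_key(src, dst, src_mask, dst_mask)] += nbytes
    return dict(totals)


# Constructed sample traffic: (src, dst, bytes) of inbound SMTP packets.
PACKETS = [
    ("10.0.0.1", "192.0.2.10", 1500),
    ("10.0.0.2", "192.0.2.10", 1500),
    ("10.0.0.2", "192.0.2.10", 500),
    ("10.0.1.7", "192.0.2.10", 1000),
]

# --- Part 2: what net.inet.ip.fw.one_pass changes ---------------------------

def evaluate(rules, pkt, one_pass=True):
    """Walk an ordered rule list; each rule is (number, action, predicate).

    Returns (verdict, pipe actions hit).  With one_pass=1 (the default) the
    first matching 'pipe' rule ends the search: once dummynet has shaped the
    packet it is accepted.  With one_pass=0 the packet comes back from
    dummynet and resumes at the rule after the pipe rule, so a later allow
    or deny still decides its fate.
    """
    pipes = []
    for _number, action, match in rules:
        if not match(pkt):
            continue
        if action.startswith("pipe"):
            pipes.append(action)
            if one_pass:
                return "allow", pipes
            continue
        return action, pipes
    # Modelled as the stock final rule 65535 deny (assumption: kernel not
    # built with IPFIREWALL_DEFAULT_TO_ACCEPT).
    return "deny", pipes


def smtp_in(pkt):
    return pkt["proto"] == "tcp" and pkt["dport"] == 25 and pkt["dir"] == "in"


# Constructed ruleset: shape first, then a hypothetical per-host block,
# then the allow.  The blocked host 10.0.0.9 is made up for the example.
RULES = [
    (100, "pipe 10", smtp_in),
    (200, "deny", lambda p: p["src"] == "10.0.0.9" and smtp_in(p)),
    (300, "allow", smtp_in),
]


def verdicts(one_pass):
    """Decisions for two inbound SMTP packets and one non-SMTP packet."""
    pkts = {
        "blocked_host": {"src": "10.0.0.9", "proto": "tcp", "dport": 25, "dir": "in"},
        "normal_host":  {"src": "10.0.0.1", "proto": "tcp", "dport": 25, "dir": "in"},
        "http":         {"src": "10.0.0.1", "proto": "tcp", "dport": 80, "dir": "in"},
    }
    return {name: evaluate(RULES, p, one_pass) for name, p in pkts.items()}


if __name__ == "__main__":
    for mask in (0x00000000, 0xffffff00, 0xffffffff):
        print(f"src-ip mask {mask:#010x}: {queues_for(PACKETS, src_mask=mask)}")
    for one_pass in (True, False):
        print(f"one_pass={int(one_pass)}: {verdicts(one_pass)}")
```

Run it directly to see the two effects side by side: with `src-ip` mask 0xffffffff the three sending hosts get three separate queues, with 0xffffff00 the two 10.0.0.x hosts collapse into one shared queue, and with mask 0 everything shares one. In part 2, the deny at rule 200 only ever fires when `one_pass` is 0; with the default setting the packet that matched the pipe at rule 100 is accepted without rules 200 and 300 being consulted, which is exactly why the placement of filtering relative to the pipe rule matters.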