From: "Ari Suutari"
To: "Cy Schubert - ITSD Open Systems Group"
Subject: Re: IPFW & IPsec tunnel mode
Date: Mon, 18 Dec 2000 09:47:28 +0200
Message-ID: <011801c068c6$c585d6b0$0e05a8c0@intranet.syncrontech.com>

Hi,

I read them. But I think that the final solution cannot be "well, we will have a hole like this always since it cannot be fixed".

I wasn't saying that I want a network interface device like 'tun', I just wanted something similar that could be used with ipfw to more accurately specify filters. Why couldn't we have something like:

(imagine that a new option -n has been added to setkey's spdadd)

    setkey -c << ZZZ
    spdadd xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy any -n my-tunnel-1 -P in ipsec esp/tunnel/aaa-bbb/require;
    ZZZ

and then (imagine that a new keyword via-ipsec-tunnel has been added to ipfw)

    ipfw pass ip from any to any via-ipsec-tunnel my-tunnel-1

I think that this would just be, well, GREAT! It would allow very easy creation of VPNs with simple rules and without any holes.

        Ari S.
----- Original Message -----
From: "Cy Schubert - ITSD Open Systems Group"
To: "Ari Suutari"
Sent: 16 December 2000 13:24
Subject: Re: IPFW & IPsec tunnel mode

> In message <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>, "Ari Suutari" writes:
> > However, pipsecd only supports fixed keys and Kame seems more
> > like the future way to go. Would it be possible to enhance ipfw & kame
> > to work together better in the same way (like having some kind of name for
> > each tunnel and allowing an ipfw rule to use them in a similar way as
> > 'via' is used with interfaces)?
>
> Check the -security archives. This was just discussed about a month
> ago. In that thread a KAME developer explained why it cannot be
> accomplished.
>
>
> Regards,                       Phone:    (250)387-8437
> Cy Schubert                    Fax:      (250)387-5766
> Team Leader, Sun/Alpha Team    Internet: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD, ISTA
> Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: "Nicolai Petri"
Subject: Bandwidth limitation (Is it possible to...)
Date: Mon, 18 Dec 2000 14:57:44 +0100
Message-ID: <00bb01c068fa$7fbc3f50$8632a8c0@atomic.dk>

Hi All,

I've a quick question about bandwidth limitation. If I have a 100Mbit ethernet link to a 34Mbit internet provider and I want to limit some services' bandwidth to (1Mbit + remaining free bandwidth). Is that possible?

---
Nicolai Petri


From: "Nicolai Petri"
To: "Chris Given"
Subject: Re: Bandwidth limitation (Is it possible to...)
Date: Mon, 18 Dec 2000 18:02:03 +0100
Message-ID: <014101c06914$3ef79810$8632a8c0@atomic.dk>
References: <20BE73C28363D4118F5000500468CB4E040642@EXCHANGE>

> Why would you ever want to do that? That would be the same as no bandwidth
> limit

Not exactly. I wish to allow almost unlimited http access to everyone but limit the amount of news/ftp traffic used.
But it would be fair to allow possible free bandwidth to be used for those who run news/ftp.

---
Nicolai


From: Luigi Rizzo
To: nicolai@petri.cc (Nicolai Petri)
Cc: term@rmci.net, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Bandwidth limitation (Is it possible to...)
Date: Mon, 18 Dec 2000 09:23:57 -0800 (PST)
Message-Id: <200012181723.eBIHNvZ58950@iguana.aciri.org>
In-Reply-To: <014101c06914$3ef79810$8632a8c0@atomic.dk> from Nicolai Petri at "Dec 18, 2000 6:02:03 pm"

>
> > Why would you ever want to do that? That would be the same as no bandwidth
> > limit
>
> Not exactly. I wish to allow almost unlimited http access to everyone but
> limit the amount of news/ftp traffic used. But it would be fair to allow
> possible free bandwidth to be used for those who run news/ftp.

You can use the WF2Q+ feature in dummynet in 4.2 and CURRENT. See

    http://www.iet.unipi.it/~luigi/ip_dummynet/

for more detailed instructions.

The way to act would be to pass news/ftp traffic through a queue with low weight (say 1..5) and the rest of the traffic through a queue with a weight which is 20 times larger.
Then you link the queues to a pipe with a bw of 25-30 Mbit (to account for packet header overhead).

cheers
luigi

----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------
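Luigi's answer rests on a property of weighted fair queueing that the thread itself does not spell out: a WF2Q+ weight is a share under contention, not a cap, so the news/ftp queue is only held to its small share while the http queue is also backlogged, and gets the whole pipe whenever http is idle. That is exactly Nicolai's "1 Mbit + remaining free bandwidth". The Python script below is an added example, not code from the mailing-list thread or from dummynet: it computes the weighted max-min fair share (the steady-state allocation a work-conserving weighted scheduler converges to) for a 30 Mbit pipe with weights 1 and 20 under three offered loads. The flow names and demands are constructed for illustration, and the ipfw rule set in the docstring is the author of this example's recollection of 4.2-era syntax, to be checked against ipfw(8) on the target system.

```python
"""Weighted max-min fair share of a dummynet pipe, as an added illustration.

Added example, not code from the mailing-list thread or from dummynet.  It
models the effect of the queue/pipe arrangement Luigi describes, which in
4.2-era ipfw syntax would look roughly like this (check ipfw(8) before use):

    ipfw pipe 1 config bw 30Mbit/s          # shared pipe, below the 34 Mbit uplink
    ipfw queue 1 config pipe 1 weight 1     # news/ftp: low weight
    ipfw queue 2 config pipe 1 weight 20    # everything else: 20x the weight
    ipfw add queue 1 tcp from any to any 20,21,119 out
    ipfw add queue 2 ip from any to any out

A WF2Q+ scheduler is work-conserving: a weight is a share under contention,
not a cap, so a queue whose competitor is idle can use the whole pipe.
"""

EPS = 1e-9


def weighted_max_min_share(capacity, flows):
    """Allocate `capacity` among flows by weighted max-min fairness.

    flows maps a name to (weight, demand).  Progressive filling: raise the
    per-unit-weight level until some flow's demand is met, freeze that flow,
    return what it did not use to the pool, repeat.  Returns name -> allocation.
    """
    alloc = {name: 0.0 for name in flows}
    remaining = float(capacity)
    active = {name for name, (_, demand) in flows.items() if demand > 0}
    while active and remaining > EPS:
        total_weight = sum(flows[name][0] for name in active)
        level = remaining / total_weight  # bandwidth per unit of weight
        satisfied = {
            name for name in active
            if flows[name][1] - alloc[name] <= level * flows[name][0] + EPS
        }
        if not satisfied:
            # Everyone still wants more than its share: split by weight and stop.
            for name in active:
                alloc[name] += level * flows[name][0]
            break
        for name in satisfied:
            # A flow wanting less than its share gets exactly its demand; the
            # share it leaves unused goes back into the pool for the next round.
            give = flows[name][1] - alloc[name]
            alloc[name] += give
            remaining -= give
            active.discard(name)
    return alloc


def guaranteed_floor(capacity, weight, total_weight):
    """Worst-case share of one queue when every queue is backlogged."""
    return capacity * weight / total_weight


def scenarios(pipe_mbit=30.0, news_weight=1, http_weight=20):
    """Three constructed loads against the pipe; returns label -> {flow: Mbit/s}."""
    return {
        "both saturated": weighted_max_min_share(
            pipe_mbit, {"news_ftp": (news_weight, 100.0), "http": (http_weight, 100.0)}),
        "http nearly idle": weighted_max_min_share(
            pipe_mbit, {"news_ftp": (news_weight, 100.0), "http": (http_weight, 5.0)}),
        "http below its share": weighted_max_min_share(
            pipe_mbit, {"news_ftp": (news_weight, 100.0), "http": (http_weight, 28.0)}),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        shares = ", ".join(f"{k}={v:.2f} Mbit/s" for k, v in sorted(result.items()))
        print(f"{label:22s} {shares}")
    print(f"news/ftp floor under full load: {guaranteed_floor(30.0, 1, 21):.2f} Mbit/s")
```

With both queues saturated, news/ftp is held to 30/21, about 1.4 Mbit/s, and http takes the rest; with http offering only 5 Mbit/s, news/ftp gets the remaining 25 Mbit/s. Pick the low weight so that capacity * weight / total_weight lands near the floor you want to guarantee, and size the pipe below the physical uplink, as Luigi suggests, so that the dummynet scheduler rather than the provider's link is the bottleneck.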