From: Andy Firman
To: freebsd-questions@freebsd.org
Date: Tue, 26 Apr 2005 23:08:22 -0400
Subject: any problems using dummynet as a module?
Message-ID: <20050427030822.GA40660@sockeye.firmanix.com>

I need to traffic shape a remote box that runs IPF, and I have taken
the time to learn to use IPFW with dummynet, and also that I can run
IPFW wide open as IPF is the firewall.

The box is 5.4 stable (generic) and I can't get around doing a reboot,
from all the testing I have done. Must reboot unfortunately.
Loading the ipfw.ko and/or the dummynet.ko with kldload locks me out
of an identical test box which is bad news for me. This box is in a
colo center with just one ethernet interface.

So my procedure works, but I am wondering if I should just suck it up
and compile all this stuff into the kernel, or if my procedure below
is somewhat safe? (it works, but I am looking for any hidden issues?)

========================================================
1. Add this to /boot/loader.conf

   dummynet_load="YES"

2. Add this to rc.conf:

   firewall_enable="YES"
   firewall_quiet="YES"
   firewall_logging="YES"
   firewall_script="/etc/ipfw.rules"

3. Edit /etc/ipfw.rules with these entries:

------------------------------------------------
ipfw -q -f flush
ipfw -q add 100 pass all from any to any via lo0
ipfw -q add 200 deny all from any to 127.0.0.0/8
ipfw -q add 300 deny ip from 127.0.0.0/8 to any
ipfw -q add 65000 pass all from any to any
ipfw -q add 1 pipe 1 ip from any to any out xmit ed0
ipfw -q pipe 1 config bw 128kbits/s
-------------------------------------------------

REBOOT

...and the rate limiting works and I can also change the speed
on the fly which is a good thing....
========================================================

Thanks for any comments!
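
An added example, not part of the original message: an offline pre-reboot check of a rules script like the one in step 3. It prints the rules in the order ipfw evaluates them (by rule number, not file order) and checks for a catch-all pass rule and for unconfigured pipes. The function names are hypothetical and the sample input is the ruleset quoted above.

```sh
#!/bin/sh
# Added example (not the poster's code): offline lint for an ipfw rules script.

# Constructed sample: the /etc/ipfw.rules entries quoted in the message.
sample_rules() {
cat <<'EOF'
ipfw -q -f flush
ipfw -q add 100 pass all from any to any via lo0
ipfw -q add 200 deny all from any to 127.0.0.0/8
ipfw -q add 300 deny ip from 127.0.0.0/8 to any
ipfw -q add 65000 pass all from any to any
ipfw -q add 1 pipe 1 ip from any to any out xmit ed0
ipfw -q pipe 1 config bw 128kbits/s
EOF
}

# Read a rules script on stdin; print "<number> <rule body>" for each "add"
# line, sorted by rule number (ipfw's evaluation order, not file order).
eval_order() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "add") break
        if (i < NF && $(i + 1) ~ /^[0-9]+$/) {
            out = $(i + 1)
            for (j = i + 2; j <= NF; j++) out = out " " $j
            print out
        }
    }' | sort -n -k1,1
}

# Succeed only if some rule accepts all traffic with no interface or address
# qualifier, so packets do not fall through to ipfw's default rule 65535.
has_catch_all() {
    eval_order |
        grep -E '^[0-9]+ (allow|accept|pass|permit) (all|ip) from any to any$' >/dev/null
}

# Print pipe numbers that a rule refers to but no "pipe N config" line sets up.
unconfigured_pipes() {
    awk '{
        for (i = 1; i < NF; i++) if ($i == "pipe" && $(i + 1) ~ /^[0-9]+$/) {
            if ($(i + 2) == "config") cfg[$(i + 1)] = 1; else ref[$(i + 1)] = 1
        }
    } END { for (p in ref) if (!(p in cfg)) print p }'
}

# Demo on the constructed sample: rule 1 (the pipe) is listed first.
sample_rules | eval_order
sample_rules | has_catch_all && echo "catch-all pass rule: present"
```

To check a real file, pipe it in: `eval_order < /etc/ipfw.rules`.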