From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 7 14:23:34 2008
Date: Fri, 7 Mar 2008 16:23:33 +0200
From: "Adrian Penisoara"
Sender: ady@ady.ro
To: "Anders Häggström"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Dummynet/ipfw-rules to limit bandwidth based on IP
Message-ID: <78cb3d3f0803070623j516197fn41e33ad8219efa98@mail.gmail.com>
In-Reply-To: <1a5a68400803070454s2622a5cenc6e37462528c51b@mail.gmail.com>
List-Id: IPFW Technical Discussions

Hi,

On Fri, Mar 7, 2008 at 2:54 PM, Anders Häggström <hagge.lists@intercorner.net> wrote:

> Hello list!
>
> I have tried to solve this configuration issue for a time now but
> without success, so I'm asking if anyone can help me with an
> example ruleset or point me to some good documentation that describes
> this type of setup.
>
> My scenario is a webserver at 10 MBit/s with httpd service, ftp service
> and ssh service, and I want to limit the bandwidth to 1 MBit/s inbound
> and 1 MBit/s outbound per IP address that is connected, no matter what
> service/port they use and no matter how many connections that IP has
> occupied, so that one visitor/user does not eat up all my bandwidth if
> he/she has more bandwidth available than my server.

That's exactly what the ipfw pipe/queue + mask syntax is for. The mask
parameter will allow filtering based on various specifiers like dst-ip,
src-ip, dst-port, src-port, proto, etc. Check the ipfw(8) manual page.

> An example is that "user1" connects to three different websites hosted
> on my webserver and downloads one release image (large file, outbound)
> and "user2" is uploading a file by ftp to the server (large file,
> inbound) and "user3" is downloading a large file by ftp (outbound) and
> at the same time uploading another large file by scp/ssh (inbound). In
> my scenario the three users will load my server with a maximum of
> 1 Mbit/s each per direction. In this example a total of 2 MBit/s inbound
> and a total of 2 MBit/s outbound even if some of the users have
> 100 MBit/s available at their ISP.

I guess the following should do the job:

  ipfw add pipe 1 ip from any to me in
  ipfw add pipe 2 ip from me to any out
  ipfw pipe 1 config mask src-ip 0xffffffff bw 1Mbit/s
  ipfw pipe 2 config mask dst-ip 0xffffffff bw 1Mbit/s

A pretty similar example is found even in ipfw(8) -- it's always best to
check the manual at the Examples section :).

A more complicated setup would have been to get a fixed bandwidth limit
for the entire traffic and force the users to fairly share the bandwidth
between themselves (with the same per-IP masking).
That would require connecting dynamic (masked) queues to a single pipe.

Regards,
Adrian Penisoara
ROFUG / EnterpriseBSD
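Both setups from the reply above, the per-host hard cap and the shared pipe with dynamic queues, written out as one rc-style sh script. This is an added example, not part of the original thread or of FreeBSD's own rc.firewall; the pipe, queue and rule numbers, the 10 Mbit/s total link rate, the 50 KByte queue depths and the IPFW variable are all illustrative assumptions. The rule syntax (`ip` protocol keyword, `mask src-ip`/`dst-ip`, `queue N config pipe M weight W`) is standard ipfw(8).

```shell
#!/bin/sh
# Added example, not from the original thread: the two dummynet setups
# described in the reply, as a dry-run-capable rc-style script for FreeBSD.
# Assumptions: pipe/queue/rule numbers, the 10 Mbit/s total link rate,
# the 50 KByte queue depths and the IPFW variable are all illustrative.
set -eu

# Path to ipfw; set IPFW=echo to print the commands instead of loading them.
IPFW="${IPFW:-/sbin/ipfw}"

# Setup A: a hard 1 Mbit/s cap per remote host, each direction independent.
# "mask src-ip 0xffffffff" keys the inbound pipe on the full 32-bit source
# address, so every client gets its own dynamic pipe instance; outbound is
# keyed on dst-ip, which is the same client seen from the other side.
# A shorter mask such as 0x000000ff (the LAN example in ipfw(8)) would make
# unrelated Internet hosts with the same last octet share one pipe.
per_ip_cap_rules() {
	cat <<'EOF'
pipe 1 config mask src-ip 0xffffffff bw 1Mbit/s queue 50KBytes
pipe 2 config mask dst-ip 0xffffffff bw 1Mbit/s queue 50KBytes
add 100 pipe 1 ip from any to me in
add 110 pipe 2 ip from me to any out
EOF
}

# Setup B: a fixed total (the 10 Mbit/s uplink) shared fairly by whoever is
# active. One pipe per direction carries the total; dynamic queues keyed on
# the per-host mask, all with the same weight, attach to that pipe, so the
# WF2Q+ scheduler splits the pipe evenly between active hosts while a lone
# client can still use the whole link.
fair_share_rules() {
	cat <<'EOF'
pipe 3 config bw 10Mbit/s
pipe 4 config bw 10Mbit/s
queue 1 config pipe 3 weight 10 mask src-ip 0xffffffff
queue 2 config pipe 4 weight 10 mask dst-ip 0xffffffff
add 200 queue 1 ip from any to me in
add 210 queue 2 ip from me to any out
EOF
}

# Feed each line to ipfw as one command; word splitting of $line is intended.
# The "add" rules must be numbered below any blanket "allow ip from any to
# any" already in the set, or packets are accepted before reaching the pipe.
# With the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe or
# queue is not re-evaluated against later rules, so put any deny/check-state
# rules you still want applied before these, or set one_pass=0.
apply_rules() {
	while read -r line; do
		# shellcheck disable=SC2086
		$IPFW $line
	done
}

case "${1:-}" in
	cap)  per_ip_cap_rules | apply_rules ;;
	fair) fair_share_rules | apply_rules ;;
	*)    per_ip_cap_rules; fair_share_rules ;;   # no argument: just print
esac
```

Run `sh shape.sh cap` or `sh shape.sh fair` as root to load one of the two sets; `IPFW=echo sh shape.sh fair` shows what would be executed without touching the live ruleset, and `ipfw pipe show` / `ipfw queue show` afterwards list the dynamic per-host instances as they are created.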