Date:      Fri, 7 Mar 2008 16:23:33 +0200
From:      "Adrian Penisoara" <ady@freebsd.ady.ro>
To:        "Anders Häggström" <hagge.lists@intercorner.net>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Dummynet/ipfw-rules to limit bandwidth based on IP
Message-ID:  <78cb3d3f0803070623j516197fn41e33ad8219efa98@mail.gmail.com>
In-Reply-To: <1a5a68400803070454s2622a5cenc6e37462528c51b@mail.gmail.com>
References:  <1a5a68400803070454s2622a5cenc6e37462528c51b@mail.gmail.com>

Hi,

On Fri, Mar 7, 2008 at 2:54 PM, Anders Häggström <hagge.lists@intercorner.net> wrote:

> Hello list!
>
> I have tried to solve this configuration-issue for a time now but
> without success,  so I'm asking if anyone can help me with an
> example-ruleset or point me to some good documentation that describe
> this type of setup.
>
> My scenario is a webserver at 10MBit/s with httpd-service, ftp-service
> and ssh-service and I want to limit the bandwidth to 1MBit/s inbound
> and 1MBit/s outbound per IP-address that is connected no matter what
> service/port they use and no matter how many connections that IP has
> occupied so that one visitor/user does not eat up all my bandwidth if
> he/she has more bandwidth available than my server.


That's exactly what the ipfw pipe/queue + mask syntax is for. The mask
parameter will allow filtering based on various specifiers like dst-ip,
src-ip, dst-port, src-port, proto, etc. Check the ipfw(8) manual page.


>
>
> An example is that "user1" connects to three different websites hosted
> on my webserver and download one release-image (large file, outbound)
> and "user2" is uploading a file by ftp to the server (large file,
> inbound) and "user3" is downloading a large file by ftp (outbound) and
> at the same time uploading another large file by scp/ssh (inbound). In
> my scenario the three users will load my server with a maximum of
> 1Mbit/s each per direction. In this example a total of 2MBit/s inbound
> and a total of 2MBit/s outbound even if some of the users have
> 100MBit/s available at their ISP.
>

I guess the following should do the job:

# inbound traffic to this host goes through pipe 1 (rule body needs a protocol, hence "ip")
ipfw add pipe 1 ip from any to me in
# outbound traffic from this host goes through pipe 2
ipfw add pipe 2 ip from me to any out
# mask 0xffffffff = one dynamic pipe per remote /32; src-ip is the remote host on inbound
ipfw pipe 1 config mask src-ip 0xffffffff bw 1Mbit/s
# dst-ip is the remote host on outbound
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1Mbit/s

A pretty similar example is found even in ipfw(8) -- it's always best to
check the manual at the Examples section :).

A more complicated setup would have been to get a fixed bandwidth limit for
the entire traffic and force the users to fairly share the bandwidth between
themselves (with the same per-IP masking). That would require connecting
dynamic (masked) queues to a single pipe.

Regards,
Adrian Penisoara
ROFUG / EnterpriseBSD
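The two setups discussed in the reply, written out as an added example (this is not the poster's script nor anything from the FreeBSD project): a POSIX sh script that emits the per-IP pipe ruleset from the reply and the fair-share variant it only sketches (one fixed pipe per direction with per-IP dynamic queues of equal weight attached to it). Rule numbers, pipe/queue numbers, the weight and the bandwidth figures are assumptions. With DRY_RUN=1 (the default) the ipfw commands are printed rather than executed, so the ruleset can be reviewed on any machine; unset it on the FreeBSD host to apply them. One caveat for the real deployment: with the default sysctl net.inet.ip.fw.one_pass=1 a packet leaving a pipe or queue is accepted and not evaluated against later rules, so any filtering rules must be numbered before these dummynet rules.

```shell
#!/bin/sh
# Added example, not from the original message. Generates ipfw/dummynet rules
# for per-IP rate limiting. Rule/pipe/queue numbers and bandwidths are assumed.

DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Variant 1 (what the reply proposes): one dynamic pipe per remote address,
# each capped at $1 in each direction. mask 0xffffffff means one flow per /32.
# src-ip is the remote host on inbound traffic, dst-ip on outbound traffic.
per_ip_pipes() {
    per_ip_bw="$1"
    run ipfw add 100 pipe 1 ip from any to me in
    run ipfw add 110 pipe 2 ip from me to any out
    run ipfw pipe 1 config mask src-ip 0xffffffff bw "$per_ip_bw"
    run ipfw pipe 2 config mask dst-ip 0xffffffff bw "$per_ip_bw"
}

# Variant 2 (the "more complicated setup" in the reply): a fixed cap for the
# whole link ($1 per direction) with per-IP dynamic queues of equal weight
# hanging off it, so active hosts share the cap fairly (WF2Q+) instead of each
# getting a fixed slice. Pipes 3/4 are used so both variants can coexist.
fair_share_queues() {
    total_bw="$1"
    run ipfw add 200 queue 1 ip from any to me in
    run ipfw add 210 queue 2 ip from me to any out
    run ipfw pipe 3 config bw "$total_bw"
    run ipfw pipe 4 config bw "$total_bw"
    run ipfw queue 1 config pipe 3 weight 10 mask src-ip 0xffffffff
    run ipfw queue 2 config pipe 4 weight 10 mask dst-ip 0xffffffff
}

# Usage: ./limit.sh per-ip [bw]   or   ./limit.sh fair [total-bw]
case "${1:-}" in
    per-ip) per_ip_pipes "${2:-1Mbit/s}" ;;
    fair)   fair_share_queues "${2:-10Mbit/s}" ;;
esac
```

In the fair-share variant the weight is only relative: all queues get the same weight, so whichever hosts are active at a given moment split the pipe's bandwidth evenly, and a single active host gets the whole 10Mbit/s rather than being held to 1Mbit/s.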



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?78cb3d3f0803070623j516197fn41e33ad8219efa98>