From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 21 01:51:55 2005
Message-ID: <435849B9.8040509@foxchat.net>
Date: Thu, 20 Oct 2005 21:51:53 -0400
From: Daemon
To: freebsd-ipfw@freebsd.org
Subject: ipfw firewall help

I'm trying to build a firewall from scratch using man ipfw and what I can find on the net. I'm doing bandwidth shaping, and I'm not quite sure where it goes as far as rule numbers. From what I can see, it matters, and I'd like to do it right. I'm using an OPEN firewall with NATD because I'm on cable broadband with a static IP. Here is what I have.
00010    52    2446 pipe 1 ip from 172.16.140.0/24 to any xmit re0
00020     0       0 pipe 2 ip from any to 172.16.140.0/24 recv re0
00050   274   24955 divert 8668 ip from any to any via re0
00100    50    5642 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65535  4658  547779 allow ip from any to any

The actual rule set for the bandwidth shaping is:

# Traffic Shaping.
#
oif="re0"               # ${oif} Public Interface.
#
iif="re1"               # ${iif} Internal nic.
#
iip="172.16.140.0/24"   # ${iip}
${fwcmd} add 10 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
${fwcmd} add 20 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes

I've found lots of stuff on "how" to set it up, but I can't seem to find anything on where the rules go. Any help would be greatly appreciated.

Regards,
Mark
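The following is an added example illustrating the rule-ordering question in the post above; it is not Mark's script and not a reply from the list. Two properties of ipfw decide where dummynet pipes go relative to a natd divert: rules are evaluated in ascending number order, and with net.inet.ip.fw.one_pass=1 (the default) a packet handed to a pipe is not run through the remaining rules at that hook. A pipe numbered below the divert therefore sends outbound LAN packets to the wire without translation, and an inbound rule keyed on the private destination (like rule 20 in the listing, which shows zero matches) cannot match before natd has rewritten the destination. The script below puts the divert first and the pipes after it, keeping the post's variable names, interfaces, network and natd port; the rule numbers are chosen here. It prints the commands by default and only invokes ipfw when APPLY=1 is set, so it can be read and checked on any system.

```shell
#!/bin/sh
# Added example (not the original poster's rule set): ordering ipfw rules so
# that natd and dummynet shaping cooperate. Interface names, network and the
# natd divert port are taken from the post; rule numbers are assumptions.

oif="re0"                # public interface (from the post)
iif="re1"                # internal NIC (from the post; not matched on here)
iip="172.16.140.0/24"    # internal network (from the post)

# Dry run unless APPLY=1: print the ipfw commands instead of loading them.
if [ "${APPLY:-0}" = "1" ]; then
    fwcmd="/sbin/ipfw -q"
else
    fwcmd="echo ipfw -q"
fi

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} pipe flush
    # Loopback rules exactly as in the post's open firewall.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # NAT first. natd re-injects the translated packet at the next rule, so
    # everything after 400 sees the public source on the way out and the
    # private destination on the way in. Placing a pipe before this rule
    # would, with one_pass=1, let outbound LAN packets bypass natd.
    ${fwcmd} add 400 divert 8668 ip from any to any via ${oif}
    # Upstream: after NAT the source is the public address, so key the
    # pipe on direction and interface rather than on ${iip}.
    ${fwcmd} add 500 pipe 1 ip from any to any out xmit ${oif}
    # Downstream: after NAT the destination is the private network again.
    ${fwcmd} add 510 pipe 2 ip from any to ${iip} in recv ${oif}
    ${fwcmd} pipe 1 config bw 35Kbit/s queue 40Kbytes
    ${fwcmd} pipe 2 config bw 4000Kbit/s queue 40Kbytes
    ${fwcmd} add 65000 allow ip from any to any
}

# Print the rule list as plain "ipfw ..." lines without touching the kernel,
# regardless of APPLY; used by the ordering check below.
emit_rules() {
    ( fwcmd="echo ipfw"; load_rules )
}

# Return 0 when the divert rule is numbered below the first pipe rule in the
# emitted list (the ordering argued for above), 1 otherwise.
divert_before_pipes() {
    divert_no=$(emit_rules | awk '$2 == "add" && $4 == "divert" { print $3; exit }')
    first_pipe=$(emit_rules | awk '$2 == "add" && $4 == "pipe" { print $3; exit }')
    [ -n "$divert_no" ] && [ -n "$first_pipe" ] && [ "$divert_no" -lt "$first_pipe" ]
}

load_rules
if divert_before_pipes; then
    echo "ok: natd divert precedes every pipe rule"
fi
```

The post's pipe configs used per-/24 masks; with a single internal network they create one queue each, so they are dropped here. If per-host queues are wanted upstream, the outbound pipe can no longer be keyed on private addresses after NAT and would instead be matched on the internal interface (`in recv ${iif}`); that still works with one_pass=1 because the later output pass on ${oif}, where the divert lives, is a separate run through the rules.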