From: luc wastiaux
To: freebsd-questions@freebsd.org
Date: Fri, 4 Jan 2002 11:19:30 +0100
Subject: dummynet and NAT redirection
Message-ID: <20020104111930.A23320@kenny.epita.fr>
User-Agent: Mutt/1.2.5i

Hello,

I have a webserver behind a NAT/firewall box, and I would like to restrict the upstream bandwidth used by this webserver. I have a kernel configured with ipfw and dummynet. What is unclear to me is where I should insert the pipe rule. I know very little about networks in general, and all my attempts were unsuccessful.

Here is my ruleset. Where would be the correct place to insert the pipe rule?

    # Firewall rules
    # Written by Marc Silver (marcs@draenor.org)
    # http://draenor.org/ipfw
    # Freely distributable

    # Define the firewall command (as in /etc/rc.firewall) for easy
    # reference. Helps to make it easier to read.
    fwcmd="/sbin/ipfw"

    # Force a flushing of the current rules before we reload.
    $fwcmd -f flush

    # Divert all packets through the tunnel interface.
    $fwcmd add divert natd all from any to any via tun0

    # Allow all data from my network card and localhost. Make sure you
    # change your network card (mine was fxp0) before you reboot. :)
    $fwcmd add allow ip from any to any via lo0
    $fwcmd add allow ip from any to any via ed0
    $fwcmd add allow ip from any to any via ed1

    # Allow all connections that I initiate.
    $fwcmd add allow tcp from any to any out xmit tun0 setup

    # Once connections are made, allow them to stay open.
    $fwcmd add allow tcp from any to any via tun0 established

    # keep-state rules are needed for online games
    $fwcmd add allow tcp from any to any via tun0 out keep-state
    $fwcmd add allow udp from any to any via tun0 out keep-state
    $fwcmd add allow tcp from any to any 1024-65000 via tun0 in keep-state
    $fwcmd add allow udp from any to any 1024-65000 via tun0 in keep-state

    # Everyone on the internet is allowed to connect to the following
    # services on the machine. This example specifically allows connections
    # to ssh and apache and sendmail.
    $fwcmd add allow tcp from any to any 22 setup
    $fwcmd add allow tcp from any to any 80 setup
    $fwcmd add allow tcp from any to any 25 setup

    # This sends a RESET to all ident packets.
    $fwcmd add reset log tcp from any to any 113 in recv tun0

    # Allow outgoing DNS queries ONLY to the specified servers.
    $fwcmd add allow udp from any to 193.252.19.3 53 out xmit tun0
    $fwcmd add allow udp from any to 193.252.19.4 53 out xmit tun0

    # Allow them back in with the answers... :)
    $fwcmd add allow udp from 193.252.19.3 53 to any in recv tun0
    $fwcmd add allow udp from 193.252.19.4 53 to any in recv tun0

    # Allow ICMP (for ping and traceroute to work). You may wish to
    # disallow this, but I feel it suits my needs to keep them in.
    $fwcmd add allow icmp from any to any

    # Deny all the rest.
    $fwcmd add deny log ip from any to any

Thank you in advance.

-- 
-luc | wastia_l@epita.fr
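An added example, not the poster's ruleset and not a reply from the thread, showing one placement of the dummynet pipe that works alongside the natd divert: the pipe rule sits after NAT and matches the web server's replies by source port 80, so it does not depend on the private address that natd has already rewritten. It assumes tun0 is the uplink; the 128 Kbit/s cap, the queue size and the rule numbers are made-up values, and the function takes the ipfw command as an argument so the ordering can be checked with `echo` before anything is loaded into the kernel.

```shell
#!/bin/sh
# Added example (not the original poster's ruleset). Assumed: tun0 is the
# outside interface, the cap is 128 Kbit/s, rule numbers are arbitrary.
#
# Why after the divert: with the default net.inet.ip.fw.one_pass=1, a packet
# that leaves a pipe is accepted immediately and not re-injected into the
# ruleset. A pipe rule placed BEFORE "divert natd" would therefore send the
# reply out with its private source address, un-translated. After the divert
# the source address is already the public one, and matching on source port
# 80 still singles out the web server's replies.
load_rules() {
    fwcmd="$1"                   # /sbin/ipfw for real use, "echo" for a dry run
    rate="${2:-128Kbit/s}"       # upstream cap for web replies (assumed value)

    $fwcmd -f flush
    $fwcmd pipe flush

    # Shape the pipe: bandwidth cap plus a short queue (in packets) so a burst
    # is dropped instead of buffered indefinitely.
    $fwcmd pipe 1 config bw "$rate" queue 20

    # NAT first. Outbound packets come back from natd with the public source
    # address and continue at the next rule.
    $fwcmd add 100 divert natd all from any to any via tun0
    $fwcmd add 200 allow ip from any to any via lo0
    $fwcmd add 210 allow ip from any to any via ed0
    $fwcmd add 220 allow ip from any to any via ed1

    # Only the web server's replies (source port 80) leaving the uplink enter
    # the pipe; with one_pass=1 they are accepted once shaped, so nothing
    # below applies to them. Every other packet keeps walking the ruleset.
    $fwcmd add 300 pipe 1 tcp from any 80 to any out xmit tun0

    # Remainder of the original policy.
    $fwcmd add 400 allow tcp from any to any out xmit tun0 setup
    $fwcmd add 410 allow tcp from any to any via tun0 established
    $fwcmd add 500 allow tcp from any to any 80 setup
    $fwcmd add 65000 deny log ip from any to any
}

# Dry run, prints the rules in order without touching the kernel:
#   load_rules echo
# Real load:
#   load_rules /sbin/ipfw
```

Verify on the live box with `ipfw show` (the pipe rule number must be higher than the divert rule's) and `ipfw pipe 1 show` to see the pipe's counters climb while a download from the web server is running.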