Date: Wed, 25 Feb 2004 08:42:00 -0600
From: Nathan Kinkade <nkinkade@ub.edu.bz>
To: "Hugo (6s-gaming.com)" <admin@6s-gaming.com>
Cc: freebsd-questions@FreeBSD.org
Subject: [with additional question] Re: ipfw//dummynet question
Message-ID: <20040225144200.GC11671@nkinkade.bmp.ub>
In-Reply-To: <17699.212.113.164.104.1077688050.squirrel@mail.6s-gaming.com>
References: <17699.212.113.164.104.1077688050.squirrel@mail.6s-gaming.com>

On Wed, Feb 25, 2004 at 06:47:30AM +0100, Hugo (6s-gaming.com) wrote:
> Hi list,
>
> Say I want to limit the bandwidth from all inside my lan to the outside.
> I'd create the pipes and make 2 rules to pipe any traffic (in&out). My
> question is, would creating these 2 rules make all traffic be promptly
> accepted, or would they be accepted or blocked based on the rest of the
> ruleset? If they're accepted upon the pipe rule, how to make they be piped
> BUT only accepted if they match any of the rules on the ruleset? Do I need
> to create pipe rules for _everything_ ?
>
> Regards,
>
> Hugo

If I understand your question, you can have any number of rules that all
use a single pipe. For example, you could have something like:

    ipfw add pipe 1 ip from 10.0.0.0/24 to any dst-port 3333
    ipfw add pipe 1 ip from 10.0.0.0/24 to www.somedomain.com
    ipfw add pipe 1 ip from 10.0.1.50 to any

And maybe pipe 1 is configured as such:

    pipe 1 config bw 50Kbyte/s

This actually brings me to a question of my own. The ipfw manpage talks
about making sure to keep in mind that packets are checked both 'in' and
'out'. I see that some people have implemented bandwidth rules using 2
separate rules for in and out. I have a setup that uses a 'keep-state' on
a single 'in' rule and it seems to work fine. What is the effective or
functional difference between using two separate rules for in and out or
a single rule using a keep-state? Is one more efficient than another, or
would the two do totally different things?

Thanks,
Nathan

--
gpg --keyserver pgp.mit.edu --recv-keys D8527E49