From owner-freebsd-questions Fri Jan 4 10:12:27 2002
From: "Gerald T. Freymann" <freymann@eagle.ca>
To: freebsd-questions@freebsd.org
Date: Fri, 4 Jan 2002 13:13:18 -0500
Subject: Freebsd in bridge mode with dummynet + ipfw
Message-ID: <3C35AA6E.2785.F55512@localhost>

I have need to set up a FreeBSD box to act as a bridge where the main purpose is to limit bandwidth, but also filtering packets based on port numbers would be handy too.

I am recompiling the kernel now with

options BRIDGE
options DUMMYNET

and I have two network cards that are recognized and working fine.

I have set, in /etc/rc.conf

firewall_enable="YES"
firewall_type="open"

And adjusted the "open" section of rc.firewall as follows:

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

# If you're using 'options BRIDGE', uncomment the following line to
# pass ARP
#${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
    # Port filters must come before the pipe rules: with the default
    # net.inet.ip.fw.one_pass=1 a packet that matches a pipe rule leaves
    # the ruleset, so a deny placed after the pipes never matches.
    # this blocks Bearshare, Limewire
    ${fwcmd} add deny tcp from any to any 6346
    # this blocks Morpheus
    ${fwcmd} add deny tcp from any to any 1214
    ${fwcmd} add pipe 1 ip from any to any out
    ${fwcmd} add pipe 2 ip from any to any in
    ${fwcmd} pipe 1 config bw 1000Kbit/s
    ${fwcmd} pipe 2 config bw 1000Kbit/s
    ${fwcmd} add 65000 pass all from any to any
    ;;

And lastly, in /etc/sysctl.conf

net.link.ether.bridge=1
net.link.ether.bridge_ipfw=1
net.link.ether.bridge_cfg=vr0:0,xl0:0

I do have a 'live' IP number on just *one* of the NICs so we can telnet to the box and monitor from time to time.

I guess my questions are:

1) is this all there is to it? (gotta luv FreeBSD!)
2) are the firewall rules OK?

Yes, we're giving this client lots of up/down bandwidth but need to limit them as they've been using close to 3000Kbit/s!

Any feedback would be appreciated as this is my first time using FreeBSD in this configuration (although I've been using FreeBSD for about 6 years now).

gf

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
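As an added example (not the original poster's script and not from FreeBSD's rc.firewall), here is the "open" section for the bridge described above written as a stand-alone sh script. It assumes ipfw1 syntax as found in FreeBSD 4.x, the default net.inet.ip.fw.one_pass=1, the two interfaces vr0 and xl0 from the post, and the 1000Kbit/s pipes and port numbers the poster chose; the rule numbers 1000/1010/2000/2010 and the function names are my own. Run without arguments it prints the ruleset and checks the one ordering mistake that silently disables the port filters, a deny rule placed after the first pipe rule; run with "install" on a box that has ipfw it loads the rules.

```shell
#!/bin/sh
# Added example: ipfw + dummynet ruleset for a FreeBSD 4.x bridge that
# shapes traffic to 1000Kbit/s each way and blocks two P2P ports.
# Assumptions (not from the original post): one_pass=1 (the default),
# rule numbers 1000/1010/2000/2010, interfaces vr0 and xl0.

# Emit (or install) the ruleset. $1 is the command used to run each rule;
# pass "echo ipfw" to print the rules instead of loading them.
bridge_rules() {
    fwcmd=${1:-/sbin/ipfw}
    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # Bridged ARP frames are presented to ipfw as UDP port 2054 from 0.0.0.0;
    # pass them before the pipes so address resolution is never shaped.
    ${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0
    # Port filters go BEFORE the pipe rules. With net.inet.ip.fw.one_pass=1
    # a packet that matches a pipe rule leaves the ruleset after the pipe,
    # so a deny placed after the pipes would never be evaluated.
    ${fwcmd} add 1000 deny tcp from any to any 6346   # Bearshare, Limewire
    ${fwcmd} add 1010 deny tcp from any to any 1214   # Morpheus
    # Everything else is shaped, one pipe per direction.
    ${fwcmd} pipe 1 config bw 1000Kbit/s
    ${fwcmd} pipe 2 config bw 1000Kbit/s
    ${fwcmd} add 2000 pipe 1 ip from any to any out
    ${fwcmd} add 2010 pipe 2 ip from any to any in
    ${fwcmd} add 65000 pass all from any to any
}

# Lint a printed ruleset on stdin: exit 0 if every deny rule precedes the
# first pipe rule, exit 1 if a deny appears after a pipe (a dead rule).
check_order() {
    awk '/ add( [0-9]+)? pipe / && !seen { seen = 1 }
         / add( [0-9]+)? deny / && seen { bad = 1 }
         END { exit bad }'
}

# Stand-alone use: "sh bridge_fw.sh" prints and checks the rules;
# "sh bridge_fw.sh install" loads them with /sbin/ipfw.
case "${1:-}" in
    install) bridge_rules /sbin/ipfw ;;
    *)       bridge_rules "echo ipfw" | check_order && echo "ruleset order OK" ;;
esac
```

The port denies only catch connections to 6346/1214; if the client also serves those protocols on other ports the bridge cannot tell, so treat the bandwidth pipes, not the port list, as the control that actually holds.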