Date:      Tue, 17 Jul 2001 09:50:35 -0400 (EDT)
From:      Jason Borkowsky <jcborkow@tcpns.com>
To:        "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw pipe command
Message-ID:  <Pine.BSF.4.21.0107170947160.11890-100000@bemused.tcpns.com>
In-Reply-To: <178267014666.20010716195103@internethelp.ru>

Thank you for your response. After playing around with ipfw, I discovered
what the problem was:

I was trying various combinations of pipes, and it seems if you do not
delete your pipe (using ipfw pipe delete) before trying to recreate the
pipe, the pipe seems to go unused.

So, for example, when I update my firewall rules, I do an ipfw flush, and
then dump in the new rules. Now, instead, I have to do an ipfw pipe
delete, then an ipfw flush, and then dump in the new rules including the
new pipe.

> JB> I have a question about using pipes in ipfw and hope this is the right
> JB> forum to ask this question.
> 
> JB> I have a FreeBSD box connected to a DSL modem at Ethernet 802.3
> JB> (10Mb/s) half duplex connection. I am running ipfw on the box, and in
> JB> terms of filtering, NAT'ing, and port redirection, everything works fine.
> 
> JB> I decided I wanted to try to use piping to bandwidth limit certain types
> JB> of traffic. After reading the man pages and ipfw HOW-TO, I came up with
> JB> the following simple configuration:
> 
> JB> ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes
> JB> ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0
> 
> JB> So the first line creates a pipe that is limited to 5 Kb/s and has a queue
> JB> of 4Mbytes, which should limit traffic drops for large transfers.
> 
> JB> The next line creates a rule saying if the traffic is TCP, and is sourced
> JB> from my FreeBSD box of IP address x.x.x.x and the source port is in the
> JB> range of 41000-42000 and is being transmitted out my external interface
> JB> (fxp0), it should use this pipe.
> 
> JB> So now if I list the pipes, I see the following:
> 
> JB> #ipfw pipe list
> JB> 00010:  5.000 Kbit/s 0 ms 4 sl. 1 queues (1 buckets) droptail
> JB>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> JB> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> 
> 
> JB> So I have my pipe at 5Kb/s, but it doesn't look like it is being used. I
> JB> then set up a test connection, use an external sniffer (SnifferPro) and
> JB> monitor my traffic sessions. However, any tcp traffic in the range of
> JB> 41000-42000 that is being transmitted from my machine out that interface
> JB> is not being slowed to 5Kb/s, and is just grabbing all available bandwidth
> JB> (11,000 to 16,000 KBYTES/s). Can anyone that uses pipes tell me what I did
> JB> wrong or how to better troubleshoot this? Thanks!

> Try `ipfw show' to see if the traffic really does hit the pipe. Check
> your rc.firewall file to see if you have any rules that apply to such
> traffic (i.e. ipfw add pass tcp from x.x.x.x 41000-42000 to any out
> xmit fxp0) _before_ your "pipe" rule.
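
Added example, not part of the original e-mail thread or of FreeBSD itself: a shell helper that applies the `ipfw show` check suggested above by reading the listing (rule number, packet count, byte count, rule body) and reporting whether each pipe rule has matched any packets. The function names `check_pipe_rules` and `sample_show`, the sample listing and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Reads `ipfw show` output on stdin and prints one line per pipe rule:
#   ACTIVE  - the rule has matched packets, so traffic reaches the pipe
#   UNUSED  - zero counters; lists earlier terminating rules that did match
#             traffic, as candidates to inspect (they may or may not cover
#             the same packets as the pipe rule).
check_pipe_rules() {
    awk '
    # Actions that end rule processing for a matching packet.
    BEGIN { split("allow accept pass permit deny drop reject reset unreach", t, " ")
            for (i in t) term[t[i]] = 1 }
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        rule = $1; pkts = $2 + 0; bytes = $3 + 0; action = $4
        if (action == "pipe") {
            if (pkts > 0)
                printf "ACTIVE rule %s pipe %s pkts=%d bytes=%d\n", rule, $5, pkts, bytes
            else
                printf "UNUSED rule %s pipe %s earlier-terminating-rules-with-hits:%s\n", \
                       rule, $5, (earlier == "" ? " none" : earlier)
        } else if ((action in term) && pkts > 0) {
            earlier = earlier " " rule
        }
    }'
}

# Constructed sample of `ipfw show` output: rule 00200 passes the traffic
# before the pipe rule 00300 is ever evaluated.
sample_show() {
cat <<'EOF'
00100    12     960 allow ip from any to any via lo0
00200  4821 6120455 allow tcp from 192.0.2.10 to any out xmit fxp0
00300     0       0 pipe 10 tcp from 192.0.2.10 41000-42000 to any out xmit fxp0
65535     7     420 deny ip from any to any
EOF
}

# Demo on the constructed sample; on a live system: ipfw show | check_pipe_rules
sample_show | check_pipe_rules
```

An UNUSED result with no earlier matching rules points away from rule ordering and toward the pipe itself, which is the case the sender resolved with `ipfw pipe delete` before `ipfw flush`.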

