From: Jonathan Feally
To: Aleksandar Simonovski
Cc: freebsd-net@freebsd.org
Date: Wed, 22 Oct 2003 20:29:10 -0700
Subject: Re: gateway/firewall script
Message-ID: <3F974B06.7070304@netvulture.com>
In-Reply-To: <20031022161353.2deeeeeb.aleksandar@unet.com.mk>

Your problem lies in that you are counting the traffic twice in the queue/pipe: once from the internal addr to the dst, and once from the external addr to the dst. Change your rules to specify which IP block should get the bw limiting. I don't know if the keep-state thing is throwing it out of whack or not.
Aleksandar Simonovski wrote:

> This is my script, works just fine. Its purpose is to allow just www, ftp and dns requests,
> but I get only 6KB/s transfer with config bw 128Kbit/s, and 3KB/s with 64Kbit/s and so on,
> and it should be 16KB/s with 128Kbit/s and 8KB/s with 64Kbit/s and so on. So is this right or
> am I missing something?
>
> Any comments on the script would be fine.
>
> INTINF = rl1
> EXTINF = rl0
>
> # natd is running
> natd -n rl0
>
> #!/bin/sh
> -f flush
> add 1000 divert 8668 ip from any to any via rl0
> add 1200 allow ip from any to any via lo0
> add 1300 deny ip from any to 127.0.0.1/8
> add 1400 deny ip from 127.0.0.1/8 to any
> add 1500 check-state
> add 1550 allow icmp from any to any keep-state
> add 1600 allow log udp from any to any 53 keep-state out
> add 1610 allow log udp from any to any 53 keep-state in
> #add 1620 allow log udp from any 53 to any keep-state in
> add 1700 queue 1 log tcp from any to any 20,21 keep-state out
> add 1800 queue 2 log tcp from any 20,21 to any keep-state in
> add 2000 queue 3 log tcp from any to any 80 keep-state out
> add 2010 queue 4 log tcp from any to any 80 keep-state in
> #add 2020 queue 5 log tcp from any 80 to any keep-state in
> add 2100 deny log ip from any to any
> queue 1 config weight 5 pipe 1 mask all
> queue 2 config weight 5 pipe 2 mask all
> queue 3 config weight 5 pipe 3 mask all
> queue 4 config weight 5 pipe 4 mask all
> queue 5 config weight 5 pipe 5 mask all
> pipe 1 config bw 128Kbit/s
> pipe 2 config bw 128Kbit/s
> pipe 3 config bw 128Kbit/s
> pipe 4 config bw 128Kbit/s
> pipe 5 config bw 128Kbit/s
>
> Cheers,
> Aleksandar
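To make the "counted twice" diagnosis concrete, here is a toy model of how ipfw walks the posted http rules (1000, 1500, 2000, 2010, 2100; the ftp, dns and icmp rules are omitted because they do not touch an http flow). This is an added example, not code from the thread or from FreeBSD. It assumes: natd rewrites the addresses at the divert rule and ipfw resumes at the next rule; net.inet.ip.fw.one_pass=1, so a packet is accepted once a pipe has taken it; and a dynamic (keep-state) rule matches on any interface and applies its parent rule's action. The LAN block 192.168.2.0/24, the rl0 address 198.51.100.10 and the web server 203.0.113.5 are constructed values. The RESTRICTED rule set is one possible rearrangement along the lines of the reply (queue rules limited to the internal block and pinned to rl1, with no keep-state on them); it is an assumption for illustration, and its stateless allow rules on rl0 exist only to let the model's reply packet through, not as a recommended policy.

```python
"""Toy ipfw walk: shows why a NAT'd flow hits a dummynet pipe twice."""
import ipaddress

INT_NET = ipaddress.ip_network("192.168.2.0/24")  # constructed LAN block
EXT_IP = "198.51.100.10"                          # constructed rl0 address


def rule(num, action, proto="ip", src="any", sport=None, dst="any",
         dport=None, dir=None, via=None, keep=False, queue=None):
    """One ipfw rule; port sets, direction and via are optional qualifiers."""
    return dict(num=num, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, dir=dir, via=via, keep=keep, queue=queue)


def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, pkt, iface, direction):
    """Static match; check-state is handled separately in walk()."""
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    if not in_net(pkt["src"], r["src"]) or not in_net(pkt["dst"], r["dst"]):
        return False
    if r["sport"] and pkt["sport"] not in r["sport"]:
        return False
    if r["dport"] and pkt["dport"] not in r["dport"]:
        return False
    if r["dir"] and r["dir"] != direction:
        return False
    return not r["via"] or r["via"] == iface


def walk(rules, pkt, hops, state, nat):
    """Run one packet through every (interface, direction) hop of the box.
    Returns (verdict, list of queues the packet was pushed through)."""
    pkt, queues = dict(pkt), []
    for iface, direction in hops:
        verdict = None
        for r in rules:
            key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if r["action"] == "check-state":
                rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
                r = state.get(key) or state.get(rev)   # dynamic rules ignore interface
                if r is None:
                    continue
            elif not matches(r, pkt, iface, direction):
                continue
            if r["keep"]:
                state[key] = r                          # parent rule's action is reused
            if r["action"] == "divert":                 # natd rewrites, ipfw continues
                if direction == "out" and in_net(pkt["src"], str(INT_NET)):
                    nat[pkt["sport"]] = pkt["src"]
                    pkt["src"] = EXT_IP
                elif direction == "in" and pkt["dst"] == EXT_IP and pkt["dport"] in nat:
                    pkt["dst"] = nat[pkt["dport"]]
                continue
            if r["action"] == "queue":                  # one_pass=1: pipe then accept
                queues.append(r["queue"])
                verdict = "allow"
            else:
                verdict = r["action"]
            break
        if verdict != "allow":
            return "deny", queues
    return "allow", queues


# The http-relevant subset of the posted script.
POSTED = [
    rule(1000, "divert", via="rl0"),
    rule(1500, "check-state"),
    rule(2000, "queue", proto="tcp", dport={80}, dir="out", keep=True, queue=3),
    rule(2010, "queue", proto="tcp", dport={80}, dir="in", keep=True, queue=4),
    rule(2100, "deny"),
]

# Hypothetical rearrangement: queue only the LAN block, only on rl1, no keep-state.
RESTRICTED = [
    rule(1000, "divert", via="rl0"),
    rule(2000, "queue", proto="tcp", src=str(INT_NET), dport={80}, dir="in", via="rl1", queue=3),
    rule(2010, "queue", proto="tcp", sport={80}, dst=str(INT_NET), dir="out", via="rl1", queue=4),
    rule(2020, "allow", proto="tcp", src=EXT_IP, dport={80}, dir="out", via="rl0"),
    rule(2030, "allow", proto="tcp", sport={80}, dst=str(INT_NET), dir="in", via="rl0"),
    rule(2100, "deny"),
]


def pipe_traversals(rules):
    """One LAN http request and the server's reply, each crossing both interfaces."""
    state, nat = {}, {}
    request = dict(proto="tcp", src="192.168.2.130", sport=1234, dst="203.0.113.5", dport=80)
    reply = dict(proto="tcp", src="203.0.113.5", sport=80, dst=EXT_IP, dport=1234)
    return {"request": walk(rules, request, [("rl1", "in"), ("rl0", "out")], state, nat),
            "reply": walk(rules, reply, [("rl0", "in"), ("rl1", "out")], state, nat)}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("restricted", RESTRICTED)):
        print(name, pipe_traversals(rules))
```

Under the posted rules the request is pushed through pipe 4 on rl1 and again through pipe 3 on rl0, and every reply packet (the download the user is measuring) goes through pipe 4 twice, because the dynamic rule created by rule 2010 fires on both interface passes; a 128Kbit/s pipe shared by two traversals of the same packet roughly halves the usable rate, which is in line with the numbers in the thread. The restricted set sends each direction through exactly one pipe. Whether the dynamic rule or the address matching is the larger culprit on a real box is the open question in the reply; the model only shows that both mechanisms contribute.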