Date: Mon, 04 May 2009 17:44:58 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Tamar Lea <tamarlea@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: per protocol bandwidth filters for firewall
Message-ID: <49FF1B8A.3040900@infracaninophile.co.uk>
In-Reply-To: <1ab57dc80905040833q1573f264oe6bd77420df31c6d@mail.gmail.com>
References: <1ab57dc80905040833q1573f264oe6bd77420df31c6d@mail.gmail.com>
Tamar Lea wrote:
> Hello all,
>
> I have inherited the job of maintaining a FreeBSD firewall that sits behind
> an ADSL line that connects 128 clients to the internet. I have not used
> FreeBSD before but have some Linux experience. The connections must be
> always on though I am allowed to reboot if absolutely necessary. It is using
> ipfilter and ipnat. There have been issues with clients taking up too much
> bandwidth, so after several hours of careful testing I managed to redirect
> all traffic on port 80 to a squid service using ipnat. This uses delay pools
> to limit the max speed per user. However I would also like to limit the max
> speed per user for streaming traffic on port 1935. Would this be possible
> with the current setup and what programs or config would be able to do the
Hmmm... out of the three possible choices for firewall implementations under
FreeBSD you have ended up with probably the least capable one. ipfilter's
unique selling point is that it is available on a large number of different
systems. In this case I don't think that really counts for much.

The other two alternatives -- together with their associated QoS / traffic
shaping technologies -- are:

ipfw + dummynet

    This is a FreeBSD-specific firewall implementation. It's a first
    match wins type ruleset which provides all the usual functionality:
    NAT, stateful filtering etc. It can be a bit tricky to manage on
    a live system as remote updates to the ruleset have an unfortunate
    tendency to lock you out of the system.

pf + altq

    This is the new and shiny firewall system ported from OpenBSD.
    It's a last match wins type ruleset, modified by 'quick' (immediately
    applied) rules (similar to ipf), so more flexible than ipfw. The
    configuration file is also a lot more readable than ipfw IMHO. You will
    need to build a custom kernel to make use of ALTQ functionality as for
    some reason that cannot be provided by a loadable kernel module like the
    rest of pf(4). This would be my personal preference for solving the
    problem you describe.

Either of these two should serve you well and allow you to do the required
traffic shaping. Note: while it is technically possible to run more than
one of the three firewall packages at once, that way madness lies, particularly
for fledgling administrators. It might be worth it for a short time if you
really, absolutely, no alternative, have to do a zero-downtime cut-over, but
the risks of something going wrong are significant. A quick restart with
new software is hardly any more intrusive and a lot safer.
Cheers,
Matthew
-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
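A worked example of the per-user limit on port 1935 that the reply says dummynet can provide, added here as an illustration; it is not part of Matthew's message or of the thread. It assumes the box has been switched to ipfw with the dummynet module loaded, that the LAN side is interface em1 with the clients in 192.168.1.0/24, and a cap of 256 Kbit/s per client in each direction; all three values are assumptions and can be overridden through environment variables. The point it shows is dummynet's `mask` option, which makes the kernel keep one dynamic pipe per distinct client address, so the cap applies to each user separately rather than to all port 1935 traffic as a whole.

```shell
#!/bin/sh
# Added example (not from the thread): per-client rate limit for RTMP
# streaming (tcp/1935) using ipfw + dummynet on FreeBSD.
#
# Assumptions, all overridable from the environment:
#   LAN_IF        - interface facing the 128 clients (assumed em1)
#   LAN_NET       - client address range (assumed 192.168.1.0/24)
#   PER_CLIENT_BW - cap applied to each client, in each direction

LAN_IF="${LAN_IF:-em1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PER_CLIENT_BW="${PER_CLIENT_BW:-256Kbit/s}"

# dummynet_rules prints the ipfw commands (without the leading "ipfw" word).
# The "mask" option is what makes the limit per user: dummynet keeps one
# dynamic pipe per distinct masked address, so every client gets its own
# $PER_CLIENT_BW bucket instead of all clients sharing one.
#   pipe 1: traffic flowing to the clients (downloads), keyed on destination IP
#   pipe 2: traffic flowing from the clients (uploads), keyed on source IP
# Rule numbers 100/110 are low so they match before any later allow/NAT rules
# in the ruleset (ipfw is first match wins).
dummynet_rules() {
	cat <<EOF
pipe 1 config bw $PER_CLIENT_BW mask dst-ip 0xffffffff
pipe 2 config bw $PER_CLIENT_BW mask src-ip 0xffffffff
add 100 pipe 1 tcp from any 1935 to $LAN_NET out xmit $LAN_IF
add 110 pipe 2 tcp from $LAN_NET to any 1935 in recv $LAN_IF
EOF
}

# count_pipes returns how many per-client (masked) pipes the ruleset defines;
# a quick sanity check that both directions are shaped.
count_pipes() {
	dummynet_rules | grep -c '^pipe [0-9]* config .*mask '
}

# apply_rules feeds the commands to ipfw. Only run this on the firewall itself,
# after "kldload dummynet"; printing is the default so the rules can be reviewed.
apply_rules() {
	dummynet_rules | while IFS= read -r rule; do
		# shellcheck disable=SC2086  # splitting into ipfw arguments is intended
		ipfw $rule
	done
}

if [ "${1:-}" = "apply" ]; then
	apply_rules
else
	dummynet_rules
fi
```

Run it without arguments to print the rules for review and with `apply` on the firewall to load them. Two caveats for a first-time ipfw user: with the default `net.inet.ip.fw.one_pass=1` a packet that has been through a pipe is accepted without visiting the rest of the ruleset, so either set that sysctl to 0 or make sure nothing after rule 110 was meant to deny port 1935 traffic; and the per-address mask is a dummynet feature. With pf + ALTQ you assign port 1935 traffic to a fixed-bandwidth queue shared by all clients, and a per-client cap would mean writing one queue per client address.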
