From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Mon, 04 May 2009 17:44:58 +0100
To: Tamar Lea
Cc: freebsd-questions@freebsd.org
Subject: Re: per protocol bandwidth filters for firewall
Message-ID: <49FF1B8A.3040900@infracaninophile.co.uk>
In-Reply-To: <1ab57dc80905040833q1573f264oe6bd77420df31c6d@mail.gmail.com>

Tamar Lea wrote:
> Hello all,
> I have inherited the job of maintaining a FreeBSD firewall that sits behind
> an ADSL line that connects 128 clients to the internet. I have not used
> FreeBSD before but have some Linux experience.
> The connections must be always on, though I am allowed to reboot if
> absolutely necessary. It is using ipfilter and ipnat. There have been
> issues with clients taking up too much bandwidth, so after several hours
> of careful testing I managed to redirect all traffic on port 80 to a
> squid service using ipnat. This uses delay pools to limit the max speed
> per user. However I would also like to limit the max speed per user for
> streaming traffic on port 1935. Would this be possible with the current
> setup and what programs or config would be able to do the

Hmmm... out of the three possible choices for firewall implementations under
FreeBSD you have ended up with probably the least capable one. ipfilter's
unique selling point is that it is available on a large number of different
systems. In this case I don't think that really counts for much.

The other two alternatives -- together with their associated QoS / traffic
shaping technologies -- are:

ipfw + dummynet   This is a FreeBSD-specific firewall implementation. It's a
                  first-match-wins type ruleset which provides all the usual
                  functionality: NAT, stateful filtering, etc. It can be a bit
                  tricky to manage on a live system, as remote updates to the
                  ruleset have an unfortunate tendency to lock you out of the
                  system.

pf + altq         This is the new and shiny firewall system ported from
                  OpenBSD. It's a last-match-wins type ruleset, modified by
                  'quick' (immediately applied) rules (similar to ipf), so
                  more flexible than ipfw. The configuration file is also a
                  lot more readable than ipfw's IMHO. You will need to build
                  a custom kernel to make use of ALTQ functionality, as for
                  some reason that cannot be provided by a loadable kernel
                  module like the rest of pf(4). This would be my personal
                  preference for solving the problem you describe.

Either of these two should serve you well and allow you to do the required
traffic shaping.
Note: while it is technically possible to run more than one of the three
firewall packages at once, that way madness lies, particularly for fledgling
administrators. It might be worth it for a short time if you really,
absolutely, no alternative, have to do a zero-downtime cut-over, but the
risks of something going wrong are significant. A quick restart with new
software is hardly any more intrusive and a lot safer.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
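Added example (editor's note, not part of Matthew's mail and not FreeBSD project code): the ipfw + dummynet route to the per-user cap on port 1935 that the original question asks for. It is shown with dummynet rather than pf/ALTQ because ALTQ queues are declared statically in pf.conf, so a per-client cap there means one queue per client address, whereas a dummynet pipe with a 32-bit address mask spawns a separate dynamic pipe for every client IP automatically. Everything site-specific is assumed: LAN interface em1, client subnet 192.168.1.0/24, 256 Kbit/s per client per direction, dummynet pipes 10 and 11, and ipfw rule numbers 1000 and 1001. The apply step also builds in the lock-out insurance the mail warns about: a background timer deletes the new rules again unless you cancel it once you have confirmed you still have access.

```shell
#!/bin/sh
# Added example (not from the original mail, nor FreeBSD project code):
# cap each LAN client's RTMP (TCP port 1935) throughput with ipfw + dummynet.
# ASSUMPTIONS (edit for your site): LAN interface em1, client subnet
# 192.168.1.0/24, 256 Kbit/s per client per direction, dummynet pipes 10/11,
# ipfw rule numbers 1000/1001. Needs the ipfw and dummynet kernel modules
# (kldload ipfw dummynet) or a kernel built with them.

LAN_IF=em1
LAN_NET=192.168.1.0/24
RATE=256Kbit/s
PIPE_DOWN=10     # traffic towards the clients (the stream data itself)
PIPE_UP=11       # traffic from the clients
RULE_BASE=1000   # ipfw is first-match-wins: keep these above any allow-all rule

# Emit the rules, one ipfw(8) command per line, without the "ipfw" prefix.
# The 32-bit mask on the client address is what makes the limit per user:
# dummynet creates a separate dynamic pipe for every distinct client IP, so
# each client gets $RATE of its own instead of all 128 sharing one cap.
rtmp_rules() {
    cat <<EOF
pipe $PIPE_DOWN config bw $RATE mask dst-ip 0xffffffff
pipe $PIPE_UP config bw $RATE mask src-ip 0xffffffff
add $RULE_BASE pipe $PIPE_DOWN tcp from any 1935 to $LAN_NET out via $LAN_IF
add $((RULE_BASE + 1)) pipe $PIPE_UP tcp from $LAN_NET to any 1935 in via $LAN_IF
EOF
}

# Caveat: with the default sysctl net.inet.ip.fw.one_pass=1 a packet leaving
# a pipe is accepted rather than re-injected into the ruleset, so the two
# "pipe" rules above also act as "allow" for that traffic. Set one_pass=0 if
# later rules (e.g. a deny) must still see it.

# Load the rules with a rollback timer: if the new ruleset locks you out and
# you cannot cancel the timer, the rules are removed again after
# ROLLBACK_SECS. Confirm access, then kill the PID this prints.
apply_rules() {
    ROLLBACK_SECS=${1:-120}
    rtmp_rules | while read -r line; do
        # word-splitting $line into ipfw arguments is intended here
        ipfw -q $line
    done
    ( sleep "$ROLLBACK_SECS"; ipfw -q delete "$RULE_BASE" "$((RULE_BASE + 1))" ) &
    echo "rollback timer pid $! (kill it once you have confirmed access)"
}

# Usage:  sh rtmp-limit.sh          -> print the rules that would be loaded
#         sh rtmp-limit.sh apply    -> load them, with a 120 s rollback timer
#         sh rtmp-limit.sh apply 60 -> load them, with a 60 s rollback timer
case "${1:-show}" in
    show)  rtmp_rules ;;
    apply) apply_rules "$2" ;;
esac
```

Run it once in "show" mode and read the four lines before applying anything; the pipe definitions are idempotent, but the two `add` rules must land above whatever catch-all allow rule your ruleset already has, or the traffic will never reach them.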