From: Sean Hafeez
Date: Tue, 2 Dec 2003 18:28:20 -0800
To: Jon Simola
cc: freebsd-ipfw@freebsd.org
Subject: Re: MAN page example vs. this?

Thank you for the info. One or 2 questions if I could?

On Dec 1, 2003, at 4:03 PM, Jon Simola wrote:

>>
>> ipfw add pipe 1 ip from any to any in recv rl1
>> ipfw add pipe 2 ip from any to any out xmit rl1
>> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
>> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>>
>> are these 2 examples functionally the same? if not what is the
>> difference?
>
> You're forcing the interface. Be careful, as packets may flow through in
> ways you don't expect.
>

Such as?
There are 2 interfaces, rl0 & rl1. rl0 is the internet side, rl1 the internal. What could I miss?

>> also in the first example, if the network was changed to
>> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0) ? it is a
>> reverse mask like a cisco, right?
>
> That mask has nothing to do with a network mask. It's a simple bitmask,
> used to pick out the bits in the src/dst ip/port combinations that are
> used to hash the packets into a unique bucket.
>
> If you used "mask src-ip 0x00000001" you would be sorting the packets into
> buckets (and queues) based on whether the source IP's last octet was even
> or odd.

So 0xffffffff would match one user to one website, etc...? In doing what I am doing am I limiting each user (IP) to a total of 200kbits or 200kbits for each user for every pipe they open?

Thanks!
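
Added example (not part of the original message, and a simplified model rather than dummynet's own code): the bitmask behaviour described in the quoted reply, where each distinct masked value selects its own bucket with the configured bandwidth. The packet list, the dst-ip variant of the mask and the names flow_key and buckets are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

FIELDS = ("src-ip", "dst-ip", "src-port", "dst-port")

def flow_key(pkt, mask):
    """AND each field with its mask bits. A field that is absent from the
    mask contributes 0, so it can never split traffic into more buckets."""
    key = []
    for field in FIELDS:
        value = pkt[field]
        if field.endswith("-ip"):
            value = int(ipaddress.IPv4Address(value))
        key.append(value & mask.get(field, 0))
    return tuple(key)

def buckets(packets, mask):
    """Group packets by masked key; each group models one bucket that
    receives the pipe's configured bandwidth to itself."""
    groups = defaultdict(list)
    for pkt in packets:
        groups[flow_key(pkt, mask)].append(pkt)
    return dict(groups)

# Constructed sample traffic: three internal hosts, two destinations.
PACKETS = [
    {"src-ip": "192.168.0.10", "dst-ip": "203.0.113.5", "src-port": 40001, "dst-port": 80},
    {"src-ip": "192.168.0.10", "dst-ip": "198.51.100.7", "src-port": 40002, "dst-port": 443},
    {"src-ip": "192.168.0.11", "dst-ip": "203.0.113.5", "src-port": 40003, "dst-port": 80},
    {"src-ip": "192.168.1.20", "dst-ip": "203.0.113.5", "src-port": 40004, "dst-port": 80},
]

PER_HOST = {"src-ip": 0xFFFFFFFF}           # mask src-ip 0xffffffff
EVEN_ODD = {"src-ip": 0x00000001}           # mask src-ip 0x00000001
PER_HOST_AND_DEST = {"src-ip": 0xFFFFFFFF,  # mask src-ip 0xffffffff
                     "dst-ip": 0xFFFFFFFF}  #      dst-ip 0xffffffff

if __name__ == "__main__":
    for name, mask in [("per host", PER_HOST), ("even/odd", EVEN_ODD),
                       ("host+dest", PER_HOST_AND_DEST)]:
        for key, pkts in buckets(PACKETS, mask).items():
            print(name, key, [p["src-ip"] + " -> " + p["dst-ip"] for p in pkts])
```

In this model, masking only src-ip with 0xffffffff puts all of one host's traffic in a single bucket whatever the destination; the destination splits buckets only when dst-ip bits are in the mask as well.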