Date: Tue, 17 Sep 2002 18:45:17 -0400
From: "Scott M. Nolde"
To: Kenneth W Cochran
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: Traffic Shaping?
Message-ID: <20020917224517.GA56724@smnolde.com>

Kenneth W Cochran(kwc@TheWorld.com)@2002.09.17 17:32:25 +0000:
> >Date: Tue, 17 Sep 2002 10:34:37 -0400
> >From: "Scott M. Nolde"
> >To: Lasse Laursen
> >Cc: freebsd-stable@FreeBSD.ORG
> >Subject: Re: Traffic Shaping?
> >
> >As much as I hate to toot my own horn, I'll do it.  I've just published a
> >script for doing WF2Q+ traffic shaping at http://bsdvault.net.  This
> >script may be overkill for what you need, but it could help you in other
> >ways and serve as an example of how to implement traffic shaping.
> >
> >It's worth a read and I'm open to comments.  Please post comments at
> >bsdvault's site.
> >
> >- Scott
>
> (Hopefully quick) questions...
>
> I notice that in both your script & the one on which it is based,
> there is a "duplicated" set of ingress/egress filtering rules
> on either side (i.e. before & after) the natd rule.
>
> Why do we need both?
> Wouldn't the 1st set be sufficient?  I.e. Do our filtering before NAT?
>
> I see the purpose of that 1st set (before the divert rule) but I'm not
> grokking that section immediately after.
>
> Thanks,
>
> -kc

To the best of my knowledge, the second set is important since you are
blocking traffic from the LAN side whatever happens to originate from
the LAN.  Those IP address blocks are reserved by IANA and it is very
bad practice to let that traffic out to the internet.  These blocks or
prefixes are "special use" prefixes.  You can read the text mentioned in
the script here:

http://www.apnic.net/stats/bgp/notes/draft-manning-dsua-03.txt

- Scott
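
The rule-ordering question in this thread, as an added example that is not part of the original message and is not Scott's script: a small Python model of packets crossing the outside interface. It assumes the layout of the stock FreeBSD rc.firewall "simple" ruleset, where the set before the natd divert rule matches destinations and the set after it matches sources; the addresses and the NAT table are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 nets plus the draft-manning-dsua-03 special-use prefixes
SPECIAL = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "224.0.0.0/4", "240.0.0.0/4")]

PUBLIC_IP = ip_address("203.0.113.5")   # constructed: gateway's outside address
LAN = ip_network("192.168.10.0/24")     # constructed: inside network

def special(addr):
    """True if addr falls in any special-use prefix."""
    addr = ip_address(addr)
    return any(addr in net for net in SPECIAL)

def natd(direction, src, dst, table):
    """Minimal NAT model: rewrite LAN sources going out, restore them coming in."""
    if direction == "out" and src in LAN:
        table[dst] = src                  # remember which LAN host talked to dst
        return PUBLIC_IP, dst
    if direction == "in" and dst == PUBLIC_IP and src in table:
        return src, table[src]            # reply: destination becomes the LAN host
    return src, dst                       # unsolicited: left untouched

def outside_interface(direction, src, dst, table, second_set=True):
    """Verdict for one packet crossing the outside interface."""
    src, dst = ip_address(src), ip_address(dst)
    # First set (before divert): deny all from any to <prefix>.
    # It cannot match sources here: every LAN packet still has a private source.
    if special(dst):
        return "deny (before natd)"
    src, dst = natd(direction, src, dst, table)
    # Second set (after divert): deny all from <prefix> to any.
    # It cannot match destinations here: replies now carry a private destination.
    if second_set and special(src):
        return "deny (after natd)"
    return "pass"

if __name__ == "__main__":
    nat = {}
    cases = [("out", "192.168.10.7", "198.51.100.9"),   # normal LAN traffic
             ("in", "198.51.100.9", "203.0.113.5"),     # its reply
             ("in", "10.1.2.3", "203.0.113.5"),         # spoofed private source
             ("out", "192.168.10.7", "10.9.9.9")]       # private destination leaking out
    for c in cases:
        print(c, "->", outside_interface(*c, nat),
              "| first set only:", outside_interface(*c, nat, second_set=False))
```

With the second set disabled, the inbound packet carrying a private source address passes, which is the case the rules after the divert exist to stop.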