From: "Freddie Cash"
To: freebsd-net@freebsd.org
Date: Fri, 27 Jun 2008 13:01:28 -0700
Subject: Understanding where dummynet fits into an ipfw ruleset
List-Id: Networking and TCP/IP with FreeBSD

I'm trying to figure out how traffic shaping using dummynet fits into an ipfw ruleset. Mainly, I'm wondering where to put the "ipfw queue" rules (the ones that send the packets to dummynet), in relation to the packet filtering rules, or if it even matters.

For instance, do the queue rules apply to all the rules in the set, or only to rules that follow after the queue rules (numerically)?

Say I've got a firewall setup that does 1:1 NAT for a bunch of servers (allow incoming/outgoing traffic), as well as 1:many NAT for the workstations (allow outgoing) on the LAN. I want to add traffic shaping rules that give traffic from the workstations to specific IPs greater weight than general traffic from the workstations to the Internet (i.e. reserve 25% of the bandwidth for important services).

Would I put the queue rules at the start of the ruleset or the end? Or in the middle, just above the rules for the workstations? Do I add them after all the bad packet checks and general deny rules that are at the top of the ruleset?

Just wondering how the queue rules interact with the general packet filter rules, since they can have the same parameters.

Thanks.

--
Freddie Cash
fjwcash@gmail.com