From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 13 19:40:39 2007
Message-ID: <937e203f0706131240o45b08b73na7bc695ac00a1123@mail.gmail.com>
Date: Wed, 13 Jun 2007 21:40:37 +0200
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: ipfw, pipes, queues, weights and managing an Internet connection
OK, so here's what I've ended up with -> fxp0 is the external interface, the one on which natd is bound to.

    00001: 440.000 Kbit/s    0 ms  500 B    1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp       85.187.141.213/24593     10.11.0.33/3132   16906 17390616  0    0 2394

* I've limited the pipe to 440 Kbit/s for the testing purposes. There are no other pipes.

    q00001: weight 99 pipe 1 50 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp           10.11.0.33/3132  85.187.141.213/24593  374713 26638167  0    0    0
    q00002: weight 75 pipe 1 50 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp         66.160.135.130/80       192.168.1.90/1228    2025  1825680  0    0    0
    q00003: weight 50 pipe 1 50 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp           64.12.90.22/80       192.168.1.90/1100    9081 10419914  0    0    0

And the ruleset -> I'll try to comment the lines the same way Mark did:

    01900 queue 1 ip from any to any out proto tcp tcpflags ack iplen 0-80 xmit fxp0
    01905 queue 1 ip from any to any in proto tcp tcpflags ack iplen 0-80 recv fxp0
* Following Mark's example I let the ACKs in the first queue.
    01910 queue 1 ip from any to any out proto udp xmit fxp0
    01911 queue 1 ip from any to any in proto udp recv fxp0
* Again using Mark's example - this serves for DNS requests.
    01915 queue 1 ip from any to any in proto icmp recv fxp0
    01920 queue 1 ip from any to any out proto icmp xmit fxp0
* You guessed it - the dreaded ping...
    01950 queue 2 ip from 192.168.1.90 to not me
    01960 queue 2 ip from not me to 192.168.1.90
* 192.168.1.90 is a host which I want to have priority over everything else - except for the DNS, ACK and ping requests.
    02000 queue 3 ip from any to any src-port 80 not layer2 via fxp0
    02100 queue 3 ip from any to any dst-port 80 not layer2 via fxp0
* Here I give priority to port 80 so that browsing should not feel that something is being downloaded and is trying to eat up the pipe.
    65500 allow ip from any to any
* And here falls everything else. The interesting part about this is that when I put that rule to fall in, for example, queue 4 /pipe 1, weight 1, least priority/ all the others seem to not work, judging by the ping times, so I just allowed it without setting a queue to it.

I believe that the 65500 rule and the others not working when assigned a queue may be because I have no allow rule after the natd divert. The 1900 rule is the first one after the divert rule. I think that's the reason.

Please people comment, share your thoughts and opinions - I feel that there is some difference, but I do drastically feel when there is a torrent in the background. Maybe I'm doing something wrong? If anyone has the time and the desire to test this ruleset - IT WOULD BE INVALUABLE, because words can only take you so far...

To anyone who participates - a big thanks!

--
mEsS wItH tHe bEsT dIE liKe tHe rESt
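As an added example (not code from the post or from FreeBSD), here is a small parser for the `ipfw pipe show` / `ipfw queue show` output quoted above, fed the posted figures as a constructed sample. It works out the slice of the 440 Kbit/s pipe each weighted queue is guaranteed when all three are backlogged (dummynet's WF2Q+ scheduler splits a pipe among busy queues in proportion to weight) and lists the flows whose drop counter is non-zero, which is where to look first when the link "feels" saturated. The regexes assume the column layout shown in the post.

```python
import re

# Constructed sample: the ipfw pipe show / queue show output quoted in the post
# (whitespace normalised, repeated header lines trimmed).
SAMPLE = """\
00001: 440.000 Kbit/s    0 ms  500 B    1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  85.187.141.213/24593 10.11.0.33/3132 16906 17390616 0 0 2394
q00001: weight 99 pipe 1 50 sl. 1 queues (1 buckets) droptail
  0 tcp  10.11.0.33/3132 85.187.141.213/24593 374713 26638167 0 0 0
q00002: weight 75 pipe 1 50 sl. 1 queues (1 buckets) droptail
  0 tcp  66.160.135.130/80 192.168.1.90/1228 2025 1825680 0 0 0
q00003: weight 50 pipe 1 50 sl. 1 queues (1 buckets) droptail
  0 tcp  64.12.90.22/80 192.168.1.90/1100 9081 10419914 0 0 0
"""

PIPE_RE = re.compile(r"^(\d{5}): ([\d.]+) ([KM])bit/s")
QUEUE_RE = re.compile(r"^q(\d{5}): weight (\d+) pipe (\d+) (\d+) sl\.")
# bucket proto src dst tot_pkt tot_bytes cur_pkt cur_bytes drops
FLOW_RE = re.compile(r"^\s*\d+ (\w+)\s+(\S+)\s+(\S+)\s+(\d+) (\d+) (\d+) (\d+) (\d+)$")

def parse_dummynet(text):
    """Return ({pipe_no: {...}}, {queue_no: {...}}) from pipe/queue show output."""
    pipes, queues, current = {}, {}, None
    for line in text.splitlines():
        if m := PIPE_RE.match(line):
            kbit = float(m.group(2)) * (1000 if m.group(3) == "M" else 1)
            current = pipes[int(m.group(1))] = {"kbit": kbit, "flows": []}
        elif m := QUEUE_RE.match(line):
            current = queues[int(m.group(1))] = {"weight": int(m.group(2)),
                "pipe": int(m.group(3)), "slots": int(m.group(4)), "flows": []}
        elif (m := FLOW_RE.match(line)) and current is not None:
            current["flows"].append({"proto": m.group(1), "src": m.group(2),
                "dst": m.group(3), "tot_pkt": int(m.group(4)),
                "tot_bytes": int(m.group(5)), "drop": int(m.group(8))})
    return pipes, queues

def fair_shares(pipes, queues):
    """Kbit/s guaranteed to each queue when every queue on its pipe is backlogged:
    dummynet's WF2Q+ scheduler splits the pipe in proportion to queue weights."""
    shares = {}
    for qid, q in queues.items():
        total = sum(o["weight"] for o in queues.values() if o["pipe"] == q["pipe"])
        shares[qid] = round(pipes[q["pipe"]]["kbit"] * q["weight"] / total, 1)
    return shares

def dropping_flows(pipes, queues):
    """(kind, number, src, dst, drops) for every flow with a non-zero drop counter."""
    return [(kind, no, f["src"], f["dst"], f["drop"]) for kind, table in (("pipe", pipes), ("queue", queues)) for no, obj in table.items() for f in obj["flows"] if f["drop"]]
```

With the posted weights 99/75/50 the guaranteed shares come out at roughly 194.5, 147.3 and 98.2 Kbit/s, and the only flow recording drops is the one on the pipe itself.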