Date: Fri, 1 Aug 2014 16:32:01 -0500
From: Kevin Kinsey
To: Tim Daneliuk
Cc: questions@freebsd.org
Subject: Re: Help With ipwf Rules

On Thu, Jul 31, 2014 at 01:39:36PM -0500, Tim Daneliuk wrote:
> I am working on a FreeBSD 10-STABLE machine that has two NICS:
>
>    re0 - Connects to the internet
>    em0 - NATs to a private flat Class C LAN (192.168...)
>
> There is already an IPFW ruleset in place, primarily to control
> who can get in via re0 - pretty much anything is allowed out from
> the FreeBSD machine itself and from the 192 network.
>
> I need to add a few additional ipfw rules to do the following:
>
> 1) Bandwidth shaping/management.  I need to ensure that the total
>    amount of bandwidth being used by hosts on the LAN never exceeds,
>    say, 3 mb/sec down and 1 mb/sec up.  Then I need a similar rule
>    for traffic originating ON the FreeBSD box itself.
>

See dummynet(4).  It should be mentioned also in ipfw(8).  The manpage
says you still need to configure a kernel to use it ... I cannot
confirm whether that's still true, or if that's changed significantly.

It's been a while, but IIRC it will be something like:

    ipfw add pipe 1 ip from any to any via em0
    ipfw pipe 1 config bw 3Mbit/s

YMMV.  I had this working sometime in the last decade on FBSD 4, up
through about FBSD 7 or 2010 (whichever was later).

It might be worth mentioning that plenty of voices Out There have
moved on to recommending PF instead of IPFW.

Hopefully this will at least point you in the somewhat correct
direction.

Kevin Kinsey

> 2) I need to create rules that permit a VOIP phone to plug in on
>    the NATed LAN and still work properly.
>
> I am somewhat familiar with ipfw having set up the original rule set
> but I am a bit unclear on how to do these two things.  The help of
> some kind soul with the expertise would be most appreciated ...
>
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra@tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
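
Added example, not part of the original messages: the two-pipe form of the dummynet setup the reply points toward, matching on em0 so that download and upload get separate limits, plus a check of the one_pass sysctl that decides whether shaped packets still reach the filter rules. The 192.168.0.0/16 prefix, rule numbers 400/410, pipe numbers 1/2, and reading "3 mb/sec" as 3Mbit/s are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: LAN prefix
# 192.168.0.0/16; rule numbers 400/410 and pipes 1/2 are unused and sit
# ahead of the existing allow/deny rules.

# Emit ipfw arguments that cap LAN traffic. Matching on the inside
# interface lets the rules see the private (un-NATed) addresses.
lan_shaper_rules() {   # usage: lan_shaper_rules IF NET DOWN UP
    cat <<EOF
pipe 1 config bw $3
pipe 2 config bw $4
add 400 pipe 1 ip from any to $2 out via $1
add 410 pipe 2 ip from $2 to any in via $1
EOF
}

# With net.inet.ip.fw.one_pass=1 a packet leaving a pipe is accepted
# without visiting later rules, so pipe rules placed ahead of the filter
# rules would let traffic bypass them. Succeeds only when the value is 0.
one_pass_is_safe() {
    [ "$1" = "0" ]
}

if [ "${1:-}" = "apply" ]; then
    # Assumes dummynet is available as a module; harmless if already present.
    kldload -n dummynet 2>/dev/null || true
    one_pass_is_safe "$(sysctl -n net.inet.ip.fw.one_pass)" ||
        echo "warning: one_pass=1, piped packets skip all later rules; set it to 0" >&2
    lan_shaper_rules em0 192.168.0.0/16 3Mbit/s 1Mbit/s |
        while read -r args; do
            ipfw -q $args          # word splitting of $args is intended
        done
else
    # Default: only show the commands that "apply" would run.
    lan_shaper_rules em0 192.168.0.0/16 3Mbit/s 1Mbit/s | sed 's/^/ipfw /'
fi
```

Run without arguments to print the commands; run as root with `apply` on the FreeBSD box to install them.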