From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 16 18:02:38 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Sat, 16 Jun 2007 20:02:37 +0200
Message-ID: <937e203f0706161102m1ffa750ble3c900aade2e1c4f@mail.gmail.com>
List-Id: IPFW Technical Discussions
Subject: ipfw, pipes, queues, weights and managing an Internet connection

I'm reposting my question - there might have been some problem the previous time I sent it because I have not received ANY mail from the fbsd lists in over 4 days now...

OK, so here's what I've ended up with -> fxp0 is the external interface, the one on which natd is bound to.

> 00001: 440.000 Kbit/s    0 ms  500 B   1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp   85.187.141.213/24593    10.11.0.33/3132   16906 17390616  0    0 2394
> * I've limited the pipe to 440 Kbit/s for the testing purposes. There are no other pipes.
>
> q00001: weight 99 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp   10.11.0.33/3132    85.187.141.213/24593  374713 26638167  0    0    0
> q00002: weight 75 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp   66.160.135.130/80   192.168.1.90/1228    2025 1825680  0    0    0
> q00003: weight 50 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp   64.12.90.22/80    192.168.1.90/1100    9081 10419914  0    0    0
>
> And the ruleset -> I'll try to comment the lines the same way Mark did:
>
> 01900 queue 1 ip from any to any out proto tcp tcpflags ack iplen 0-80 xmit fxp0
> 01905 queue 1 ip from any to any in proto tcp tcpflags ack iplen 0-80 recv fxp0
> * Following Mark's example I let the ACK's in the first queue.
> 01910 queue 1 ip from any to any out proto udp xmit fxp0
> 01911 queue 1 ip from any to any in proto udp recv fxp0
> * Again using Mark's example - this serves for DNS requests
> 01915 queue 1 ip from any to any in proto icmp recv fxp0
> 01920 queue 1 ip from any to any out proto icmp xmit fxp0
> * You guessed it - the dreaded ping...
> 01950 queue 2 ip from 192.168.1.90 to not me
> 01960 queue 2 ip from not me to 192.168.1.90
> * 192.168.1.90 is a host which I want to have priority over everything else - except for the DNS, ACK and ping requests.
> 02000 queue 3 ip from any to any src-port 80 not layer2 via fxp0
> 02100 queue 3 ip from any to any dst-port 80 not layer2 via fxp0
> * Here I give priority to the 80 port so that browsing should not feel that something is being downloaded and is trying to eat up the pipe.
> 65500 allow ip from any to any
> * And here falls everything else. The interesting part about this is that when I put that rule to fall in for ex. queue 4 /pipe 1, weight 1, least priority/ all the others seem to not work, judging by the ping times, so I just allowed it without setting a queue to it.

I believe that the 65500 rule and the not working of others when assigned a queue may be because I have no allow rule after the natd divert. The 1900 rule is the first one after the divert rule. I think that's the reason.

Please people comment, share your thoughts and opinions - I feel that there is some difference, but I do drastically feel when there is a torrent in the background. Maybe I'm doing something wrong? If anyone has the time and the desire to test this ruleset - IT WOULD BE INVALUABLE, cuz words can only take you so far...

To anyone who participates - a big thanks!

--
mEsS wItH tHe bEsT dIE liKe tHe rESt
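As an added illustration (not code from the post or from ipfw itself), here is a small Python parser for the `ipfw pipe show` / `ipfw queue show` output quoted above: it reads each pipe's bandwidth and each queue's weight and flow counters, then computes the share of the pipe each queue gets under dummynet's WF2Q+ when all queues on the pipe are backlogged (weight divided by the sum of the weights of that pipe's queues). The sample input is a constructed, abridged re-typing of the output in the post.

```python
import re

# Constructed sample: abridged copy of the pipe/queue listing from the post.
SAMPLE = """\
00001: 440.000 Kbit/s    0 ms  500 B   1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp   85.187.141.213/24593    10.11.0.33/3132   16906 17390616  0    0 2394
q00001: weight 99 pipe 1 50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp   10.11.0.33/3132    85.187.141.213/24593  374713 26638167  0    0    0
q00002: weight 75 pipe 1 50 sl. 1 queues (1 buckets) droptail
  0 tcp   66.160.135.130/80   192.168.1.90/1228    2025 1825680  0    0    0
q00003: weight 50 pipe 1 50 sl. 1 queues (1 buckets) droptail
  0 tcp   64.12.90.22/80    192.168.1.90/1100    9081 10419914  0    0    0
"""

# Header line of a pipe ("00001: 440.000 Kbit/s ..."), of a queue
# ("q00001: weight 99 pipe 1 ..."), and a per-flow stats row
# (BKT Prot Src Dst Tot_pkt Tot_bytes Pkt Byte Drp).
PIPE_RE = re.compile(r"^(\d+):\s+(?:([\d.]+)\s+(bit|Kbit|Mbit)/s|unlimited)")
QUEUE_RE = re.compile(r"^q(\d+):\s+weight\s+(\d+)\s+pipe\s+(\d+)")
FLOW_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+\S+\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s*$")
UNIT = {"bit": 1, "Kbit": 1000, "Mbit": 1000000}  # ipfw's bandwidth multipliers

def parse(text):
    """Return ({pipe_id: stats}, {queue_id: stats}); flow rows are summed
    into whichever pipe or queue header preceded them (mask/BKT lines are skipped)."""
    pipes, queues, cur = {}, {}, None
    for line in text.splitlines():
        if m := PIPE_RE.match(line):
            bw = float(m.group(2)) * UNIT[m.group(3)] if m.group(2) else 0.0
            cur = pipes[int(m.group(1))] = {"bw_bps": bw, "pkts": 0, "bytes": 0, "drops": 0}
        elif m := QUEUE_RE.match(line):
            cur = queues[int(m.group(1))] = {"weight": int(m.group(2)),
                                             "pipe": int(m.group(3)),
                                             "pkts": 0, "bytes": 0, "drops": 0}
        elif (m := FLOW_RE.match(line)) and cur is not None:
            cur["pkts"] += int(m.group(1))
            cur["bytes"] += int(m.group(2))
            cur["drops"] += int(m.group(3))
    return pipes, queues

def wf2q_shares(pipes, queues, pipe_id):
    """Bit/s each queue on pipe_id receives when every queue is backlogged:
    WF2Q+ divides the pipe in proportion to weight / sum of weights."""
    qs = {qid: q for qid, q in queues.items() if q["pipe"] == pipe_id}
    total = sum(q["weight"] for q in qs.values())
    return {qid: pipes[pipe_id]["bw_bps"] * q["weight"] / total for qid, q in qs.items()}

if __name__ == "__main__":
    p, q = parse(SAMPLE)
    for qid, share in sorted(wf2q_shares(p, q, 1).items()):
        print(f"queue {qid}: weight {q[qid]['weight']:>3} -> {share / 1000:8.1f} Kbit/s, drops {q[qid]['drops']}")
```

Queues that are idle do not consume their share; WF2Q+ redistributes it among the queues that actually have packets, so the figures printed are the worst-case guarantee for each queue rather than what an idle link shows.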