From: Jason Borkowsky
To: freebsd-security@freebsd.org
Date: Mon, 16 Jul 2001 11:37:43 -0400 (EDT)
Subject: ipfw pipe command

I have a question about using pipes in ipfw and hope this is the right forum to ask this question.

I have a FreeBSD box connected to a DSL modem at Ethernet 802.3 (10Mb/s) half duplex connection. I am running ipfw on the box, and in terms of filtering, NAT'ing, and port redirection, everything works fine. I decided I wanted to try to use piping to bandwidth limit certain types of traffic. After reading the man pages and ipfw HOW-TO, I came up with the following simple configuration:

    ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes
    ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0

So the first line creates a pipe that is limited to 5 Kb/s and has a queue of 4Mbytes, which should limit traffic drops for large transfers. The next line creates a rule saying if the traffic is TCP, and is sourced from my FreeBSD box of IP address x.x.x.x and the source port is in the range of 41000-42000 and is being transmitted out my external interface (fxp0), it should use this pipe.

So now if I list the pipes, I see the following:

    #ipfw pipe list
    00010:   5.000 Kbit/s    0 ms    4 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp

So I have my pipe at 5Kb/s, but it doesn't look like it is being used. I then set up a test connection, use an external sniffer (SnifferPro) and monitor my traffic sessions. However, any tcp traffic in the range of 41000-42000 that is being transmitted from my machine out that interface is not being slowed to 5Kb/s, and is just grabbing all available bandwidth (11,000 to 16,000 KBYTES/s).

Can anyone that uses pipes tell me what I did wrong or how to better troubleshoot this?

Thanks!
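The check the message performs by eye on the `ipfw pipe list` output (does pipe 10 show any flow rows?), as an added example that is not part of the original post: a small parser that reports each pipe's configured bandwidth, the queue size as the listing prints it, and whether any traffic has been accounted to it. The function names, the flow-row layout (inferred from the header columns), the queue units other than `sl.`, and the constructed sample row are assumptions.

```python
import re
import sys

# Listing copied from the message above: pipe 10 with an empty flow table.
LISTING_FROM_POST = """\
00010:   5.000 Kbit/s    0 ms    4 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
"""

# Constructed flow row (not from the post), assumed to follow the header columns:
# bucket, proto, src ip/port, dst ip/port, total pkts, total bytes,
# queued pkts, queued bytes, drops.
CONSTRUCTED_ROW = "  0 tcp   192.0.2.10/41005   198.51.100.7/80   120   98000  3  4500   0\n"

# Pipe header line; queue units other than "sl." are an assumption.
PIPE_RE = re.compile(
    r"^(\d+):\s+([\d.]+)\s+(\S*bit/s)\s+(\d+)\s+ms\s+(\d+)\s+(sl\.|KB|B)")
FLOW_RE = re.compile(
    r"^\s*(\d+)\s+(\w+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_pipe_list(text):
    """Return one dict per pipe with its settings and any flow rows under it."""
    pipes = []
    for line in text.splitlines():
        m = PIPE_RE.match(line)
        if m:
            pipes.append({"pipe": int(m.group(1)), "bw": float(m.group(2)),
                          "bw_unit": m.group(3), "delay_ms": int(m.group(4)),
                          "queue": int(m.group(5)), "queue_unit": m.group(6),
                          "flows": []})
            continue
        f = FLOW_RE.match(line)
        if f and pipes:  # a flow row belongs to the pipe listed above it
            pipes[-1]["flows"].append({
                "proto": f.group(2), "src": f.group(3), "src_port": int(f.group(4)),
                "dst": f.group(5), "dst_port": int(f.group(6)),
                "pkts": int(f.group(7)), "bytes": int(f.group(8)),
                "drops": int(f.group(11))})
    return pipes


def idle_pipes(text):
    """Pipe numbers with no flow rows, i.e. no packets accounted to them yet."""
    return [p["pipe"] for p in parse_pipe_list(text) if not p["flows"]]


if __name__ == "__main__":
    text = LISTING_FROM_POST if sys.stdin.isatty() else sys.stdin.read()
    for p in parse_pipe_list(text):
        state = "no flows recorded" if not p["flows"] else f"{len(p['flows'])} flow(s)"
        print(f"pipe {p['pipe']}: {p['bw']} {p['bw_unit']}, "
              f"queue {p['queue']} {p['queue_unit']}, {state}")
```

Run with no input it reads the listing from the post; piping live `ipfw pipe list` output into it checks the running configuration instead.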