From: RW
To: Odhiambo Washington, freebsd-questions@freebsd.org
Date: Tue, 12 Sep 2006 22:13:41 +0100
Subject: Re: ipfw - bandwidth throttling (sanity check!)

On Tuesday 12 September 2006 20:49, Odhiambo Washington wrote:
> Hello Security guy ;)
>
> I have tried very hard to understand ipfw just for the purpose of
> bandwidth throttling for smtp service.
>
> Basically, I want to throttle the bandwidth used by my SMTP
> server outbound to _anyone_ else except my ip blocks.
>
> My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
> e.f.g.h/20
>
>
> Are the following rules sane enough?
>
> ipfw pipe 1 config bw 256Kbit/s
> ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
> ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25

This queues all outgoing smtp to the pipe. You also need to set
net.inet.ip.fw.one_pass=1 to avoid the packets re-entering the rules on the
next line.

Setting that means that the packets cannot pass through dynamic rules. It is
possible to use dynamic rules with dummynet, but it's a pain.
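The rule evaluation described in the reply above, as an added example that is not part of the original message: a small Python model of how the two posted pipe rules match outgoing SMTP packets, with and without one_pass. The concrete addresses are constructed stand-ins for the message's placeholders, and the single combined rule is a hypothetical alternative that nobody in the thread proposed.

```python
import ipaddress

# Constructed stand-ins for the placeholders used in the message.
SERVER = ipaddress.ip_address("198.51.100.10")   # stands in for 1.2.3.4
BLOCK_A = ipaddress.ip_network("10.0.0.0/19")    # stands in for a.b.c.d/19
BLOCK_B = ipaddress.ip_network("10.1.0.0/20")    # stands in for e.f.g.h/20

# Each rule: (pipe number, networks the destination must NOT be in).
POSTED_RULES = [(1, [BLOCK_A]), (1, [BLOCK_B])]
# Hypothetical alternative: one rule that excludes both blocks at once.
COMBINED_RULES = [(1, [BLOCK_A, BLOCK_B])]


def rule_matches(excluded, src, dst, dport):
    """Model of: pipe N tcp from SERVER to not <excluded> 25."""
    if src != SERVER or dport != 25:
        return False
    return not any(dst in net for net in excluded)


def pipes_traversed(rules, dst, one_pass, src=SERVER, dport=25):
    """Return the pipes a packet passes through, in rule order.

    one_pass=True : the packet leaves the firewall after the first pipe.
    one_pass=False: after the pipe, the packet re-enters at the next rule.
    """
    dst = ipaddress.ip_address(dst)
    hits = []
    for pipe, excluded in rules:
        if rule_matches(excluded, src, dst, dport):
            hits.append(pipe)
            if one_pass:
                break
    return hits


def report(rules, one_pass):
    """Map each constructed sample destination to the pipes it traverses."""
    samples = {"external": "203.0.113.5", "block_a": "10.0.1.1", "block_b": "10.1.1.1"}
    return {name: pipes_traversed(rules, ip, one_pass) for name, ip in samples.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("combined", COMBINED_RULES)):
        for one_pass in (True, False):
            print(label, "one_pass=%d" % one_pass, report(rules, one_pass))
```
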