From owner-freebsd-security Mon Jul 16 8:51:42 2001
Date: Mon, 16 Jul 2001 19:51:03 +0400
From: "Nickolay A.Kritsky"
Reply-To: "Nickolay A.Kritsky"
Organization: IHelp
Message-ID: <178267014666.20010716195103@internethelp.ru>
To: Jason Borkowsky
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw pipe command

Hello Jason,

Monday, July 16, 2001, 7:37:43 PM, you wrote:

JB> I have a question about using pipes in ipfw and hope this is the right
JB> forum to ask this question.

JB> I have a FreeBSD box connected to a DSL modem at Ethernet 802.3
JB> (10Mb/s) half duplex connection. I am running ipfw on the box, and in
JB> terms of filtering, NAT'ing, and port redirection, everything works fine.

JB> I decided I wanted to try to use piping to bandwidth limit certain types
JB> of traffic. After reading the man pages and ipfw HOW-TO, I came up with
JB> the following simple configuration:

JB> ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes
JB> ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0

JB> So the first line creates a pipe that is limited to 5 Kb/s and has a queue
JB> of 4Mbytes, which should limit traffic drops for large transfers.
JB> The next line creates a rule saying if the traffic is TCP, and is sourced
JB> from my FreeBSD box of IP address x.x.x.x and the source port is in the
JB> range of 41000-42000 and is being transmitted out my external interface
JB> (fxp0), it should use this pipe.

JB> So now if I list the pipes, I see the following:

JB> #ipfw pipe list
JB> 00010: 5.000 Kbit/s 0 ms 4 sl. 1 queues (1 buckets) droptail
JB> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
JB> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp

JB> So I have my pipe at 5Kb/s, but it doesn't look like it is being used. I
JB> then set up a test connection, use an external sniffer (SnifferPro) and
JB> monitor my traffic sessions. However, any tcp traffic in the range of
JB> 41000-42000 that is being transmitted from my machine out that interface
JB> is not being slowed to 5Kb/s, and is just grabbing all available bandwidth
JB> (11,000 to 16,000 KBYTES/s). Can anyone that uses pipes tell me what I did
JB> wrong or how to better troubleshoot this? Thanks!

JB> To Unsubscribe: send mail to majordomo@FreeBSD.org
JB> with "unsubscribe freebsd-security" in the body of the message

Try `ipfw show' to see if the traffic really does hit the pipe. Check
your rc.firewall file to see if you have any rules that apply to such
traffic (i.e. ipfw add pass tcp from x.x.x.x 41000-42000 to any out xmit fxp0)
_before_ your "pipe" rule.

Good luck!

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
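
The check suggested in the reply, as an added example that is not part of the original message: it reads `ipfw show` output (rule number, packets, bytes, rule), reports the pipe rule's counters, and lists earlier rules that may be taking the traffic first. The sample ruleset, the address 192.0.2.10 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipfw show` output: rule number, packets, bytes, rule.
# 192.0.2.10 is a placeholder for the x.x.x.x host in the thread.
sample_ipfw_show() {
cat <<'EOF'
00100   412    38122 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300 98231 71204455 allow tcp from 192.0.2.10 to any out xmit fxp0
00400     0        0 pipe 10 tcp from 192.0.2.10 41000-42000 to any out xmit fxp0
65535  1020    88310 deny ip from any to any
EOF
}

# pipe_counters PIPE: print "rule packets bytes" for the first rule feeding PIPE.
# Zero packets means no traffic has matched the pipe rule.
pipe_counters() {
    awk -v p="$1" '$4 == "pipe" && $5 == p { print $1, $2, $3; exit }'
}

# shadow_candidates PIPE IFACE: print the numbers of rules listed before the
# pipe rule that end processing, have matched packets, and could cover
# outbound TCP on IFACE. Heuristic only: addresses and ports are not compared.
shadow_candidates() {
    awk -v p="$1" -v ifc="$2" '
        function covers(    i) {
            if ($5 !~ /^(tcp|ip|all)$/) return 0
            for (i = 6; i <= NF; i++) {
                if ($i == "in") return 0
                if (($i == "via" || $i == "xmit") && $(i + 1) != ifc) return 0
            }
            return 1
        }
        $4 == "pipe" && $5 == p { exit }
        $4 ~ /^(allow|accept|pass|permit|deny|drop|reject|reset)$/ &&
            $2 > 0 && covers() { print $1 }
    '
}

echo "pipe 10 rule counters: $(sample_ipfw_show | pipe_counters 10)"
echo "earlier rules to review: $(sample_ipfw_show | shadow_candidates 10 fxp0)"
```

On a live host, pipe the real output in place of the sample, for instance `ipfw show | shadow_candidates 10 fxp0`.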