Date: Tue, 16 Jan 2001 20:15:08 +0100 From: Clemens Hermann <haribeau@gmx.de> To: Luigi Rizzo <rizzo@aciri.org> Cc: freebsd-net@freebsd.org Subject: Re: bandwith limitation Message-ID: <20010116201508.A2261@ramses.local> In-Reply-To: <200101161754.f0GHstB09523@iguana.aciri.org> von Luigi Rizzo <rizzo@aciri.org> am 16.Jan.2001 um 09:54:55 (-0800) References: <20010116194547.A1319@ramses.local> <200101161754.f0GHstB09523@iguana.aciri.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Am 16.01.2001 um 09:54:55 schrieb Luigi Rizzo:
Hi Luigi,
first thanks for your hints,
> > so it is definitely impossible that a packet that passes ipfw (as every
> > packet does) enters the system even if ipf says "no", right?
>
> you have to look at the order of invokation of ipfw and ipfw
> in the kernel (/sys/netinet/ip_{input,output}.c) to make
> sure what happens.
I am not really a C-crack :-(. The only thing I really would like to
know is, if any packet has to pass ipf, no matter what ipfw sayd before
(or after). If this is the case it would be blocked if necessary.
I am just not sure if there could be a situation where ipfw says "o.k."
and the packet passes through both tools (ipf & ipfw) no matter what ipf
says.
> > I have some additional questions concerning the ipfw approach:
> >
> > - is it in general a bad thing to have ipf/ipfw together running on one
> > machine or ist it just o.k. to have ipf as firewall and IP-accounting
> > and ipfw for bandwith limitations?
>
> it is not bad, though you end up using two different packages
> and maybe do the classification twice. As far as i can tell
> the only real advantage of ipf is that you can do NAT in the kernel,
> for all the rest (including stateful filtering) ipfw is pretty
> much on par.
I used ipfw to do the filtering before but I needed IP-accounting and
for this purpose ipf does a pretty cool job. In combination with ipacct
I get a perfect report (devices, in-out, etc.). To drop ipf I would need
something similar to do this with ipfw. Is there a way to do this?
> > - does the bandwith-limitation that ipfw/dummynet offer tear down the
> > effective bandwith of my server?
>
> that is exactly what you want to do, right ?
perhaps my question was misleading. If I have 100 MBit and use the shaper
could it be possible to end up with a performance of 50 MBit (or
whatever) just because the shaper "eats" bandwith while doing the job?
Thanks a lot for your help (and Martin's of course). I have been looking
around for really a while to solve my problem and I get great help from
you.
/ch
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010116201508.A2261>