From: Clemens Hermann
To: Luigi Rizzo
Cc: freebsd-net@freebsd.org
Date: Tue, 16 Jan 2001 20:15:08 +0100
Subject: Re: bandwith limitation
Message-ID: <20010116201508.A2261@ramses.local>

On 16.01.2001 at 09:54:55, Luigi Rizzo wrote:

Hi Luigi,

first, thanks for your hints.

> > so it is definitely impossible that a packet that passes ipfw (as every
> > packet does) enters the system even if ipf says "no", right?
>
> you have to look at the order of invocation of ipfw and ipfw
> in the kernel (/sys/netinet/ip_{input,output}.c) to make
> sure what happens.

I am not really a C-crack :-(. The only thing I really would like to
know is whether any packet has to pass ipf, no matter what ipfw said
before (or after). If this is the case it would be blocked if necessary.
I am just not sure if there could be a situation where ipfw says "o.k."
and the packet passes through both tools (ipf & ipfw) no matter what ipf
says.

> > I have some additional questions concerning the ipfw approach:
> >
> > - is it in general a bad thing to have ipf/ipfw together running on one
> >   machine or is it just o.k. to have ipf as firewall and IP-accounting
> >   and ipfw for bandwidth limitations?
>
> it is not bad, though you end up using two different packages
> and maybe do the classification twice. As far as I can tell
> the only real advantage of ipf is that you can do NAT in the kernel,
> for all the rest (including stateful filtering) ipfw is pretty
> much on par.

I used ipfw to do the filtering before, but I needed IP-accounting and
for this purpose ipf does a pretty cool job. In combination with ipacct
I get a perfect report (devices, in-out, etc.). To drop ipf I would need
something similar to do this with ipfw. Is there a way to do this?

> > - does the bandwidth-limitation that ipfw/dummynet offer tear down the
> >   effective bandwidth of my server?
>
> that is exactly what you want to do, right?

Perhaps my question was misleading. If I have 100 MBit and use the
shaper, could it be possible to end up with a performance of 50 MBit (or
whatever) just because the shaper "eats" bandwidth while doing the job?

Thanks a lot for your help (and Martin's of course). I have been looking
around for really a while to solve my problem and I get great help from
you.

/ch