Date: Mon, 29 Jul 2019 19:51:34 +0200
From: Kristof Provost <kp@freebsd.org>
To: Paul Webster <paul.g.webster@googlemail.com>
Cc: mike tancsa <mike@sentex.net>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: pf and dummynet
Message-ID: <20190729175134.GE10541@vega.codepro.be>
In-Reply-To: <5d3f305f.1c69fb81.90047.531f@mx.google.com>
References: <d68129cd-40a4-e065-32c3-3f574eca537e@sentex.net> <5d3f305f.1c69fb81.90047.531f@mx.google.com>
> On 2019-07-29 18:44:00 (+0100), Paul Webster via freebsd-pf <freebsd-pf@freebsd.org> wrote:
> >
> > Sent from Mail for Windows 10
> >
> > From: mike tancsa
> > Sent: 29 July 2019 17:06
> > To: freebsd-pf@freebsd.org
> > Subject: pf and dummynet
> >
> > I have a box I need to shape inbound and outbound traffic. It seems altq
> > can only shape outbound packets and not limit inbound ? If that's the
> > case, what is the current state of mixing ipfw, dummynet and pf ?
> > Writing large complex firewall rules works better from a readability POV
> > (for us anyways) so I really prefer to use it. But I need to prevent zfs
> > replication eating up BW over some WAN links, and dummynet seems to
> > "just work"
> >
> > For ipfw I have
> >
> >
> > 00010 6640359 9959147882 pipe 1 tcp from 192.168.128.0/20 to any
> > 01000 3486901 228480912 allow ip from any to any
> >
> > and then checking my pf.conf rules, it seems to block and pass traffic
> > as expected.
> >
> > Is there anything I should explicitly check ?
> >
> You can mix ipfw and pf, but beware of the order they are loaded (The
> first one loaded is inside the second one loaded) – it may be better
> in fact to compile them both in the kernel.
>
> You basically end up with: (pf)(ipfw)(system)(ipfw)(pf) – assuming pf
> was loaded first

Also beware of gotchas with things like IPv6 fragment handling or route-to.

I do not consider mixing firewalls to be a supported configuration. If it
breaks you get to keep the pieces.

Regards,
Kristof