From owner-freebsd-questions  Fri Jan  3 15:38:44 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EF3D937B401
	for <freebsd-questions@freebsd.org>; Fri,  3 Jan 2003 15:38:42 -0800 (PST)
Received: from isber.ucsb.edu (research.isber.ucsb.edu [128.111.147.5])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B4D8843EE1
	for <freebsd-questions@freebsd.org>; Fri,  3 Jan 2003 15:38:38 -0800 (PST)
	(envelope-from randall@isber.ucsb.edu)
Received: from localhost ([127.0.0.1] helo=research.isber.ucsb.edu)
	by isber.ucsb.edu with esmtp (Exim 3.36 #2)
	id 18UbOa-000KVl-00; Fri, 03 Jan 2003 15:38:32 -0800
Date: Fri, 3 Jan 2003 15:38:32 -0800 (PST)
From: randall ehren <randall@ucsb.edu>
To: Avleen Vig <lists-freebsd@silverwraith.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: incoming bandwidth limiting using ipfilter
In-Reply-To: <20030103153026.A17456@guava.silverwraith.com>
Message-ID: <Pine.BSF.4.33.0301031533560.78558-100000@isber.ucsb.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Scanner: exiscan *18UbOa-000KVl-00*JZR5Xv0XLRs* (ISBER - Institute for Social, Behavioral, and Economic Research)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

> > http://www.google.com/search?q=ipfilter+ipfw+together
> >  --> http://false.net/ipfilter/2000_02/0407.html
>
> This is what we settled with eventually, but the processing order for
> packets when you're using both IPF and IPFW plus ipnat is seriously
> f*rked.

not to stray too far, but if IPFW is set to allow all incoming packets and is
only used for shaping, and you have ipfilter handling nat, then it seems it
would just be:

 network card --> IPFW (traffic shape) --> IPF (filter+nat) --> userland

 i guess an internally NAT address would go back out as:
  IPF --> IPFW --> network card

 doesn't seem that bad...

 -randall

--
        :// randall s. ehren         :// voice 805.893.5632
        :// systems administrator    :// isber|survey|avss.ucsb.edu
        :// institute for social, behavioral, and economic research


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message