From owner-freebsd-questions@FreeBSD.ORG Wed Sep 13 05:25:38 2006
Date: Wed, 13 Sep 2006 08:25:24 +0300
From: Odhiambo Washington <wash@wananchi.com>
To: freebsd-questions@freebsd.org
Message-ID: <20060913052524.GB11678@ns2.wananchi.com>
In-Reply-To: <200609122213.43164.list-freebsd-2004@morbius.sent.com>
References: <20060912194907.GA44560@ns2.wananchi.com> <200609122213.43164.list-freebsd-2004@morbius.sent.com>
User-Agent: Mutt/1.5.12-2006-07-14
Subject: Re: ipfw - bandwidth throttling (sanity check!)
* On 12/09/06 22:13 +0100, RW wrote:
| On Tuesday 12 September 2006 20:49, Odhiambo Washington wrote:
| > Hello Security guy ;)
| >
| > I have tried very hard to understand ipfw just for the purpose of
| > bandwidth throttling for smtp service.
| >
| > Basically, I want to throttle the bandwidth used by my SMTP
| > server outbound to _anyone_ else except my ip blocks.
| >
| > My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
| > e.f.g.h/20
| >
| > Are the following rules sane enough?
| >
| > ipfw pipe 1 config bw 256Kbit/s
| > ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
| > ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25
|
| This queues all outgoing smtp to the pipe.
|
| You also need to set net.inet.ip.fw.one_pass=1 to avoid the packets
| re-entering the rules on the next line. Setting that means that the packets
| cannot pass through dynamic rules. It is possible to use dynamic rules with
| dummynet, but it's a pain.

Thank you so much for clarifying that. What I wanted clarified is whether
it is true that "smtp traffic to a.b.c.d/19 and e.f.g.h/20" is NOT being
put through this pipe. net.inet.ip.fw.one_pass=1 seems to be the default
on my system. Not sure why, but I will RTFM about it.

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
+======================================================================+
 |\      _,,,---,,_     | Odhiambo Washington
 Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
|,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
'---''(_/--'  `-'\_)    | GSM: +254 722 743223   +254 733 744121
+======================================================================+
If only one could get that wonderful feeling of accomplishment without
having to accomplish anything.
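Added example, not code from the thread or from ipfw itself: an offline model of ipfw's first-match rule evaluation, run over the two-rule set quoted above and over a corrected set that exempts the local blocks before piping the rest. It exists because the question in the reply ("is SMTP to a.b.c.d/19 and e.f.g.h/20 NOT being put through this pipe?") can be answered mechanically: a destination inside a.b.c.d/19 fails the first rule but is outside e.f.g.h/20, so the second rule catches it; "not A" or "not B" over two disjoint blocks matches every address. The networks 10.0.0.0/19 and 10.1.0.0/20 are constructed stand-ins for a.b.c.d/19 and e.f.g.h/20, and 203.0.113.10 stands in for an outside MX. The evaluator assumes net.inet.ip.fw.one_pass=1 (the poster's default), i.e. a matching pipe rule is terminal, which is what makes rule order decisive. The parser covers only the ipfw syntax subset these rules use.

```python
# Offline model of ipfw first-match evaluation for the rules in this thread.
# Added example; the ipfw syntax subset parsed here is only what the rules
# below use. The 10.x networks and 203.0.113.10 are constructed stand-ins.
import ipaddress

SERVER = "1.2.3.4"        # the poster's placeholder for the MTA address
NET_A = "10.0.0.0/19"     # stand-in for a.b.c.d/19  (constructed)
NET_B = "10.1.0.0/20"     # stand-in for e.f.g.h/20  (constructed)

# The ruleset from the thread: two independent 'not' rules.
ORIGINAL = [
    f"add pipe 1 tcp from {SERVER} to not {NET_A} 25",
    f"add pipe 1 tcp from {SERVER} to not {NET_B} 25",
]

# Corrected: exempt the local blocks first, then pipe everything else.
# With net.inet.ip.fw.one_pass=1 the pipe rule is terminal, so rule order
# is the whole story.
FIXED = [
    f"add 100 allow tcp from {SERVER} to {NET_A} 25 out",
    f"add 110 allow tcp from {SERVER} to {NET_B} 25 out",
    f"add 120 pipe 1 tcp from {SERVER} to any 25 out",
]


def _nets(spec):
    """'any' -> None (matches everything); 'a/19,b/20' -> list of networks."""
    if spec == "any":
        return None
    return [ipaddress.ip_network(s if "/" in s else s + "/32")
            for s in spec.split(",")]


def parse_rule(text):
    """Parse 'add [num] ACTION [arg] PROTO from SRC to [not] DST [dport] [in|out]'."""
    tok = text.split()
    if tok[0] != "add":
        raise ValueError(text)
    i, num = 1, None
    if tok[i].isdigit():
        num, i = int(tok[i]), i + 1
    action, i = tok[i], i + 1
    arg = None
    if action in ("pipe", "queue", "skipto"):
        arg, i = int(tok[i]), i + 1
    proto, i = tok[i], i + 1
    if tok[i] != "from":
        raise ValueError(text)
    src, i = _nets(tok[i + 1]), i + 2
    if tok[i] != "to":
        raise ValueError(text)
    i += 1
    negate = tok[i] == "not"      # 'not' inverts the whole address list
    if negate:
        i += 1
    dst, i = _nets(tok[i]), i + 1
    dport = None
    if i < len(tok) and tok[i].isdigit():
        dport, i = int(tok[i]), i + 1
    direction = tok[i] if i < len(tok) and tok[i] in ("in", "out") else None
    return {"num": num, "action": action, "arg": arg, "proto": proto,
            "src": src, "dst": dst, "negate": negate, "dport": dport,
            "dir": direction}


def _in(nets, ip):
    return nets is None or any(ip in n for n in nets)


def first_match(rules, src, dst, dport, proto="tcp", direction="out"):
    """Return the first rule matching the packet, or None (ipfw semantics)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in map(parse_rule, rules):
        if r["proto"] not in (proto, "ip", "all"):
            continue
        if r["dir"] not in (None, direction):
            continue
        if not _in(r["src"], src):
            continue
        hit = _in(r["dst"], dst)
        if r["negate"]:
            hit = not hit
        if not hit:
            continue
        if r["dport"] not in (None, dport):
            continue
        return r
    return None


def is_throttled(rules, dst, dport=25):
    """True if outbound SMTP from SERVER to dst lands in the dummynet pipe."""
    r = first_match(rules, SERVER, dst, dport)
    return r is not None and r["action"] == "pipe"


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for dst in ("10.0.0.25", "10.1.1.1", "203.0.113.10"):
            print(f"{name:8} smtp to {dst:13} -> piped={is_throttled(rules, dst)}")
```

Running it shows the original set piping all three destinations and the fixed set piping only 203.0.113.10. Two caveats on the corrected rules: `allow` in rules 100 and 110 ends processing for that traffic, so if later rules must still see the exempt SMTP sessions, use `skipto` past the pipe rule instead; and the rules carry `out` so the pipe only shapes what the server sends, not inbound SMTP. On ipfw2 the same intent fits in one rule with a comma-separated address list, `to not a.b.c.d/19,e.f.g.h/20 25 out` (the addr-list syntax from ipfw(8), not something the thread states).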