Date: Wed, 29 Mar 2006 13:09:13 -0300 (BRT)
From: Marcelo Souza <mpsouza@centroin.com.br>
To: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
Cc: ipfw@freebsd.org
Subject: Re: Single machine traffic shaping
Message-ID: <20060329130847.E4053@trex.centroin.com.br>
In-Reply-To: <442995DF.7060809@freebsdbrasil.com.br>
References: <20060328164150.C52489@trex.centroin.com.br> <442995DF.7060809@freebsdbrasil.com.br>

Patrick,

Thank you!

- Marcelo Souza

On Tue, 28 Mar 2006, Patrick Tracanelli wrote:

|> I.e: Is this correct, when trying to limit any single host to use just
|> 128kbps/s when connecting to my sendmail?
|>
|> ipfw add 00100 pipe 10 tcp from any 25 to any in
|> ipfw add 00105 pipe 20 tcp from any to any dst-port 25 out
|>
|> ipfw pipe 10 config mask src-ip 0xffffffff bw 128kbits/s
|> ipfw pipe 20 config mask dst-ip 0xffffffff bw 128kbits/s
|
|Yes it will work as expected, try to get used to define 0x000000ff as mask for
|single hosts to avoid tunnelling per network by any mistake.
|
|> Also, should those "add pipe" come before any other rule in the ipfw
|> configuration?
|
|It depends on "how" you are working your firewall. If it is the default
|behaviour, when the sequential processing matches the pipe rule it will be
|assumed as an allowed packet (as an "allow" rule). It is not true if you have
|your sysctl MIB net.inet.ip.fw.one_pass=0, where after piped on dummynet the
|packet is still sequentially processed, so it needs a rule to match an
|"allow" decision.
|
|With this in mind where you will put the rule depends if you need extra SMTP
|filtering before or after limiting bandwidth.
|
|--
|Patrick Tracanelli
|
|FreeBSD Brasil LTDA.
|(31) 3281-9633 / 3281-3547
|316601@sip.freebsdbrasil.com.br
|http://www.freebsdbrasil.com.br
|"Long live Hanin Elias, Kim Deal!"

- Marcelo
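
The rule-ordering point discussed in this thread, as an added example that is not part of the original messages or of ipfw itself: a simplified Python model of how a packet traverses the two pipe rules with net.inet.ip.fw.one_pass set to 1 or 0, plus how a pipe mask groups hosts into queues. Rule number 200, the function names and the sample addresses are constructed for illustration, and the default rule 65535 is assumed to be "deny".

```python
"""Simplified model of ipfw rule traversal around dummynet pipes (illustration only)."""
from ipaddress import IPv4Address

# The two pipe rules from the thread, expressed as (number, action, matcher).
PIPES = [
    (100, "pipe 10", lambda p: p["dir"] == "in" and p["sport"] == 25),
    (105, "pipe 20", lambda p: p["dir"] == "out" and p["dport"] == 25),
]
# Hypothetical explicit allow rule placed after the pipes (not in the thread).
ALLOW_SMTP = (200, "allow", lambda p: 25 in (p["sport"], p["dport"]))
# Assumption: the kernel's default rule is "deny ip from any to any".
DEFAULT_DENY = (65535, "deny", lambda p: True)


def verdict(packet, one_pass, with_allow_rule):
    """Return (final_action, rule_numbers_hit) for one packet."""
    rules = PIPES + ([ALLOW_SMTP] if with_allow_rule else []) + [DEFAULT_DENY]
    hits = []
    for number, action, match in rules:
        if not match(packet):
            continue
        hits.append(number)
        if action.startswith("pipe"):
            if one_pass:
                return "allow", hits  # one_pass=1: the pipe match ends processing
            continue                  # one_pass=0: resume at the next rule
        return action, hits
    raise AssertionError("unreachable: the default rule matches everything")


def pipe_queue(addr, mask):
    """Key of the dynamic queue dummynet creates for an address: addr AND mask."""
    return int(IPv4Address(addr)) & mask


if __name__ == "__main__":
    smtp_out = {"dir": "out", "sport": 40000, "dport": 25}  # constructed packet
    for one_pass in (True, False):
        for with_allow in (False, True):
            print(one_pass, with_allow, verdict(smtp_out, one_pass, with_allow))
    for mask in (0xFFFFFFFF, 0x000000FF):
        # Two constructed hosts on different networks with the same last octet.
        print(hex(mask), pipe_queue("192.0.2.7", mask), pipe_queue("198.51.100.7", mask))
```

On a live system, `sysctl net.inet.ip.fw.one_pass` and `ipfw pipe show` report the actual setting and the queues dummynet has created.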