Date: Thu, 14 Sep 2006 19:35:33 +0300 From: Odhiambo WASHINGTON <odhiambo.raburu@wananchi.com> To: freebsd-ipfw@freebsd.org Subject: Bandwidth Control (Newbie) Message-ID: <20060914163533.GU49058@ns2.wananchi.com>
Hi! Hello Security folks,

Dad, please don't cane me, please, I am innocent. I just don't know how to do it.

I am a regular FreeBSD user/admin, but not a regular ipfw user. I only need ipfw on certain machines where I use IPFilter for firewalling, and more so, just for the bandwidth control. Please bear with me on this. My desire is not to learn ipfw as a firewall tool, as I already bought into PF, but since I am still a newbie with PF, I need to use dummynet as an emergency solution to a problem I have at the moment. I hope you guys welcome lazy people into this list once in a while ;)

My questions. I have two situations, and two different questions.

1. I have a mail server, with just one IP address (1.2.3.4). Then I have two IP blocks (a.b.c.0/19 and d.e.f.0/20). On this mail server, which is directly connected to the Internet, I need to limit the outgoing bandwidth used by the SMTP service to just 512Kbit/s, except where the destination is one of my IP blocks, where the rule should NOT apply. I have the rules below, but they appear not to do what I want, as they seem to apply the limit even to destinations in my IP blocks.

# smtp traffic throttle
ipfw pipe 1 config bw 512Kbit/s
ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.0/19 25
ipfw add pipe 1 tcp from 1.2.3.4 to not d.e.f.0/20 25
${fwcmd} add 65000 pass all from any to any

2. In another setup, I have a FreeBSD box acting as a router/firewall/etc for a LAN for a customer. The ISP (shit, I am the ISP) is giving the customer 256Kbps bandwidth. The firewall is IPFilter, as I have mentioned. I need to restrict the outgoing bandwidth for all machines (on all services) except for one host (10.0.0.251) to 128Kbit/s. The good guy should always get 128Kbit/s even when all the rest are starved. Put another way, all LAN hosts except 10.0.0.251 should be restricted to 128Kbit/s. This leaves half of the total bandwidth available to 10.0.0.251.

I don't want this limitation to apply to LAN<->LAN traffic, just outgoing to the Internet. Are the rules below correct?

# Outside (public) interface network and netmask and ip
oif="bfe0"
onet="4.5.6.0"
omask="255.255.255.252"
oip="4.5.6.1"

# Inside interface network and netmask and ip
iif="xl0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.2"

ipfw pipe 1 config bw 128Kbit/s
ipfw add 100 pass all from 10.0.0.251 to any out via ${oif}
ipfw add pipe 1 tcp from not 10.0.0.251 to any out via ${oif}
${fwcmd} add 65000 pass all from any to any

Thank you (all) very much for your patience (with me) and time. I'll very much appreciate modifications to these rules. I concocted them so fast from the ipfw man page.

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
 |\      _,,,---,,_         | Odhiambo Washington    <wash@wananchi.com>
Zzz /,`.-'`'    -.  ;-;;,_  | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-' | Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)      | GSM: +254 722 743223   +254 733 744121
+======================================================================+
The fortune program is supported, in part, by user contributions and by a major grant from the National Endowment for the Inanities.
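As a worked answer to both questions, here is a corrected dummynet ruleset. This is an added example, not the poster's rules and not part of FreeBSD or IPFilter; it keeps the addresses, netblocks and interface names from the post (including the a.b.c.0/19 and d.e.f.0/20 placeholders, which must be filled in before use), while the rule numbers, the pipe numbers, the ROLE/APPLY variables and the run helper are my own choices. Two things in the posted rules explain what was observed. In setup 1, `to not a.b.c.0/19` and `to not d.e.f.0/20` are two separate rules: a packet bound for a.b.c.0/19 fails the first rule but matches the second, so every destination ends up in the pipe. The exceptions have to be terminal `allow` rules placed before a single pipe rule. In setup 2, `tcp` shapes only TCP, so UDP and ICMP from the LAN stay unlimited, and if ipnat translates addresses on bfe0 (the post does not say, but a private LAN behind a public /30 suggests it), a rule on `out via bfe0` may already see the translated source. Classifying on `in via xl0` with a non-LAN destination always sees the real LAN source and never matches LAN<->LAN traffic.

```shell
#!/bin/sh
# Added example: dummynet shaping for the two setups in the post.
# Not the poster's rules and not FreeBSD's own scripts. Addresses, netblocks
# and interface names are the placeholders from the post; rule numbers, pipe
# numbers and the run() helper are my own choices. ipfw is executed only when
# APPLY=1 is set in the environment; otherwise the commands are printed.
set -eu

fwcmd="ipfw"

# Setup 1: mail server with one address and two local netblocks (placeholders
# from the post; replace before applying).
mailsrv="1.2.3.4"
localnet1="a.b.c.0/19"
localnet2="d.e.f.0/20"

# Setup 2: router with the outside and inside interfaces named in the post.
oif="bfe0"
iif="xl0"
lan="10.0.0.0/24"
goodguy="10.0.0.251"

# run: execute the ipfw command when APPLY=1, otherwise echo it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        $fwcmd "$@"
    else
        echo "$fwcmd $*"
    fi
}

# smtp_throttle: outbound SMTP from the mail server is capped at 512Kbit/s,
# except to the two local blocks. The exceptions come first and are terminal
# (allow); a pair of "to not X" pipe rules cannot express this, because a
# packet to X fails one rule and matches the other.
smtp_throttle() {
    run pipe 1 config bw 512Kbit/s
    run add 100 allow tcp from "$mailsrv" to "$localnet1" 25 out
    run add 110 allow tcp from "$mailsrv" to "$localnet2" 25 out
    run add 120 pipe 1 tcp from "$mailsrv" to any 25 out
}

# lan_throttle: everything from the LAN to the Internet shares 128Kbit/s,
# except $goodguy, which is allowed through before the pipe rule and so is
# never shaped. Matching "in via $iif" with a non-LAN destination classifies
# the packet as it arrives from the LAN, with its untranslated source address,
# and LAN<->LAN traffic never matches. "ip" rather than "tcp" so that UDP and
# ICMP are shaped too.
lan_throttle() {
    run pipe 2 config bw 128Kbit/s
    run add 200 allow ip from "$goodguy" to not "$lan" in via "$iif"
    run add 210 pipe 2 ip from "$lan" to not "$lan" in via "$iif"
}

# catchall: ipfw must never drop anything here; filtering is IPFilter's job.
catchall() {
    run add 65000 allow ip from any to any
}

case "${ROLE:-}" in
    mailserver) smtp_throttle; catchall ;;
    router)     lan_throttle; catchall ;;
    *) echo "usage: ROLE=mailserver|router [APPLY=1] sh $0" >&2 ;;
esac
```

Run it as `ROLE=mailserver sh shape.sh` on the mail server and `ROLE=router sh shape.sh` on the customer router; without APPLY=1 it only prints the commands, which is the safe way to check them first. The kernel needs IPFIREWALL and DUMMYNET (or ipfw.ko with dummynet.ko loaded). With the default `net.inet.ip.fw.one_pass=1`, a packet leaving a pipe is not passed through the rules again, so the pipe rules are effectively terminal and the rule at 65000 only matters for traffic that matched nothing above it.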