Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 14 Sep 2006 19:35:33 +0300
From:      Odhiambo WASHINGTON <odhiambo.raburu@wananchi.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Bandwith Control (Newbie)
Message-ID:  <20060914163533.GU49058@ns2.wananchi.com>

Next in thread | Raw E-Mail | Index | Archive | Help
Salut!

Hello Security folks,

Dad, please don't cane me, please, I am innocent. I just
don't know how to do it.


I am a regular FreeBSD user/admin, but not a regular ipfw user.
I only need ipfw on certain machines where I use IPFilter for
firewalling, and more so, just for the bandwidth control.

Please bear with me on this.
My desire is not to learn the ipfw as a firewall tool, as I
already bought into PF, but since I am still a newbie with PF,
I need to use dummynet as an emergency solution to a problem I
have at the moment.

I hope you guys welcome lazy people into this list once in a while;)

My questions. I have two situations, and two different questions.

1. I have a mail server, with just one IP address (1.2.3.4). Then I 
   have two IP blocks (a.b.c.0/19 and d.e.f.0/20).

  On this mail server, which is directly connected to the Internet,
  I need to limit the outgoing bandwidth used by SMTP service to just
  512Kbit/s, except where the destination is one of my IP blocks, the
  rule should NOT apply. I have the rule below, but it appears not
  to do what I want, as it seems to apply the rule even to destinations
  in my IP blocks.

	# smtp traffic throttle
        ipfw pipe 1 config bw 512Kbit/s
        ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.0/19 25
        ipfw add pipe 1 tcp from 1.2.3.4 to not d.e.f.0/20 25
	${fwcmd} add 65000 pass all from any to any


2. In another setup, I have a FreeBSD box acting as a router/firewall/etc
   for a LAN for a customer. The ISP (shit, I am the ISP) is giving the
   customer 256Kbps bandwidth. The firewall is IPFilter, as I have
   mentioned.

   I need to restrict the outging bandwidth for all machines (on all 
   services) except for one host (10.0.0.251), to 128Kbit/s. The 
   good guy should always get 128Kbit/s even when all the rest are
   starved. Put it another way, all LAN hosts except 10.0.0.251 should
   be restricted to 128Kbit/s. This leaves a half of the total bandwidth
   available to 10.0.0.251. I don't want this limitation to apply for
   LAN<->LAN traffic, just outgoing to the Internet.

   Is the rule below correct?

        # Outside (public) interface network and netmask and ip
        oif="bfe0"
        onet="4.5.6.0"
        omask="255.255.255.252"
        oip="4.5.6.1"

        # Inside interface network and netmask and ip
        iif="xl0"
        inet="10.0.0.0"
        imask="255.255.255.0"
        iip="10.0.0.2"


        ipfw pipe 1 config bw 128Kbit/s
        ipfw add 100 pass all from 10.0.0.251 to any out via ${oif}
        ipfw add pipe 1 tcp from not 10.0.0.251 to any out via ${oif}
        ${fwcmd} add 65000 pass all from any to any


Thank you (all) very much, for your patience (with me) and time.

I'll very much appreciate modifications to these rules. I concocted
these so fast from ipfw man page.


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington    <wash@wananchi.com>
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+

The fortune program is supported, in part, by user contributions and by
a major grant from the National Endowment for the Inanities.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20060914163533.GU49058>