From: Jon Simola <jon@abccom.bc.ca>
To: Sean Hafeez
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 3 Dec 2003 09:38:21 -0800 (PST)
Subject: Re: MAN page example vs. this?
In-Reply-To: <5C6FE088-2538-11D8-AE73-003065F1EE08@edgefocus.com>
Message-ID: <20031203090803.R38868-100000@tyberius.abccom.bc.ca>
List-Id: IPFW Technical Discussions

On Tue, 2 Dec 2003, Sean Hafeez wrote:

> Thank you for the info. One or 2 questions if I could?

Trying to help as much as I can. My situation is a fairly unique
application I believe, so my experiences are somewhat unique as well.

> > You're forcing the interface. Be careful, as packets may flow through
> > in ways you don't expect.
>
> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
> rl1 the internal. What could I miss?

Well, packets destined for or sourced by the firewall itself, packets
flowing backwards because of spoofing, or just people plugging themselves
into the network at the wrong place. I've had to be careful as my
firewalling bridge (switch) has 5 interfaces, so I've placed more emphasis
on keeping track of IP addresses.

> > If you used "mask src-ip 0x00000001" you would be sorting the packets
> > into buckets (and queues) based on whether the source IP's last octet was
> > even or odd.
>
> So 0xffffffff would match one user to one website, etc...?

That would match one user. If you only have a single /24 behind your
firewall, note that the following rulesets would be equivalent:

    ipfw pipe 1 config mask src-ip 0xffffffff
    ipfw pipe 2 config mask src-ip 0x000000ff

    ipfw add pipe 1 ip from any to any recv rl1      // from the internal network
    ipfw add pipe 2 ip from 192.168.0.0/24 to any    // from an internal network

The only difference that I can think of offhand for that is that a "pipe
show" would give you "192.168.0.34" on pipe 1, and "0.0.0.34" on pipe 2.

> In doing what I am doing am I limiting each user (IP) to a total of
> 200kbits or 200kbits for each user for every pipe they open?

If you wanted to do that, your pipe config would be

    ipfw pipe 5 config bw 200Kbits/sec mask all
    ipfw add pipe 5 ip from any to any recv rl0

That might be entertaining to try; I've been meaning to slow down the P2P
sharing around here.

---
Jon Simola             | "In the near future - corporate networks
Systems Administrator  | reach out to the stars, electrons and light
ABC Communications     | flow throughout the universe." -- GITS
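The queue bucketing that the masks discussed in the message above produce, as an added example that is not part of the original post: it models how dummynet derives a per-flow bucket key from a mask (masked-out bits become 0, which is why "pipe show" prints 0.0.0.34 for the 0x000000ff case), and compares how many queues, and therefore how many copies of the pipe's bandwidth, each mask yields. The flows are constructed sample data, and the five-tuple layout of the key is an assumption about the masking scheme, not FreeBSD's own code.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (not from the post): two hosts on the internal /24,
# one of them with several connections open at the same time.
SAMPLE_FLOWS = [
    {"src": "192.168.0.34", "dst": "198.51.100.7", "sport": 40001, "dport": 80,  "proto": 6},
    {"src": "192.168.0.34", "dst": "198.51.100.7", "sport": 40002, "dport": 80,  "proto": 6},
    {"src": "192.168.0.34", "dst": "203.0.113.9",  "sport": 40003, "dport": 443, "proto": 6},
    {"src": "192.168.0.35", "dst": "198.51.100.7", "sport": 50001, "dport": 80,  "proto": 6},
]

# "mask all": every field of the five-tuple takes part in the bucket key.
MASK_ALL = {"src": 0xffffffff, "dst": 0xffffffff, "sport": 0xffff, "dport": 0xffff, "proto": 0xff}

def masked_ip(ip, mask):
    """AND an IPv4 address with a 32-bit mask and render it the way the post
    says 'ipfw pipe show' prints a bucket key: masked-out octets read as 0."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))

def flow_key(flow, masks):
    """Bucket key for one flow. A field absent from 'masks' is masked to zero,
    so it does not split the pipe into separate queues."""
    return (
        masked_ip(flow["src"], masks.get("src", 0)),
        masked_ip(flow["dst"], masks.get("dst", 0)),
        flow["sport"] & masks.get("sport", 0),
        flow["dport"] & masks.get("dport", 0),
        flow["proto"] & masks.get("proto", 0),
    )

def queues(flows, masks):
    """Group flows into the queues a pipe configured with 'masks' would keep.
    Each queue is rate-limited independently, so the queue count shows whether
    the limit applies per user (src-ip mask) or per connection (mask all)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[flow_key(f, masks)].append(f)
    return dict(buckets)

if __name__ == "__main__":
    for label, masks in [("mask src-ip 0xffffffff", {"src": 0xffffffff}),
                         ("mask src-ip 0x000000ff", {"src": 0x000000ff}),
                         ("mask src-ip 0x00000001", {"src": 0x00000001}),
                         ("mask all", MASK_ALL)]:
        q = queues(SAMPLE_FLOWS, masks)
        print(f"{label:24s} -> {len(q)} queue(s), keys {[k[0] for k in q]}")
```

With a single /24 behind the firewall the full and low-octet masks partition the flows identically, 0x00000001 splits them by parity of the last octet, and "mask all" gives every connection its own queue.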