Date: Wed, 3 Dec 2003 09:38:21 -0800 (PST)
From: Jon Simola <jon@abccom.bc.ca>
To: Sean Hafeez <sahafeez@edgefocus.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: MAN page example vs. this?
Message-ID: <20031203090803.R38868-100000@tyberius.abccom.bc.ca>
In-Reply-To: <5C6FE088-2538-11D8-AE73-003065F1EE08@edgefocus.com>
On Tue, 2 Dec 2003, Sean Hafeez wrote:

> Thank you for the info. One or 2 questions if I could?

Trying to help as much as I can. My situation is a fairly unique
application I believe, so my experiences are somewhat unique as well.

> > You're forcing the interface. Be careful, as packets may flow through
> > in ways you don't expect.
>
> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
> rl1 the internal. What could I miss?

Well, packets destined or sourced by the firewall itself, packets flowing
backwards because of spoofing, or just people plugging themselves into the
network at the wrong place. I've had to be careful as my firewalling bridge
(switch) has 5 interfaces, so I've placed more emphasis on keeping track of
IP addresses.

> > If you used "mask src-ip 0x00000001" you would be sorting the packets
> > into buckets (and queues) based on whether the source IP's last octet was
> > even or odd.
>
> So 0xffffffff would match one user to one website, etc...?

That would match one user. If you only have a single /24 behind your
firewall, note that the following rulesets would be equivalent:

  ipfw pipe 1 config src-mask 0xffffffff
  ipfw pipe 2 config src-mask 0x000000ff
  ipfw pipe 1 ip from any to any recv rl1      // from the internal network
  ipfw pipe 2 ip from 192.168.0.0/24 to any    // from an internal network

The only difference that I can think of offhand for that is that a "pipe
show" would give you "192.168.0.34" on pipe 1, and "0.0.0.34" on pipe 2.

> In doing what I am doing am I limiting each user (IP) to a total of
> 200kbits or 200kbits for each user for every pipe they open?

If you wanted to do that, your pipe config would be

  ipfw pipe 5 config bw 200Kbits/sec mask all
  ipfw pipe 5 ip from any to any recv rl0

That might be entertaining to try; I've been meaning to slow down the
P2P sharing around here.
---
Jon Simola <jon@abccom.bc.ca>  | "In the near future - corporate networks
Systems Administrator          |  reach out to the stars, electrons and light
ABC Communications             |  flow throughout the universe." -- GITS
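The mask bucketing Jon describes, as an added illustration that is not part of the thread: a small script applies dummynet-style src-ip masks to a constructed set of source addresses and shows which flows would share a queue. The sample addresses, the mask names and the helper functions are assumptions made for the example; it shows the "0.0.0.34" collapse from the reply and why the two rulesets are only equivalent when a single /24 sits behind the firewall.

```python
import ipaddress
from collections import defaultdict

# Constructed sample source addresses: three hosts on the internal /24 plus
# one host from a second subnet (someone plugged in at the wrong place).
SAMPLE_SOURCES = ["192.168.0.34", "192.168.0.35", "192.168.0.200", "10.0.0.34"]

# The three masks discussed in the thread (names are ours, not ipfw's).
MASK_PER_HOST = 0xFFFFFFFF    # one queue per source IP
MASK_LAST_OCTET = 0x000000FF  # one queue per last octet
MASK_EVEN_ODD = 0x00000001    # two queues: even vs. odd last octet


def masked_key(src_ip: str, mask: int) -> str:
    """Apply a dummynet-style src-ip mask and return the dotted-quad key that
    identifies the resulting queue (the form "ipfw pipe show" would print)."""
    addr = int(ipaddress.IPv4Address(src_ip))
    return str(ipaddress.IPv4Address(addr & mask))


def bucket_flows(src_ips, mask):
    """Group source addresses into the queues dummynet would create for mask.
    Returns {queue_key: [source IPs sharing that queue]}."""
    buckets = defaultdict(list)
    for ip in src_ips:
        buckets[masked_key(ip, mask)].append(ip)
    return dict(buckets)


def colliding_queues(src_ips, mask):
    """Queues shared by more than one distinct host, i.e. where a narrower
    mask stops giving a true per-user limit."""
    return {k: v for k, v in bucket_flows(src_ips, mask).items() if len(v) > 1}


if __name__ == "__main__":
    for name, mask in [("0xffffffff", MASK_PER_HOST),
                       ("0x000000ff", MASK_LAST_OCTET),
                       ("0x00000001", MASK_EVEN_ODD)]:
        print(f"mask {name}:")
        for key, members in sorted(bucket_flows(SAMPLE_SOURCES, mask).items()):
            print(f"  queue {key:<15} <- {', '.join(members)}")
```

With the second subnet present, the 0x000000ff mask puts 192.168.0.34 and 10.0.0.34 into the same queue, so the two hosts share one bandwidth limit instead of each getting their own.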