Date: Mon, 17 Feb 2003 16:15:02 -0500
From: "Scott M. Nolde" <scott@smnolde.com>
To: Claus Guttesen <cguttesen@yahoo.dk>
Cc: Eivind Olsen <eivind@aminor.no>, freebsd-stable@FreeBSD.ORG
Subject: Re: ipfw1 or ipfw2 in STABLE?
Message-ID: <20030217211502.GH369@smnolde.com>
In-Reply-To: <20030214081544.33667.qmail@web14103.mail.yahoo.com>
References: <97321400.1045177521@[192.168.0.2]> <20030214081544.33667.qmail@web14103.mail.yahoo.com>

Claus Guttesen(cguttesen@yahoo.dk)@2003.02.14 09:15:44 +0000:
> Hi.
>
> > man-page for ipfw(8) I get the impression that STABLE only uses ipfw1 by
> > default and I'll have to enable ipfw2 by adding "IPFW2=TRUE" to
> > /etc/make.conf and adding "options IPFW2" to the kernel config. But I can't
>
> Your assumption is correct. I am running ipfw (in
> combination with ipfilter), ipfw for traffic-shaping
> (dummynet).
>
> I wanted to prioritize both outcoming and returning
> traffic, but ipfw (ver. 1) only allowed me to
> prioritize on the port, but not distinguish on the
> direction. The keyword ipfw2 has is src- and dst-port
> as well. So I recompiled my world and kernel and
> rebooted and everything went smoothly.
>
> As an example I've pasted my setup from
> /etc/rc.firewall (firewall type [Oo][Pp][Ee][Nn]):
>
> # do some traffic-shaping, configure a pipe
> ${fwcmd} pipe 10 config bw 1Mbit/s
> ${fwcmd} pipe 20 config bw 1Mbit/s
>
> # create some queues with various weight
> ${fwcmd} queue 11 config pipe 10 weight 50
> ${fwcmd} queue 12 config pipe 10 weight 25
> ${fwcmd} queue 13 config pipe 10 weight 5
> ${fwcmd} queue 21 config pipe 20 weight 50
> ${fwcmd} queue 22 config pipe 20 weight 25
> ${fwcmd} queue 23 config pipe 20 weight 5
>
> # create some rules that will be applied to the queues
> # inside-interface
> ${fwcmd} add 340 queue 11 tcp from 192.168.1.0/24 to any dst-port http in recv xl0
> ${fwcmd} add 340 queue 11 tcp from 192.168.1.0/24 to any dst-port ssh in recv xl0
> ${fwcmd} add 340 queue 12 tcp from 192.168.1.0/24 to any dst-port smtp in recv xl0
> ${fwcmd} add 340 queue 12 tcp from 192.168.1.0/24 to any dst-port pop3 in recv xl0
> ${fwcmd} add 340 queue 13 ip from 192.168.1.0/24 to any in recv xl0
> # outside-interface
> ${fwcmd} add 350 queue 21 tcp from any to 192.168.1.0/24 src-port http in recv xl1
> ${fwcmd} add 350 queue 21 tcp from any to 192.168.1.0/24 src-port ssh in recv xl1
> ${fwcmd} add 350 queue 22 tcp from any to 192.168.1.0/24 src-port smtp in recv xl1
> ${fwcmd} add 350 queue 22 tcp from any to 192.168.1.0/24 src-port pop3 in recv xl1
> ${fwcmd} add 350 queue 23 ip from any to 192.168.1.0/24 in recv xl1
>
> Hope this helps.
>
> regards
> Claus

FWIW, I use ipfw with dummynet in combination with ipf/ipnat for packet
filtering. I've written a script which might help a casual dummynet
user set up a queuing and bandwidth limiting packet filter. It's kinda
crude, and I based it on my DHCP-using firewall. Queues and pipes are
specified by setting some parameters and running the script.

The script can be found at http://www.smnolde.com/ipfw/ipfw-queue-bw-only

--
Scott Nolde
GPG Key 0xD869AB48
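An added example, not part of either message and not the script linked above: a small sh generator that prints the mirrored rule set from the quoted rc.firewall, so the dst-port rules on the inside interface and the src-port rules on the outside interface always stay in step. The function names and the CLASSES table layout are assumptions; the addresses, interfaces, weights and rule numbers are the ones from the quoted setup.

```shell
#!/bin/sh
# Prints ipfw2/dummynet commands; it does not run them. Review the output
# before piping it to sh on a machine built with "options IPFW2".
fwcmd="${fwcmd:-ipfw}"

# One traffic class per line: "<weight> <tcp ports...>" (layout is an assumption).
# A line with no ports is the catch-all class and becomes an "ip" rule.
CLASSES="50 http ssh
25 smtp pop3
5"

# emit_rules <rule_no> <pipe> <src> <dst> <src-port|dst-port> <iface>
emit_rules() {
    n=0
    while read -r weight ports; do
        n=$((n + 1))
        q=$(($2 + n))                 # queue 11..13 on pipe 10, 21..23 on pipe 20
        if [ -z "$ports" ]; then      # catch-all must be last for this rule number
            echo "$fwcmd add $1 queue $q ip from $3 to $4 in recv $6"
            continue
        fi
        for p in $ports; do
            echo "$fwcmd add $1 queue $q tcp from $3 to $4 $5 $p in recv $6"
        done
    done <<EOF
$CLASSES
EOF
}

# gen_shaping <lan_cidr> <inside_if> <outside_if> <bandwidth>
gen_shaping() {
    lan=$1; in_if=$2; out_if=$3; bw=$4
    echo "$fwcmd pipe 10 config bw $bw"   # traffic leaving the LAN
    echo "$fwcmd pipe 20 config bw $bw"   # traffic returning to the LAN
    n=0
    while read -r weight ports; do
        n=$((n + 1))
        echo "$fwcmd queue $((10 + n)) config pipe 10 weight $weight"
        echo "$fwcmd queue $((20 + n)) config pipe 20 weight $weight"
    done <<EOF
$CLASSES
EOF
    # Outbound is matched on destination port, replies on source port.
    emit_rules 340 10 "$lan" any dst-port "$in_if"
    emit_rules 350 20 any "$lan" src-port "$out_if"
}

gen_shaping 192.168.1.0/24 xl0 xl1 1Mbit/s
```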