From: Sean Hafeez
Date: Thu, 4 Dec 2003 09:53:39 -0800
To: "Thomas S. Crum - 1WISP, Inc."
Cc: freebsd-ipfw@freebsd.org
Subject: Re: MAN page example vs. this?

i am a little confused.

using

ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s

are you saying that i am limiting all traffic to let's say, www.cnn.com
for all users to 200k. so the 1st person gets 200kbits and then when a
second pulls down at the same time they both get 100kbits and 3 at a
time is 67kbits each?

if so that is not what i want to do! i would like each ip behind the
firewall to be limited to a total of 200kbits to anyway all the time -
the 200kbits being their max thru-put sum of all apps they are running,
ie smtp, pop, ftp, http.

thanks!

On Dec 3, 2003, at 8:40 AM, Thomas S. Crum - 1WISP, Inc. wrote:

> 0xffffffff is simply matching all ips that it sees. So what it is
> doing is saying to any ip, yes you match my rule then it is putting it
> into the pipe and the bandwidth you specify. If only 1 ip is using it
> then it would have what you are specifying for speed, but also EVERY
> other ip would be forced into the same rule as well. If you are
> planning to have multiple ips, i would suggest queuing the traffic
> first then have the queue run through the pipe. This way all ips would
> share evenly.
>
> Best,
> Tom Crum
>
> ----- Original Message -----
> From: "Sean Hafeez"
> To: "Jon Simola"
> Cc:
> Sent: Tuesday, December 02, 2003 9:28 PM
> Subject: Re: MAN page example vs. this?
>
>> Thank you for the info. One or 2 questions if I could?
>>
>> On Dec 1, 2003, at 4:03 PM, Jon Simola wrote:
>>>>
>>>> ipfw add pipe 1 ip from any to any in recv rl1
>>>> ipfw add pipe 2 ip from any to any out xmit rl1
>>>> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
>>>> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>>>>
>>>> are these 2 examples functionally the same? if not what is the
>>>> difference?
>>>
>>> You're forcing the interface. Be careful, as packets may flow
>>> through in ways you don't expect.
>>>
>>
>> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
>> rl1 the internal. What could I miss?
>>
>>>> also in the first example, if the network was changed to
>>>> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0) ? it
>>>> is a reverse mask like a cisco, right?
>>>
>>> That mask has nothing to do with a network mask. It's a simple
>>> bitmask, used to pick out the bits in the src/dst ip/port
>>> combinations that are used to hash the packets into a unique bucket.
>>>
>>> If you used "mask src-ip 0x00000001" you would be sorting the
>>> packets into buckets (and queues) based on whether the source IP's
>>> last octet was even or odd.
>>
>> So 0xffffffff would match one user to one website, etc...?
>>
>> In doing what I am doing am I limiting each user (IP) to a total of
>> 200kbits or 200kbits for each user for every pipe they open?
>>
>> Thanks!
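
An added illustration, not part of the original thread and not ipfw code: a small Python model of the mask-then-bucket step described in the quoted text, applied to constructed LAN-to-Internet traffic as seen by "pipe 1 ... in recv rl1". The addresses, the function names and the even split of a bucket's bandwidth among the hosts in it are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

def ip(s):
    return int(ipaddress.IPv4Address(s))

# Constructed sample traffic (LAN -> Internet); all addresses are made up.
PACKETS = [
    {"src": ip("192.168.0.10"), "dst": ip("203.0.113.5")},
    {"src": ip("192.168.0.10"), "dst": ip("198.51.100.7")},
    {"src": ip("192.168.0.11"), "dst": ip("203.0.113.5")},
    {"src": ip("192.168.0.12"), "dst": ip("198.51.100.7")},
]

def buckets(packets, src_mask=0, dst_mask=0):
    """Group packets by flow id after masking; one dynamic pipe per group.

    Only the bits set in a mask can tell two packets apart.
    """
    groups = defaultdict(set)
    for p in packets:
        key = (p["src"] & src_mask, p["dst"] & dst_mask)
        groups[key].add(p["src"])
    return groups

def per_host_kbit(packets, bw, src_mask=0, dst_mask=0):
    """Bandwidth each LAN host can reach, in kbit/s.

    Assumption: every bucket gets the full `bw`, and hosts active in the
    same bucket split it evenly (real sharing depends on the traffic mix).
    """
    total = defaultdict(float)
    for hosts in buckets(packets, src_mask, dst_mask).values():
        for h in hosts:
            total[str(ipaddress.IPv4Address(h))] += bw / len(hosts)
    return dict(total)

if __name__ == "__main__":
    for label, mask in [("no mask", 0x0), ("0x00000001", 0x1),
                        ("0xffffffff", 0xFFFFFFFF)]:
        print(f"mask src-ip {label}:", per_host_kbit(PACKETS, 200, src_mask=mask))
```

With the full source mask each internal address lands in its own bucket no matter how many remote sites it talks to; with no mask all three hosts fall into one bucket and share the 200 kbit/s.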