Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 1 Aug 2014 16:32:01 -0500
From:      Kevin Kinsey <>
To:        Tim Daneliuk <>
Subject:   Re: Help With ipwf Rules
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Thu, Jul 31, 2014 at 01:39:36PM -0500, Tim Daneliuk wrote:
> I am working on a FreeBSD 10-STABLE machine that has two NICS:
>     re0  - Connects to the internet
>     em0  - NATs to a private flat Class C LAN  (192.168...)
> There is already an IPFW ruleset in place, primarily to control
> who can get in via re0 - pretty much anything is allowed out from
> the FreeBSD machine itself and from the 192 network.
> I need to add a few additional ipfw rules to do the following:
> 1) Bandwidth shaping/management.   I need to ensure that the total
>     amount of bandwidth being used by hosts on the LAN never exceeds,
>     say, 3 mb/sec down and 1 mb/sec up.  Then I need a similar rule
>     for traffic originating ON the FreeBSD box itself.

See dummynet(4).  It should be mentioned also in ipfw(8).  The manpage
says you still need to configure a kernel to use it ... I cannot confirm
whether that's still true, or if that's changed significantly.

It's been a while, but IIRC it will be something like:

ipfw add pipe 1 ip from any to any via em0
ipfw pipe 1 config bw 3Mbit/s

YMMV.  I had this working sometime in the last decade on FBSD 4,
up through about FBSD 7 or 2010 (whichever was later).

It might be worth mentioning that plenty of voices Out There have
moved on to recommending PF instead of IPFW.

Hopefully this will at least point you in the somewhat correct

Kevin Kinsey

> 2) I need to create rules that permit a VOIP phone to plug in on
>     the NATed LAN and still work properly.
> I am somewhat familiar with ipfw having set up the original rule set
> but I am a bit unclear on how to do these two things.   The help of
> some kind soul with the expertise would be most appreciated ...
> -- 
> ----------------------------------------------------------------------------
> Tim Daneliuk
> PGP Key:
> _______________________________________________
> mailing list
> To unsubscribe, send any mail to ""

Want to link to this message? Use this URL: <>