From: alex
Reply-To: alex
To: Michael Loftis, freebsd-ipfw@FreeBSD.ORG
Date: Thu, 08 Nov 2001 05:27:05 +0100
Subject: Re: IPF -- IPFILTER/IPNAT + DUMMYNET?
Message-ID: <1627830.1005197225@[192.168.2.94]>
In-Reply-To: <3BE9DDEC.14FBBC5@wgops.com>

Hi Michael,

I'm new to ipfilter, but I have been using ipfw for bandwidth limiting for a few months now. I compiled my kernel with ipfw and ipfilter, and what I think I found out is: packets run first through ipfilter, then ipfw (if both are compiled into the kernel; this may vary if ipfw is compiled in and ipfilter is loaded as a module).

What I use is:

ipfw pipe 1 config bw 100KByte/s
ipfw pipe 2 config bw 100KByte/s
ipfw add pipe 1 ip from any to any out
ipfw add pipe 2 ip from any to any in

This is a nice duplex 100KB/sec pipe (100KB/sec in both directions) and works well on my box :)

Before these pipe rules I do some "allow all from x to y" for unlimited bandwidth to our own network; I use the bandwidth limiting rules just for the rest of the packets, for outgoing connections to the internet.
If you want to limit bandwidth depending on the device, let's say you want only 16KB/sec (dual ISDN) on rl0, this should work:

ipfw pipe 1 config bw 16KByte/s
ipfw pipe 2 config bw 16KByte/s
ipfw add pipe 1 ip from any to any out xmit rl0
ipfw add pipe 2 ip from any to any in recv rl0

This should limit bandwidth on all packets entering or leaving the system via the rl0 device. And you should have an "allow all from any to any" rule as the last rule in ipfw, otherwise the packets are dropped by ipfw (assuming you do all the allow/deny filtering in ipfilter).

Hope this helps,
alex

--On Wednesday, 7 November 2001 17:20 -0800 Michael Loftis wrote:

> OK :) Hate to bother this list with it but couldn't find out how the
> interaction would work, but what I was wondering is could I stick a
> DUMMYNET rate limiter pipe in the path for output on an ipfilter based
> firewall... If so, what's the logical diagram it would follow...
>
> I.e. is it something like
>
> INPUT<->IPNAT<->IPF<->DUMMYNET/PIPE<->IFACE<->OUTPUT
> ?
>
> The reason I ask is I'd like to possibly utilise the rate limiter at some
> point. I've had 0 success making ipfw work in any configuration, and
> ipnat+ipf is a little strange but it works (NAT seems to happen before
> IPFilter, which is a little odd.... but hey, whatever.) Any
> clues/helps? The machine is a multi-homed and multi-ip-ed machine.
>
> Michael
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
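The ruleset alex describes (local-network bypass first, per-interface dummynet pipes, catch-all allow last), written up as an added example that is not part of the thread: a POSIX sh script that generates the rules and lints them so the final allow-all the reply warns about is never missing. The interface rl0, the local network 192.168.2.0/24 and the rule numbers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Generates an ipfw/dummynet ruleset of the shape described in the thread:
#   1. unlimited traffic to/from the local network (assumed 192.168.2.0/24),
#   2. one pipe per direction bound to the interface (assumed rl0),
#   3. a final allow-all so packets are not dropped by ipfw's default deny
#      when all allow/deny filtering is done in ipfilter.
# Rule numbers are assumed values chosen for illustration.

gen_ruleset() {
    iface="$1"; bw="$2"; localnet="$3"
    cat <<EOF
pipe 1 config bw $bw
pipe 2 config bw $bw
add 100 allow ip from any to $localnet
add 110 allow ip from $localnet to any
add 200 pipe 1 ip from any to any out xmit $iface
add 210 pipe 2 ip from any to any in recv $iface
add 65000 allow ip from any to any
EOF
}

# Lint: return 0 if the last 'add' rule is an allow-all, 1 otherwise.
# A ruleset that ends in a pipe rule would leave traffic subject to
# ipfw's implicit default deny, which is the failure mode alex warns about.
check_ruleset() {
    last=$(printf '%s\n' "$1" | grep '^add ' | tail -n 1)
    case "$last" in
        "add "*" allow ip from any to any") return 0 ;;
        *) return 1 ;;
    esac
}

# Only touch the live firewall when explicitly asked (APPLY=1).
if [ "${APPLY:-0}" = "1" ]; then
    rules=$(gen_ruleset rl0 16KByte/s 192.168.2.0/24)
    check_ruleset "$rules" || { echo "ruleset lacks final allow-all" >&2; exit 1; }
    printf '%s\n' "$rules" | while read -r r; do ipfw -q $r; done
fi
```

Whether packets leaving a pipe continue through the remaining rules depends on the FreeBSD sysctl net.inet.ip.fw.one_pass; the final allow-all covers the case where they do.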