Date: Mon, 16 Jul 2001 11:37:43 -0400 (EDT)
From: Jason Borkowsky <jcborkow@tcpns.com>
To: freebsd-security@freebsd.org
Subject: ipfw pipe command
Message-ID: <Pine.BSF.4.21.0107161126520.9228-100000@bemused.tcpns.com>
I have a question about using pipes in ipfw and hope this is the right forum to ask this question. I have a FreeBSD box connected to a DSL modem at Ethernet 802.3 (10Mb/s) half duplex connection. I am running ipfw on the box, and in terms of filtering, NAT'ing, and port redirection, everything works fine. I decided I wanted to try to use piping to bandwidth limit certain types of traffic. After reading the man pages and ipfw HOW-TO, I came up with the following simple configuration:

    ipfw pipe 10 config bw 5Kbit/s queue 4Mbytes
    ipfw add pipe 10 tcp from x.x.x.x 41000-42000 to any out xmit fxp0

So the first line creates a pipe that is limited to 5 Kb/s and has a queue of 4Mbytes, which should limit traffic drops for large transfers. The next line creates a rule saying if the traffic is TCP, and is sourced from my FreeBSD box of IP address x.x.x.x and the source port is in the range of 41000-42000 and is being transmitted out my external interface (fxp0), it should use this pipe. So now if I list the pipes, I see the following:

    #ipfw pipe list
    00010: 5.000 Kbit/s 0 ms 4 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp

So I have my pipe at 5Kb/s, but it doesn't look like it is being used. I then set up a test connection, use an external sniffer (SnifferPro) and monitor my traffic sessions. However, any tcp traffic in the range of 41000-42000 that is being transmitted from my machine out that interface is not being slowed to 5Kb/s, and is just grabbing all available bandwidth (11,000 to 16,000 KBYTES/s).

Can anyone that uses pipes tell me what I did wrong or how to better troubleshoot this? Thanks!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
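An added example, not part of the original message: a small Python parser for the ipfw pipe list output quoted above, which compares what the pipe reports with what the config command requested and counts the flow rows under it. It assumes "sl." in the listing means queue slots and "KB" a byte-sized queue; the function names are illustrative.

```python
import re

# Constructed sample: the `ipfw pipe list` output quoted in the message,
# with its line breaks restored.
SAMPLE = """\
00010:   5.000 Kbit/s    0 ms    4 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
"""

HEADER = re.compile(
    r"^(?P<pipe>\d+):\s+(?P<bw>[\d.]+)\s+(?P<unit>[KM]?)bit/s\s+"
    r"(?P<delay>\d+)\s+ms\s+(?P<qsize>\d+)\s+(?P<qunit>sl\.|KB)")
# A flow row: bucket, protocol, src addr/port, dst addr/port, counters.
FLOW = re.compile(r"^\s*\d+\s+\w+\s+\S+/\d+\s+\S+/\d+\s+\d+")
SCALE = {"": 1, "K": 1000, "M": 1000000}

def parse_pipes(text):
    """Return {pipe_number: settings} from `ipfw pipe list` output."""
    pipes, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "bw_bits": round(float(m["bw"]) * SCALE[m["unit"]]),
                "delay_ms": int(m["delay"]),
                "queue": int(m["qsize"]),
                # Assumption: "sl." means packet slots, "KB" a byte-sized queue.
                "queue_unit": "slots" if m["qunit"] == "sl." else "KB",
                "flows": 0,
            }
            pipes[int(m["pipe"])] = current
        elif current is not None and FLOW.match(line):
            current["flows"] += 1
    return pipes

def findings(pipe, want_bw_bits, want_queue_unit):
    """Compare one parsed pipe against what the config command asked for."""
    out = []
    if pipe["bw_bits"] != want_bw_bits:
        out.append("bandwidth is %d bit/s" % pipe["bw_bits"])
    if pipe["queue_unit"] != want_queue_unit:
        out.append("queue is %d %s" % (pipe["queue"], pipe["queue_unit"]))
    if pipe["flows"] == 0:
        out.append("no flow rows listed for this pipe")
    return out

if __name__ == "__main__":
    for note in findings(parse_pipes(SAMPLE)[10], 5000, "KB"):
        print(note)
```

Run against the listing from the message, it reports a queue of 4 slots where a byte-sized queue was requested, and no flow rows under pipe 10.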