MAN page example vs. this?

Jon Simola jon at abccom.bc.ca
Wed Dec 3 09:38:05 PST 2003


On Tue, 2 Dec 2003, Sean Hafeez wrote:

> Thank you for the info. One or 2 questions if I could?

Trying to help as much as I can. My situation is a fairly unique
application I believe, so my experiences are somewhat unique as well.

> > You're forcing the interface. Be careful, as packets may flow through
> > in ways you don't expect.
>
> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
> rl1 the internal. What could I miss?

Well, packets destined or sourced by the firewall itself, packets flowing
backwards because of spoofing, or just people plugging themselves into the
network at the wrong place. I've had to be careful as my firewalling
bridge (switch) has 5 interfaces, so I've placed more emphasis on keeping
track of IP addresses.

> > If you used "mask src-ip 0x00000001" you would be sorting the packets
> > into buckets (and queues) based on whether the source IP's last octet was
> > even or odd.
>
> So 0xffffffff would match one user to one website, etc...?

That would match one user. If you only have a single /24 behind your
firewall, note that the following rulesets would be equivalent:

ipfw pipe 1 config mask src-ip 0xffffffff
ipfw pipe 2 config mask src-ip 0x000000ff
ipfw add pipe 1 ip from any to any recv rl1 // from the internal network
ipfw add pipe 2 ip from 192.168.0.0/24 to any // from an internal network

The only difference that I can think of offhand for that is that a "pipe
show" would give you "192.168.0.34" on pipe 1, and "0.0.0.34" on pipe 2.

> In doing what I am doing am I limiting each user (IP) to a total of
> 200kbits or 200kbits for each user for every pipe they open?

If you wanted to do that, your pipe config would be
ipfw pipe 5 config bw 200Kbit/s mask all
ipfw add pipe 5 ip from any to any recv rl0

That might be entertaining to try, I've been meaning to slow down the P2P
sharing around here.

---
Jon Simola <jon at abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS
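The mask behaviour discussed in the thread (one dummynet queue per distinct value of "packet fields AND mask") can be checked offline without an ipfw box. The following is an added example, not code from the original post or from FreeBSD: it models a dummynet pipe's mask as a table of per-field masks, applies it to a few constructed packets from a 192.168.0.0/24 network, and counts the resulting buckets for each mask spec mentioned above ("src-ip 0x00000001", "src-ip 0xffffffff", "src-ip 0x000000ff", "all"). The Packet type, the sample packets and the show_flow rendering are assumptions made for the illustration; only the masking rule itself is dummynet's.

```python
"""Added example: simulate dummynet's 'mask' bucketing of packets into queues.

A dummynet pipe/queue with a mask keeps one queue per distinct value of
(packet fields AND mask).  Fields not named in the mask are masked to 0,
so they do not distinguish flows.  'mask all' masks every field fully.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:          # assumed minimal packet representation
    proto: str         # 'tcp' or 'udp'
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


PROTO_NUM = {"tcp": 6, "udp": 17}

# Full-width masks for each field ipfw's 'mask' keyword accepts.
FULL = {"proto": 0xff, "src-ip": 0xffffffff, "src-port": 0xffff,
        "dst-ip": 0xffffffff, "dst-port": 0xffff}
ZERO = {k: 0 for k in FULL}


def parse_mask(spec: str) -> dict:
    """Parse the argument of 'mask ...', e.g. 'src-ip 0x000000ff',
    'src-ip 0xffffffff dst-port 0xffff', or 'all'.  Unnamed fields get
    mask 0, as in dummynet."""
    toks = spec.split()
    if toks == ["all"]:
        return dict(FULL)
    if len(toks) % 2:
        raise ValueError("mask spec needs field/value pairs")
    mask = dict(ZERO)
    for field, value in zip(toks[::2], toks[1::2]):
        if field not in FULL:
            raise ValueError(f"unknown mask field {field!r}")
        v = int(value, 0)
        if v & ~FULL[field]:
            raise ValueError(f"{field} mask {value} is wider than the field")
        mask[field] = v
    return mask


def flow_id(pkt: Packet, mask: dict) -> tuple:
    """Apply the mask field by field; the tuple is the queue key."""
    return (
        PROTO_NUM[pkt.proto] & mask["proto"],
        int(ipaddress.IPv4Address(pkt.src_ip)) & mask["src-ip"],
        pkt.src_port & mask["src-port"],
        int(ipaddress.IPv4Address(pkt.dst_ip)) & mask["dst-ip"],
        pkt.dst_port & mask["dst-port"],
    )


def bucket(packets, mask_spec: str) -> dict:
    """Group packets by flow id: {flow_id: [packets]}.  Each key is one
    queue that would get its own copy of the pipe's bandwidth limit."""
    mask = parse_mask(mask_spec)
    buckets = defaultdict(list)
    for p in packets:
        buckets[flow_id(p, mask)].append(p)
    return dict(buckets)


def show_flow(fid: tuple) -> str:
    """Render a flow id with masked-out fields as 0 (e.g. 0.0.0.34 for a
    0x000000ff source mask); layout is an approximation of 'pipe show'."""
    proto, sip, sport, dip, dport = fid
    return (f"proto {proto} {ipaddress.IPv4Address(sip)}/{sport} "
            f"-> {ipaddress.IPv4Address(dip)}/{dport}")


# Constructed sample traffic: three internal hosts behind rl1.
SAMPLE = [
    Packet("tcp", "192.168.0.34", "198.51.100.10", 40001, 80),
    Packet("tcp", "192.168.0.34", "198.51.100.10", 40002, 80),
    Packet("tcp", "192.168.0.34", "203.0.113.7", 40003, 443),
    Packet("tcp", "192.168.0.35", "198.51.100.10", 50001, 80),
    Packet("udp", "192.168.0.36", "203.0.113.7", 6881, 6881),
]


def demo() -> dict:
    """Number of queues each mask spec produces for SAMPLE."""
    return {spec: len(bucket(SAMPLE, spec)) for spec in
            ("src-ip 0x00000001", "src-ip 0xffffffff",
             "src-ip 0x000000ff", "all")}


if __name__ == "__main__":
    for spec, n in demo().items():
        print(f"mask {spec:<20} -> {n} queue(s)")
    for fid in bucket(SAMPLE, "src-ip 0x000000ff"):
        print("  ", show_flow(fid))
```

With the sample traffic, "src-ip 0x00000001" yields two queues (hosts .34 and .36 share the even bucket), both 0xffffffff and 0x000000ff yield one queue per host, and "mask all" yields one queue per connection, which is the difference between "200Kbit per user" and "200Kbit per flow each user opens" asked about above.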


