MAN page example vs. this?

Sean Hafeez sahafeez at edgefocus.com
Thu Dec 4 09:53:45 PST 2003


I am a little confused. Using

ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s

are you saying that I am limiting all traffic to, let's say, www.cnn.com 
for all users to 200k? So the 1st person gets 200kbits, and then when a 
second pulls down at the same time they both get 100kbits, and 3 at a 
time is 67kbits each? If so, that is not what I want to do!

I would like each IP behind the firewall to be limited to a total of 
200kbits to anywhere, all the time - the 200kbits being their max throughput, 
the sum of all apps they are running, i.e. smtp, pop, ftp, http.


thanks!

On Dec 3, 2003, at 8:40 AM, Thomas S. Crum - 1WISP, Inc. wrote:

> 0xffffffff is simply matching all IPs that it sees. So what it is doing is
> saying to any IP, yes you match my rule, then it is putting it into the pipe
> and the bandwidth you specify. If only 1 IP is using it then it would have
> what you are specifying for speed, but also EVERY other IP would be forced
> into the same rule as well. If you are planning to have multiple IPs, I
> would suggest queuing the traffic first then have the queue run through the
> pipe. This way all IPs would share evenly.
>
> Best,
> Tom Crum
>
>
>
> ----- Original Message -----
> From: "Sean Hafeez" <sahafeez at edgefocus.com>
> To: "Jon Simola" <jon at abccom.bc.ca>
> Cc: <freebsd-ipfw at freebsd.org>
> Sent: Tuesday, December 02, 2003 9:28 PM
> Subject: Re: MAN page example vs. this?
>
>
>> Thank you for the info. One or 2 questions if I could?
>> On Dec 1, 2003, at 4:03 PM, Jon Simola wrote:
>>>>
>>>> ipfw add pipe 1 ip from any to any in recv rl1
>>>> ipfw add pipe 2 ip from any to any out xmit rl1
>>>> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
>>>> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>>>>
>>>> are these 2 examples functionally the same? if not what is the
>>>> difference?
>>>
>>> You're forcing the interface. Be careful, as packets may flow through in
>>> ways you don't expect.
>>>
>>
>> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
>> rl1 the internal. What could I miss?
>>
>>>> also in the first example, if the network was changed to
>>>> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0)? It is a
>>>> reverse mask like a cisco, right?
>>>
>>> That mask has nothing to do with a network mask. It's a simple bitmask,
>>> used to pick out the bits in the src/dst ip/port combinations that are
>>> used to hash the packets into a unique bucket.
>>>
>>> If you used "mask src-ip 0x00000001" you would be sorting the packets into
>>> buckets (and queues) based on whether the source IP's last octet was even
>>> or odd.
>>
>> So 0xffffffff would match one user to one website, etc...?
>>
>> In doing what I am doing am I limiting each user (IP) to a total of
>> 200kbits or 200kbits for each user for every pipe they open?
>>
>> Thanks!
>>
>> _______________________________________________
>> freebsd-ipfw at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to 
>> "freebsd-ipfw-unsubscribe at freebsd.org"
>>
>
>
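Added example, not part of the thread and not code from any of the posters: a small Python model of how a dummynet mask sorts packets into dynamic flows, following the semantics documented in ipfw(8). Each distinct set of masked field values gets its own dynamic pipe (every flow receives the full configured bandwidth) or dynamic queue (flows share the parent pipe's bandwidth), and the mask is a plain bitmask AND-ed with the field, not a network mask. The packet addresses (LAN hosts in 192.168.0.0/23 talking to documentation-range servers) are constructed sample data, and the mask dictionary keys and function names are this example's own. Running it against the four masks that come up in the thread shows why "mask src-ip 0xffffffff" yields one flow per internal host, why 0x00000001 yields only two flows (even/odd low bit), why a netmask-shaped value such as 0xfffffe00 collapses the whole /23 into a single flow, and what masking both src-ip and dst-ip does.

```python
"""Model of dummynet 'mask' classification (added example, not from the thread).

Semantics per ipfw(8): a pipe/queue with a mask splits traffic into one dynamic
flow per distinct set of masked field values.  A dynamic pipe gives every flow
the full configured bandwidth; a dynamic queue makes flows share the parent
pipe's bandwidth.  The mask is a plain bitmask AND-ed with the field, not a
network mask.  Packets, names and mask keys below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def flow_key(pkt: dict, mask: dict) -> tuple:
    """AND each header field with its mask bits; unmasked fields collapse to 0."""
    return (
        ip_to_int(pkt["src"]) & mask.get("src-ip", 0),
        ip_to_int(pkt["dst"]) & mask.get("dst-ip", 0),
        pkt["sport"] & mask.get("src-port", 0),
        pkt["dport"] & mask.get("dst-port", 0),
        pkt["proto"] & mask.get("proto", 0),
    )


def classify(packets: list, mask: dict) -> dict:
    """Group packets into dynamic flows the way dummynet hashes them."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p, mask)].append(p)
    return dict(flows)


def per_flow_bandwidth(flows: dict, bw_kbit: float, kind: str = "pipe") -> dict:
    """'pipe': each flow gets bw_kbit; 'queue': flows split bw_kbit evenly."""
    if kind == "pipe":
        return {k: float(bw_kbit) for k in flows}
    return {k: bw_kbit / len(flows) for k in flows}


# Constructed upload-direction packets (what an 'in recv rl1' rule would see):
# three LAN hosts in 192.168.0.0/23 talking to documentation-range servers.
PACKETS = [
    {"src": "192.168.0.10", "sport": 40001, "dst": "198.51.100.5", "dport": 80, "proto": 6},
    {"src": "192.168.0.10", "sport": 40002, "dst": "203.0.113.25", "dport": 25, "proto": 6},
    {"src": "192.168.0.11", "sport": 40003, "dst": "198.51.100.5", "dport": 80, "proto": 6},
    {"src": "192.168.1.10", "sport": 40004, "dst": "198.51.100.5", "dport": 110, "proto": 6},
    {"src": "192.168.0.10", "sport": 40005, "dst": "198.51.100.5", "dport": 80, "proto": 6},
]

# The masks discussed in the thread, plus a netmask-shaped one to show the difference.
MASKS = {
    "per-host": {"src-ip": 0xFFFFFFFF},                         # one flow per internal IP
    "odd-even": {"src-ip": 0x00000001},                         # Jon's even/odd example
    "netmask-shaped": {"src-ip": 0xFFFFFE00},                   # /23 mask used as a bitmask
    "per-host-per-server": {"src-ip": 0xFFFFFFFF, "dst-ip": 0xFFFFFFFF},
}


def flow_counts() -> dict:
    """Number of dynamic flows each mask in MASKS produces for PACKETS."""
    return {name: len(classify(PACKETS, m)) for name, m in MASKS.items()}


if __name__ == "__main__":
    for name, mask in MASKS.items():
        flows = classify(PACKETS, mask)
        print(f"{name}: {len(flows)} flow(s)")
        for key, pkts in flows.items():
            srcs = sorted({p["src"] for p in pkts})
            print(f"    key={key} packets={len(pkts)} sources={srcs}")
    # A 200 kbit/s dynamic pipe keyed on src-ip: every host gets its own 200 kbit/s,
    # whereas a dynamic queue on the same key would split 200 kbit/s among the hosts.
    flows = classify(PACKETS, MASKS["per-host"])
    print("pipe :", per_flow_bandwidth(flows, 200, "pipe"))
    print("queue:", per_flow_bandwidth(flows, 200, "queue"))
```

The same model applies to the download direction (the "out xmit rl1" rule in the thread) by masking dst-ip instead of src-ip, since on that path the internal host is the destination; feeding the model the mirror-image packets gives the same per-host grouping.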


