throttling bandwidth on different ports

Luigi Rizzo rizzo at icir.org
Thu Sep 18 05:49:13 PDT 2003


if you want per-service differentiation then you should have
multiple queues (with different weights) point to 
the mask on the queue to include the port numbers. Something like
this (ipfw2 syntax)

# do the address check only once
ipfw -c add 1000 skipto 1010 not src-ip 192.168.1.0/24,66.255.6.0/24
ipfw -c add 1000 queue 30 proto tcp src-port 80,443 // web
ipfw -c add 1000 queue 31 src-port 53 // dns
ipfw -c add 1000 queue 32 // all the rest from these hosts
ipfw -c add 1010 ... // other traffic

# you can have different masks on the queues
ipfw queue 30 config weight 10 pipe 1 mask src-ip 0xffffffff
ipfw queue 31 config weight 5 pipe 1
ipfw queue 32 config weight 1 pipe 1 mask src-ip 0x000000ff
ipfw pipe 1 config bw 200kbit/s

	cheers
	luigi
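An added model, not code from the thread, of why the reply above moves the services onto queues that share one pipe: dummynet's WF2Q+ scheduler gives every backlogged queue a share of the pipe proportional to its weight, and an idle queue's share goes to the others, whereas the one-pipe-per-class layout in the original config is a set of hard caps. The 200 kbit/s pipe and the 10/5/1 weights come from the reply; the per-queue demands and the 160/40 caps are constructed, and proportional sharing is an idealisation of the scheduler.

```python
from typing import Dict

# Pipe and weights from the reply above (200 kbit/s, weights 10 / 5 / 1).
PIPE_BW_KBIT = 200.0
QUEUE_WEIGHTS = {"web": 10, "dns": 5, "rest": 1}


def weighted_shares(pipe_bw: float, weights: Dict[str, int],
                    demand: Dict[str, float]) -> Dict[str, float]:
    """Progressive filling (idealised WF2Q+): hand the pipe out in
    proportion to weight, cap each queue at what it actually has to send,
    and give the leftover to the queues that are still backlogged.
    Returns kbit/s per queue."""
    alloc = {q: 0.0 for q in weights}
    hungry = {q for q in weights if demand.get(q, 0.0) > 0}
    left = pipe_bw
    while hungry and left > 1e-9:
        total_w = sum(weights[q] for q in hungry)
        done = set()
        for q in hungry:
            share = left * weights[q] / total_w
            want = demand[q] - alloc[q]
            if share >= want:            # its share covers all it wants
                alloc[q] += want
                done.add(q)
        if not done:                     # all still want more: split and stop
            for q in hungry:
                alloc[q] += left * weights[q] / total_w
            break
        hungry -= done
        left = pipe_bw - sum(alloc.values())
    return alloc


def separate_pipes(caps: Dict[str, float],
                   demand: Dict[str, float]) -> Dict[str, float]:
    """The original layout: one pipe per class is a hard cap, so an idle
    class's bandwidth is wasted rather than lent to the busy ones."""
    return {q: min(caps[q], demand.get(q, 0.0)) for q in caps}


if __name__ == "__main__":
    busy = {"web": 1e6, "dns": 1e6, "rest": 1e6}     # constructed: all backlogged
    print("all busy ", weighted_shares(PIPE_BW_KBIT, QUEUE_WEIGHTS, busy))
    web_idle = {"web": 0.0, "dns": 1e6, "rest": 1e6}  # constructed: no web traffic
    print("web idle ", weighted_shares(PIPE_BW_KBIT, QUEUE_WEIGHTS, web_idle))
    print("hard caps", separate_pipes({"web": 160.0, "rest": 40.0}, web_idle))
```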

On Thu, Sep 18, 2003 at 07:54:30AM -0400, Thomas S. Crum - 1WISP, Inc. wrote:
> Hi List,
> 
> I thank anyone, in advance, who might offer some light to my question below.
> 
> At our office, we have a T1 circuit whose bandwidth I am trying to divvy up as
> you see below.  I would like to give a greater amount of pipe to "web"
> associated ports and allow the rest of the traffic to fall into a default
> queue, both up and down.
> 
> When I run this config it seems that the "web"
> associated ports are simply falling into the default queue, which of course
> slows everything to a crawl since the default queues are so small.
> 
> Is it possible to queue tcp traffic as I am attempting to do?
> 
> Can anyone give me some insight as to why this is happening and offer a
> solution that will accomplish what I am attempting?
> 
> I am running dummynet as a bridge behind my router and in front of
> everything else on FreeBSD. My config is below.
> 
> ###################
> 
> # TOM'S PLAYGROUND
> 
> # DO THIS CAUSE THEY SAY ITS GOOD
> add check-state
> 
> # BLOCK BAD IP'S
> #add deny ip from 192.168.1.27 to any
> #add deny ip from any to 192.168.1.27
> 
> # Keep those nasty viruses, worms and critters away.
> add deny udp from any to any 8998
> add deny tcp from any to any 135
> add deny udp from any to any 69
> add deny tcp from any to any 4444
> add deny tcp from any to any 707
> add deny tcp from any to any 137
> add deny udp from any to any 137
> add deny tcp from any to any 138
> add deny udp from any to any 138
> add deny tcp from any to any 139
> add deny udp from any to any 139
> add deny tcp from any to any 593
> add deny udp from any to any 593
> 
> # GIVE ME FULL PIPE WHEN SSH FROM OUTSIDE
> add allow tcp from 66.255.6.221 to any 22
> add allow tcp from any to 66.255.6.221 22
> 
> # ALLOW LOCAL IP'S TO PASS W/ EACH OTHER
> add allow ip from 192.168.1.0/24 to 192.168.1.0/24
> add allow ip from 192.168.1.0/24 to 66.255.6.0/24
> add allow ip from 66.255.6.0/24 to 66.255.6.0/24
> add allow ip from 66.255.6.0/24 to 192.168.1.0/24
> 
> # MAILSERVER "DUPLEX"
> add queue 10 ip from any to 66.255.6.131
> add queue 11 ip from 66.255.6.131 to any
> queue 10 config weight 1 pipe 10 mask src-ip 0xffffffff
> queue 11 config weight 1 pipe 10 mask dst-ip 0xffffffff
> pipe 10 config bw 50Kbit/s
> 
> # EVERYBODY "DOWN 80, 443 AND 53 PORT" 80/20
> add queue 30 tcp from any to 192.168.1.0/24 80
> add queue 30 tcp from any to 66.255.6.0/24 80
> add queue 30 tcp from any to 192.168.1.0/24 53
> add queue 30 tcp from any to 66.255.6.0/24 53
> add queue 30 udp from any to 192.168.1.0/24 53
> add queue 30 udp from any to 66.255.6.0/24 53
> add queue 30 tcp from any to 192.168.1.0/24 443
> add queue 30 tcp from any to 66.255.6.0/24 443
> add queue 30 udp from any to 192.168.1.0/24 443
> add queue 30 udp from any to 66.255.6.0/24 443
> queue 30 config weight 1 pipe 30 mask dst-ip 0xffffffff
> pipe 30 config bw 960Kbit/s
> 
> # EVERYBODY "DOWN ALL PORTS"
> add queue 31 ip from any to 192.168.1.0/24
> add queue 31 ip from any to 66.255.6.0/24
> queue 31 config weight 1 pipe 31 mask dst-ip 0xffffffff
> pipe 31 config bw 240Kbit/s
> 
> # EVERYBODY "UP 80, 443 AND 53 PORT" 60/40
> add queue 32 tcp from 192.168.1.0/24 80 to any
> add queue 32 tcp from 66.255.6.0/24 80 to any
> add queue 32 tcp from 192.168.1.0/24 53 to any
> add queue 32 tcp from 66.255.6.0/24 53 to any
> add queue 32 udp from 192.168.1.0/24 53 to any
> add queue 32 udp from 66.255.6.0/24 53 to any
> add queue 32 tcp from 192.168.1.0/24 443 to any
> add queue 32 tcp from 66.255.6.0/24 443 to any
> add queue 32 udp from 192.168.1.0/24 443 to any
> add queue 32 udp from 66.255.6.0/24 443 to any
> queue 32 config weight 1 pipe 32 mask src-ip 0xffffffff
> pipe 32 config bw 150Kbit/s
> 
> # EVERYBODY "UP ALL PORTS"
> add queue 33 ip from 192.168.1.0/24 to any
> add queue 33 ip from 66.255.6.0/24 to any
> queue 33 config weight 1 pipe 33 mask src-ip 0xffffffff
> pipe 33 config bw 100Kbit/s
> 
> # THIS SHOULD MAKE DHCP WORK? PS. IT DID.
> add queue 250 ip from any to any
> queue 250 config weight 1 pipe 250 mask src-ip 0xffffffff
> pipe 250 config bw 10Kbit/s
> 
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
