Bandwidth Control (Newbie)
Odhiambo WASHINGTON
odhiambo.raburu at wananchi.com
Thu Sep 14 09:35:37 PDT 2006
Hi!
Hello Security folks,
Dad, please don't cane me, please, I am innocent. I just
don't know how to do it.
I am a regular FreeBSD user/admin, but not a regular ipfw user.
I only need ipfw on certain machines where I use IPFilter for
firewalling, and more so, just for the bandwidth control.
Please bear with me on this.
My desire is not to learn the ipfw as a firewall tool, as I
already bought into PF, but since I am still a newbie with PF,
I need to use dummynet as an emergency solution to a problem I
have at the moment.
I hope you guys welcome lazy people into this list once in a while ;)
My questions. I have two situations, and two different questions.
1. I have a mail server, with just one IP address (1.2.3.4). Then I
have two IP blocks (a.b.c.0/19 and d.e.f.0/20).
On this mail server, which is directly connected to the Internet,
I need to limit the outgoing bandwidth used by SMTP service to just
512Kbit/s, except where the destination is one of my IP blocks, the
rule should NOT apply. I have the rule below, but it appears not
to do what I want, as it seems to apply the rule even to destinations
in my IP blocks.
# smtp traffic throttle
ipfw pipe 1 config bw 512Kbit/s
ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.0/19 25
ipfw add pipe 1 tcp from 1.2.3.4 to not d.e.f.0/20 25
${fwcmd} add 65000 pass all from any to any
2. In another setup, I have a FreeBSD box acting as a router/firewall/etc
for a LAN for a customer. The ISP (shit, I am the ISP) is giving the
customer 256Kbps bandwidth. The firewall is IPFilter, as I have
mentioned.
I need to restrict the outgoing bandwidth for all machines (on all
services) except for one host (10.0.0.251), to 128Kbit/s. The
good guy should always get 128Kbit/s even when all the rest are
starved. Put it another way, all LAN hosts except 10.0.0.251 should
be restricted to 128Kbit/s. This leaves half of the total bandwidth
available to 10.0.0.251. I don't want this limitation to apply for
LAN<->LAN traffic, just outgoing to the Internet.
Is the rule below correct?
# Outside (public) interface network and netmask and ip
oif="bfe0"
onet="4.5.6.0"
omask="255.255.255.252"
oip="4.5.6.1"
# Inside interface network and netmask and ip
iif="xl0"
inet="10.0.0.0"
imask="255.255.255.0"
iip="10.0.0.2"
ipfw pipe 1 config bw 128Kbit/s
ipfw add 100 pass all from 10.0.0.251 to any out via ${oif}
ipfw add pipe 1 tcp from not 10.0.0.251 to any out via ${oif}
${fwcmd} add 65000 pass all from any to any
Thank you (all) very much, for your patience (with me) and time.
I'll very much appreciate modifications to these rules. I concocted
these so fast from the ipfw man page.
-Wash
http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
+======================================================================+
|\ _,,,---,,_ | Odhiambo Washington <wash at wananchi.com>
Zzz /,`.-'`' -. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com
|,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922
'---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121
+======================================================================+
The fortune program is supported, in part, by user contributions and by
a major grant from the National Endowment for the Inanities.
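The two dummynet rule sets below are an added example, not taken from the post above or from any reply to it; they keep the post's placeholder addresses and interface name, and the IPFW variable, the function names and the dry-run default (echo the commands instead of running them) are assumptions for illustration. The point they show is ordering: an allow rule for the exempt destinations or host must come before the pipe rule, because two separate "to not X" pipe rules each catch the traffic the other one exempts, and "ip" rather than "tcp" is needed to throttle all services.

```sh
#!/bin/sh
# Added example (not from the original post). IPFW defaults to a dry run
# that only echoes the commands; set IPFW=ipfw to apply them on FreeBSD.
# Addresses and interface names are the placeholders from the post.
IPFW="${IPFW:-echo ipfw}"

# Situation 1: cap outgoing SMTP from the mail host at 512Kbit/s, except
# to our own blocks. The allow rule (100) must precede the pipe rule (200).
smtp_throttle_rules() {
    mailhost="1.2.3.4"
    ownblocks="a.b.c.0/19,d.e.f.0/20"   # comma list: matches either block
    $IPFW pipe 1 config bw 512Kbit/s
    $IPFW add 100 allow tcp from $mailhost to $ownblocks 25
    $IPFW add 200 pipe 1 tcp from $mailhost to any 25
    $IPFW add 65000 allow ip from any to any
}

# Situation 2 (a different box, so pipe 1 again): everything leaving the
# public interface shares 128Kbit/s, except the one exempt host.
lan_throttle_rules() {
    oif="bfe0"
    goodhost="10.0.0.251"
    $IPFW pipe 1 config bw 128Kbit/s
    $IPFW add 100 allow ip from $goodhost to any out via $oif
    # "ip" (not "tcp") so UDP and ICMP are throttled too; "out via $oif"
    # leaves LAN<->LAN traffic on the inside interface untouched. If NAT
    # rewrites the source before ipfw sees the packet, the private source
    # in rule 100 will not match and the hooks must be checked on the box.
    $IPFW add 200 pipe 1 ip from any to any out via $oif
    $IPFW add 65000 allow ip from any to any
}

# Sanity check on a generated rule set: the first allow (the exemption)
# must be listed before the first pipe rule, otherwise it never fires.
check_order() {
    rules=$("$1")
    exempt=$(printf '%s\n' "$rules" | grep -n ' allow ' | head -n 1 | cut -d: -f1)
    pipe=$(printf '%s\n' "$rules" | grep -En ' pipe [0-9]+ (tcp|ip) ' | head -n 1 | cut -d: -f1)
    [ -n "$exempt" ] && [ -n "$pipe" ] && [ "$exempt" -lt "$pipe" ]
}
```

Run with `IPFW=ipfw sh script.sh` on the box itself once the echoed rules look right; rule numbers are explicit so the order does not depend on ipfw's auto-numbering.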