once again: rules for natd+ipfw+dummynet

Martins Dzelde martins.dzelde at latrude.lv
Wed Mar 16 14:33:13 PST 2005


hi,
I've been searching the web and reading manuals and I cannot figure out if I
am setting up my freebsd box correctly. And now I have many questions; hope
someone out there has answers for some of them.
So, the system I am aiming for:

+-------------------------------------------------------------+
| [Internet Antenna]
| real ip address: x.x.x.94
| routed network: x.x.x.64/255.255.255.224
+-------------------------------------------------------------+
        |
        |
+-------------------------------------------------------------+
| [FreeBSD box]
| rl2 -> x.x.x.93                  (connected to antenna)
| rl1 -> no ip address, bridging rl2,rl1 (?) to local network
|                                  (connected to LAN)
| rl0 -> 192.168.29.1 (sharing rl2 with natd+dhcp for
|        192.168.29.0/255.255.255.0) (connected to LAN)
+-------------------------------------------------------------+
        |
+-------------------------------------------------------------+
| [LAN]
| few real & virtual ip addresses with special bandwidth
+-------------------------------------------------------------+


Currently the system described above is working, but somehow all the
traffic is consumed completely and I have no idea whether the traffic goes
within the real ip address zone (x.x.x.64/27), since there are some
servers running there, or whether the traffic is consumed in the virtual
network (192.168.29.0/24). Or maybe there is a virus in a computer flooding
all the net!

so the problems & questions:
1) how to correctly build equally weighted traffic shaping for the network
(x.x.x.64/27) and for (192.168.29.0/24), with a few ip address exceptions for
both networks;
2) how to prevent the network from being flooded by some kind of virus;
3) which program to use to monitor that everything is shaping correctly:
should I better use iftop, bandwidthd or ipfm?
4) can I do access control per mac address with ipfw, and how? or should I
use arp tables?


the current script for the rules is:

# external interface (toward the antenna) and the NAT'd LAN interface
EXTIF=rl2
NATIF=rl0

# one pipe for the whole uplink
ipfw pipe 1 config bw 8192kbit/s

# queue for a server using a real ip
# (rule numbers below the /27 rules, so the server matches here first)
ipfw queue 1 config pipe 1 weight 30
ipfw add 350 queue 1 ip from x.x.x.66/32 to any out via $EXTIF
ipfw add 351 queue 1 ip from any to x.x.x.66/32 in via $EXTIF

# queue for real ip zone; weight and flow mask on one config line, because
# the last "queue 2 config" for a queue is the one that sticks
# (masks are full 32-bit values: 0xffffe0 would be read as 0x00ffffe0)
ipfw queue 2 config pipe 1 weight 30 mask src-ip 0xffffffe0 dst-ip 0xffffffe0
ipfw add 400 queue 2 ip from x.x.x.64/27 to any out via $EXTIF
ipfw add 401 queue 2 ip from any to x.x.x.64/27 in via $EXTIF

# queue for 192.168.29.0/24 (the rules must send to queue 3, not queue 2)
ipfw queue 3 config pipe 1 weight 30 mask src-ip 0xffffff00 dst-ip 0xffffff00
ipfw add 500 queue 3 ip from 192.168.29.0/24 to any out via $EXTIF
ipfw add 501 queue 3 ip from any to 192.168.29.0/24 in via $EXTIF



I feel there are many mistakes in the script above... so, please, help.
And another question:
what flags should I enable or disable using sysctl?

sysctl net.inet.ip.fw.enable=1
sysctl net.link.ether.ipfw=1
sysctl net.link.ether.bridge.enable=1
sysctl net.link.ether.bridge.config="rl2 rl1" ## <-- should I add rl0 (192.168...) too?
sysctl net.link.ether.bridge.ipfw=1
sysctl net.inet.ip.fw.one_pass=0 # should I set this to 1?

Hope you have an answer for at least one question.
Thanks,
Martins.
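An added example, not from the post or any reply to it: a small sh script that builds the shaping set the post describes (one pipe, per-host fair queues for the /27 and the /24, a separate queue for the server) and also shows why the NAT'd network is better matched on rl0. It assumes EXTIF=rl2 and NATIF=rl0 as in the post and keeps x.x.x.* as a placeholder; with IPFW=echo (the default here) it only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original post. One pipe, a queue pair per
# network keyed per host, and a separate queue for the x.x.x.66 server.
# Assumes EXTIF=rl2 and NATIF=rl0 as in the post; x.x.x.* is a placeholder.
# IPFW=echo (default) only prints the rules; set IPFW=/sbin/ipfw to apply.
IPFW=${IPFW:-echo}
EXTIF=${EXTIF:-rl2}
NATIF=${NATIF:-rl0}
LINK_BW=8192kbit/s

# prefix_mask N: full 32-bit hex mask for a /N prefix, e.g. 27 -> 0xffffffe0.
# ipfw masks must be 32-bit; the post's 0xffffe0 is read as 0x00ffffe0.
prefix_mask() {
    printf '0x%08x\n' "$(( (0xffffffff << (32 - $1)) & 0xffffffff ))"
}

# net_queues BASE WEIGHT NET IFACE DIR: DIR ("in" or "out") is the direction
# in which traffic *from* NET is seen on IFACE; the reply direction follows.
# Two queues per network: outbound flows keyed by the LAN host's source
# address, inbound flows by its destination address, so dummynet shares the
# weight equally between hosts. Weight and mask sit on one config line,
# because a second "queue N config" replaces the first one.
net_queues() {
    base=$1; weight=$2; net=$3; iface=$4; from_dir=$5
    if [ "$from_dir" = out ]; then to_dir=in; else to_dir=out; fi
    host_mask=$(prefix_mask 32)
    $IPFW queue "$base" config pipe 1 weight "$weight" mask src-ip "$host_mask"
    $IPFW queue "$((base + 1))" config pipe 1 weight "$weight" mask dst-ip "$host_mask"
    $IPFW add "$((base * 100))" queue "$base" ip from "$net" to any "$from_dir" via "$iface"
    $IPFW add "$((base * 100 + 1))" queue "$((base + 1))" ip from any to "$net" "$to_dir" via "$iface"
}

# build_rules: the whole shaping set. Leave net.inet.ip.fw.one_pass=0 so a
# queued packet is reinjected and still reaches the natd divert rule; with
# one_pass=1 it would leave the ruleset right after dummynet.
build_rules() {
    $IPFW pipe 1 config bw "$LINK_BW"
    # exception host first, so it matches before the /27 rules
    $IPFW queue 1 config pipe 1 weight 30
    $IPFW add 100 queue 1 ip from x.x.x.66/32 to any out via "$EXTIF"
    $IPFW add 101 queue 1 ip from any to x.x.x.66/32 in via "$EXTIF"
    net_queues 2 30 x.x.x.64/27 "$EXTIF" out
    # on rl2 natd has rewritten the private addresses, so match the /24 on
    # rl0, where its hosts are seen arriving ("in") and leaving ("out")
    net_queues 4 30 192.168.29.0/24 "$NATIF" in
}

build_rules
```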