ipfw/dummynet question

security security at jim-liesl.org
Thu Nov 20 19:58:18 PST 2008

context is 7.1-beta2

I'm using a FreeBSD box as a router and IPFW/dummynet to simulate 3 WAN
connections.  The three networks are actually on the same LAN, but have
aliased IPs on the router's NIC (router on a stick).  I've set up
bi-directional pipes for each "net" that enforce various impairments.

What I'm trying to do is have all traffic to or from "net-a" simulate a
30Mbit link, "net-b" a 20Mbit, and "net-c" a 10Mbit one.  Traffic coming
from elsewhere would not be touched until it was outbound for one of the
3 nets, and likewise, traffic coming from the 3 nets and going
elsewhere would only be touched coming in.  Traffic whose src and dst
don't match at all would fall through.  An example would be traffic from
"net-a" going to "net-c" gets passed into the router like it's on a
30Mbit link, but heads out (after routing) like it's on a 10 Mbit link.

Am I on the right path or have I made some stupid assumption(s)?  I
realize I have a few extra rules that could be optimized out, but this
is probably good for the sake of readability.  Another question: is each
ip flow treated like it has its own dedicated bw, or do all flows that
match a pipe share the b/w?


(assume one_pass is set)
${fwcmd} add 10 skipto 100 ip from any to any in
${fwcmd} add 20 skipto 500 ip from any to any out
${fwcmd} add 100 pipe 1 ip from net-a to any
${fwcmd} add 200 pipe 2 ip from net-b to any
${fwcmd} add 300 pipe 3 ip from net-c to any
${fwcmd} add 400 skipto 65535 ip from any to any
${fwcmd} pipe 1 config bw 30Mbit/s
${fwcmd} pipe 2 config bw 20Mbit/s
${fwcmd} pipe 3 config bw 10Mbit/s
${fwcmd} add 500 pipe 4 ip from any to net-a
${fwcmd} add 600 pipe 5 ip from any to net-b
${fwcmd} add 700 pipe 6 ip from any to net-c
${fwcmd} pipe 4 config bw 30Mbit/s
${fwcmd} pipe 5 config bw 20Mbit/s
${fwcmd} pipe 6 config bw 10Mbit/s
${fwcmd} add 1000 skipto 65535 ip from any to any
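As an added check, not part of the original post and not an ipfw feature: a small Python walk of the rule set above for one packet, using constructed subnets in place of the poster's net-a/net-b/net-c aliases and assuming rule 65535 is the default accept. It shows which pipes a routed packet meets on each leg (net-a to net-c: pipe 1 inbound, pipe 6 outbound) and that the one_pass setting does not change the outcome for this particular rule set.

```python
import ipaddress

# Constructed stand-ins for the poster's "net-a"/"net-b"/"net-c" aliases (assumption).
NETS = {
    "net-a": ipaddress.ip_network("10.1.0.0/24"),
    "net-b": ipaddress.ip_network("10.2.0.0/24"),
    "net-c": ipaddress.ip_network("10.3.0.0/24"),
}

# The poster's rules as (number, action, target, direction, src, dst).  The
# "pipe N config bw" lines only size the pipes; a pipe without a mask is one
# shared link, so every flow that hits it shares that bandwidth.
RULES = [
    (10, "skipto", 100, "in", "any", "any"),
    (20, "skipto", 500, "out", "any", "any"),
    (100, "pipe", 1, None, "net-a", "any"),
    (200, "pipe", 2, None, "net-b", "any"),
    (300, "pipe", 3, None, "net-c", "any"),
    (400, "skipto", 65535, None, "any", "any"),
    (500, "pipe", 4, None, "any", "net-a"),
    (600, "pipe", 5, None, "any", "net-b"),
    (700, "pipe", 6, None, "any", "net-c"),
    (1000, "skipto", 65535, None, "any", "any"),
]

def _match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in NETS[spec]

def pipes_for(direction, src, dst, one_pass=True):
    """Return the pipes one packet passes through; rule 65535 is assumed to accept.
    one_pass=1 exits the firewall after a pipe, one_pass=0 reinjects at the next rule."""
    hit, i = [], 0
    while i < len(RULES):
        _num, action, target, rdir, rsrc, rdst = RULES[i]
        if (rdir is None or rdir == direction) and _match(rsrc, src) and _match(rdst, dst):
            if action == "pipe":
                hit.append(target)
                if one_pass:
                    return hit
            elif action == "skipto":
                if target == 65535:
                    return hit
                i = next(k for k, r in enumerate(RULES) if r[0] >= target)
                continue
        i += 1
    return hit

def routed(src, dst):
    """Pipes seen on the inbound leg, then on the outbound leg after routing."""
    return pipes_for("in", src, dst), pipes_for("out", src, dst)
```

Traffic from outside the three nets to net-c gets no pipe inbound and pipe 6 outbound, matching the intent described in the post.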

More information about the freebsd-net mailing list