[with additional question] Re: ipfw//dummynet question

Nathan Kinkade nkinkade at ub.edu.bz
Wed Feb 25 06:44:06 PST 2004

On Wed, Feb 25, 2004 at 06:47:30AM +0100, Hugo (6s-gaming.com) wrote:
> Hi list,
> Say I want to limit the bandwidth from all inside my LAN to the outside.
> I'd create the pipes and make 2 rules to pipe any traffic (in&out). My
> question is, would creating these 2 rules make all traffic be promptly
> accepted, or would they be accepted or blocked based on the rest of the
> ruleset? If they're accepted upon the pipe rule, how to make them be piped
> BUT only accepted if they match any of the rules on the ruleset? Do I need
> to create pipe rules for _everything_?
> Regards,
> Hugo

If I understand your question, you can have any number of rules that all
use a single pipe.  For example, you could have something like:

ipfw add pipe 1 ip from to any dst-port 3333
ipfw add pipe 1 ip from to www.somedomain.com
ipfw add pipe 1 ip from to any

And maybe pipe 1 is configured as such:
pipe 1 config bw 50Kbyte/s

This actually brings me to a question of my own.  The ipfw manpage talks
about making sure to keep in mind that packets are checked both 'in' and
'out'.  I see that some people have implemented bandwidth rules using 2
separate rules for in and out.  I have a setup that uses a 'keep-state'
on a single 'in' rule and it seems to work fine.  What is the effective
or functional difference between using two separate rules for in and out
or a single rule using a keep-state?  Is one more efficient than
another, or would the two do totally different things?

gpg --keyserver pgp.mit.edu --recv-keys D8527E49