ipfw - bandwidth throttling (sanity check!)
RW
list-freebsd-2004 at morbius.sent.com
Tue Sep 12 14:13:52 PDT 2006
On Tuesday 12 September 2006 20:49, Odhiambo Washington wrote:
> Hello Security guy ;)
>
> I have tried very hard to understand ipfw just for the purpose of
> bandwidth throttling for smtp service.
>
> Basically, I want to throttle the bandwidth used by my SMTP
> server outbound to _anyone_ else except my ip blocks.
>
> My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
> e.f.g.h/20
>
>
> Are the following rules sane enough?
>
> ipfw pipe 1 config bw 256Kbit/s
> ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
> ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25
This queues all outgoing smtp to the pipe.

You also need to set net.inet.ip.fw.one_pass=1 to avoid the packets
re-entering the rules on the next line. Setting that means that the packets
cannot pass through dynamic rules. It is possible to use dynamic rules with
dummynet, but it's a pain.
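Added example, not part of the original reply: a small Python model of how the two quoted rules are evaluated, showing why every port-25 destination lands in pipe 1 and what net.inet.ip.fw.one_pass changes. The 10.x networks are constructed stand-ins for the a.b.c.d/19 and e.f.g.h/20 placeholders, and the combined-exclusion rule is a hypothetical comparison, not a rule given in the thread.

```python
import ipaddress

# Constructed stand-ins for the a.b.c.d/19 and e.f.g.h/20 placeholders.
BLOCK_A = ipaddress.ip_network("10.10.0.0/19")
BLOCK_B = ipaddress.ip_network("10.20.0.0/20")

# Each rule is (action, excluded_networks): it matches a port-25 packet
# whose destination is in none of the excluded networks ("to not X 25").
QUOTED_RULES = [
    ("pipe 1", [BLOCK_A]),   # ... to not a.b.c.d/19 25
    ("pipe 1", [BLOCK_B]),   # ... to not e.f.g.h/20 25
]

# Hypothetical comparison: one rule that excludes both blocks together.
COMBINED_RULE = [("pipe 1", [BLOCK_A, BLOCK_B])]


def pipe_passes(rules, dst, one_pass):
    """Return how many times a port-25 packet to dst goes through the pipe."""
    addr = ipaddress.ip_address(dst)
    passes = 0
    for _action, excluded in rules:
        if any(addr in net for net in excluded):
            continue              # negated address matched: rule is skipped
        passes += 1               # packet is handed to the pipe
        if one_pass:
            break                 # one_pass=1: packet leaves the ruleset
        # one_pass=0: packet re-enters the ruleset at the next rule
    return passes


if __name__ == "__main__":
    samples = {
        "inside first block": "10.10.1.1",
        "inside second block": "10.20.1.1",
        "outside both": "198.51.100.7",   # constructed external address
    }
    for label, dst in samples.items():
        print(f"{label:20} quoted one_pass=0: "
              f"{pipe_passes(QUOTED_RULES, dst, False)}  "
              f"quoted one_pass=1: {pipe_passes(QUOTED_RULES, dst, True)}  "
              f"combined: {pipe_passes(COMBINED_RULE, dst, True)}")
```

A destination inside one block is still caught by the rule that negates the other block, so the exemption never takes effect; with one_pass=0 an outside destination is shaped twice.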