per protocol bandwidth filters for firewall

Matthew Seaman m.seaman at
Mon May 4 16:45:17 UTC 2009

Tamar Lea wrote:
> Hello all,
> I have inherited the job of maintaining a FreeBSD firewall that sits behind
> an ADSL line that connects 128 clients to the internet. I have not used
> FreeBSD before but have some Linux experience. The connections must be
> always on though I am allowed to reboot if absolutely necessary. It is using
> ipfilter and ipnat. There have been issues with clients taking up too much
> bandwidth, so after several hours of careful testing I managed to redirect
> all traffic on port 80 to a squid service using ipnat. This uses delay pools
> to limit the max speed per user. However I would also like to limit the max
> speed per user for streaming traffic on port 1935. Would this be possible
> with the current setup and what programs or config would be able to do the

Hmmm... out of the three possible choices for firewall implementations under
FreeBSD you have ended up with probably the least capable one.  ipfilter's 
unique selling point is that it is available on a large number of different
systems.  In this case I don't think that really counts for much.

The other two alternatives -- together with their associated QoS / traffic
shaping technologies -- are:

  ipfw + dummynet

     This is a FreeBSD specific firewall implementation.  It's a first
     match wins type ruleset which provides all the usual functionality:
     NAT, stateful filtering etc.  It can be a bit tricky to manage on
     a live system as remote updates to the ruleset have an unfortunate
     tendency to lock you out of the system.

  pf + altq

     This is the new and shiny firewall system ported from OpenBSD. 
     It's a last match wins type ruleset, modified by 'quick' (immediately
     applied) rules (similar to ipf), so more flexible than ipfw.  The
     configuration file is also a lot more readable than ipfw IMHO.  You will
     need to build a custom kernel to make use of ALTQ functionality as for
     some reason that cannot be provided by a loadable kernel module like the
     rest of pf(4).  This would be my personal preference for solving the
     problem you describe.

Either of these two should serve you well and allow you to do the required
traffic shaping.  Note: while it is technically possible to run more than
one of the three firewall packages at once, that way madness lies, particularly
for fledgeling administrators.  It might be worth it for a short time if you
really, absolutely, no alternative, have to do a zero-downtime cut-over, but
the risks of something going wrong are significant.  A quick restart with new
software is hardly any more intrusive and a lot safer.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
                                                  Kent, CT11 9PW
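As an added example (not from this thread, and not the firewalls' own documentation), here is the ipfw + dummynet approach to the per-user cap on TCP port 1935 that the reply mentions. The LAN interface em0, the client subnet 192.168.1.0/24, the rates, the rule numbers and the function names are all assumed placeholders. dummynet's mask keyword is what makes the cap per-client: the kernel creates one dynamic pipe per distinct client address, whereas ALTQ queues are declared statically in pf.conf, so a per-host limit there needs one queue per client. Matching on the LAN interface rather than the ADSL interface keeps the rules independent of where NAT rewrites addresses.

```shell
#!/bin/sh
# Added example: per-client dummynet pipes for RTMP (TCP 1935) on FreeBSD.
# Interface, subnet and rates below are assumptions, not values from the thread.
LAN_IF="${LAN_IF:-em0}"                 # assumed LAN-side interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed client subnet
DOWN_KBIT="${DOWN_KBIT:-256}"           # per-client cap, server -> client
UP_KBIT="${UP_KBIT:-64}"                # per-client cap, client -> server

# Emit the ipfw commands in /etc/ipfw.rules style (no leading "ipfw").
# 'mask dst-ip 0xffffffff' on pipe 1 gives every client its own downstream
# pipe; 'mask src-ip 0xffffffff' on pipe 2 does the same upstream.  Without
# the mask all 128 clients would share a single cap.
rtmp_rules() {
    cat <<EOF
pipe 1 config bw ${DOWN_KBIT}Kbit/s mask dst-ip 0xffffffff queue 50
pipe 2 config bw ${UP_KBIT}Kbit/s mask src-ip 0xffffffff queue 50
add 1000 pipe 1 tcp from any 1935 to ${LAN_NET} out xmit ${LAN_IF}
add 1010 pipe 2 tcp from ${LAN_NET} to any 1935 in recv ${LAN_IF}
EOF
}

# Number of lines the generator emits; used as a sanity check before applying.
rtmp_rule_count() {
    rtmp_rules | wc -l | tr -d ' '
}

# Load the generated rules on the firewall.  Only the two pipes and rules
# 1000/1010 are touched; the existing allow/deny rules are left alone, so
# a typo here cannot lock you out.  Re-running is idempotent because the
# old copies are deleted first.
apply_rtmp_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    [ "$(rtmp_rule_count)" -eq 4 ] || { echo "unexpected rule set" >&2; return 1; }
    ipfw -q delete 1000 1010 2>/dev/null
    ipfw -q pipe 1 delete 2>/dev/null
    ipfw -q pipe 2 delete 2>/dev/null
    tmp=$(mktemp /tmp/rtmp_rules.XXXXXX) || return 1
    rtmp_rules > "$tmp"
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only apply when explicitly asked, so the script can be sourced or reviewed
# safely: "sh rtmp-shape.sh apply" on the firewall, anything else just prints.
if [ "${1:-}" = "apply" ]; then
    apply_rtmp_rules
else
    rtmp_rules
fi
```

The pipes rely on the default net.inet.ip.fw.one_pass=1, under which a packet that has been through a pipe is accepted without being re-matched against later rules. Both ipfw.ko and dummynet.ko must be loaded; on a GENERIC kernel, loading ipfw installs a default deny rule, which is exactly the lockout the reply warns about, so enable it from the console first (firewall_enable="YES" and firewall_type="open" in rc.conf) and only then add the pipe rules.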


More information about the freebsd-questions mailing list