I.e: Is this correct, when trying to limit any single host to use
just 128kbps/s when connecting to my sendmail?
ipfw add 00100 pipe 10 tcp from any 25 to any in
ipfw add 00105 pipe 20 tcp from any to any dst-port 25 out
ipfw pipe 10 config mask src-ip 0xffffffff bw 128kbits/s
ipfw pipe 20 config mask dst-ip 0xffffffff bw 128kbits/s
Yes, it will work as expected; try to get used to defining 0x000000ff as
the mask for single hosts, to avoid tunnelling per network by mistake.
Also, should those "add pipe" come before any other rule in the ipfw
configuration?
It depends on "how" you are working your firewall. If it is the default
behaviour, when the sequential processing matches the pipe rule the packet
will be treated as allowed (as with an "allow" rule). That is not true if
you have the sysctl MIB net.inet.ip.fw.one_pass=0: after being piped
through dummynet the packet is still processed sequentially, so it needs a
later rule to match for an "allow" decision.
With this in mind where you will put the rule depends if you need extra
SMTP filtering before or after limiting bandwidth.
--
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
[EMAIL PROTECTED]
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
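As an added illustration (not code from this thread, from ipfw or from FreeBSD), the following Python model walks a rule list the way the reply describes: in number order, with a "pipe" rule either ending processing as an allow (one_pass=1) or letting the packet continue to the next rule (one_pass=0). It also computes the dummynet flow key an address gets under a pipe "mask" value. The extra rules 50/200, the sample packet addresses and the default-deny final rule 65535 are assumptions made for the example; the real kernel's default rule is a build-time option.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str            # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str               # "allow", "deny" or "pipe"
    proto: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: Optional[str] = None
    pipe: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto in ("any", p.proto))
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction))


def process(rules, pkt, one_pass):
    """Walk rules in number order; return (verdict, rule_number, pipes).

    pipes lists the dummynet pipes the packet was queued through.  The
    implicit last rule 65535 is modelled as deny (assumption, see lead-in)."""
    pipes = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "pipe":
            pipes.append(rule.pipe)
            if one_pass:
                return "allow", rule.number, pipes   # pipe rule acts as allow
            continue                                 # one_pass=0: keep walking
        return rule.action, rule.number, pipes
    return "deny", 65535, pipes


def queue_key(ip: str, mask: int) -> int:
    """Flow key an address gets under a pipe 'mask src-ip/dst-ip' value.
    Hosts with the same key share one queue and therefore one bandwidth cap."""
    return int(ipaddress.IPv4Address(ip)) & mask


# The two pipe rules from the thread (rules 100 and 105), as Rule objects.
PIPE_RULES = [
    Rule(100, "pipe", proto="tcp", sport=25, direction="in", pipe=10),
    Rule(105, "pipe", proto="tcp", dport=25, direction="out", pipe=20),
]

# Constructed sample packet: an outbound connection to a remote port 25,
# which matches rule 105.
SMTP_OUT = Packet("tcp", "192.0.2.10", "198.51.100.25", 51000, 25, "out")


def verdict_pipe_only(one_pass):
    """Only the two pipe rules: shows what one_pass changes by itself."""
    return process(PIPE_RULES, SMTP_OUT, one_pass)


def verdict_with_late_deny(one_pass):
    """SMTP filtering placed after the pipe rules."""
    return process(PIPE_RULES + [Rule(200, "deny", proto="tcp", dport=25)],
                   SMTP_OUT, one_pass)


def verdict_with_early_deny(one_pass):
    """SMTP filtering placed before the pipe rules."""
    return process([Rule(50, "deny", proto="tcp", dport=25)] + PIPE_RULES,
                   SMTP_OUT, one_pass)


def verdict_with_late_allow(one_pass):
    """An explicit allow after the pipe rules, needed when one_pass=0."""
    return process(PIPE_RULES + [Rule(200, "allow", proto="tcp", dport=25)],
                   SMTP_OUT, one_pass)


if __name__ == "__main__":
    for op in (1, 0):
        print(f"one_pass={op}: pipes only      -> {verdict_pipe_only(op)}")
        print(f"one_pass={op}: deny after pipe -> {verdict_with_late_deny(op)}")
        print(f"one_pass={op}: deny before     -> {verdict_with_early_deny(op)}")
        print(f"one_pass={op}: allow after     -> {verdict_with_late_allow(op)}")
    print("0xffffffff:", queue_key("192.0.2.10", 0xffffffff),
          queue_key("192.0.2.11", 0xffffffff))
    print("0x000000ff:", queue_key("10.0.0.5", 0xff), queue_key("192.0.2.5", 0xff))
```

Running it shows the placement question from the thread in numbers: with one_pass=1 a deny at rule 200 never fires for piped traffic, so SMTP filtering has to sit before the pipe rules, while with one_pass=0 the same packet falls through to rule 200 and, without any later allow, to the default rule.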
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"