Re: New natd available
On Tue, Oct 01, 2002 at 08:34:35AM +0300, Ari Suutari wrote:
> Hi,
>
> Great to see natd maintained. As original author, I kind of miss
> the long command line options (ie. something like
> --daemon in addition to -d).
>

I used getopt(3) to parse the command line because I hate to reinvent the wheel all the time.

> The new code seems to use always a select-recvfrom combination
> to get the data. Someone complained to me about the old natd performance
> when that was used (the old code does not always use it). However,
> I must say that I'm not sure about how much it affects performance
> (having two syscalls instead of one).
>

In my first test I was able to nat a single ftp transfer at almost 100Mbps (10.10 MB/s) on a VIA C3 800 MHz (using 2 onboard fxp). Snapshot of top while doing transfer:

    last pid: 223; load averages: 0.21, 0.06, 0.02  up 0+00:21:44  12:07:17
    24 processes: 2 running, 22 sleeping
    CPU states: 2.7% user, 0.0% nice, 43.6% system, 24.1% interrupt, 29.6% idle
    Mem: 5712K Active, 6596K Inact, 10M Wired, 4K Cache, 6880K Buf, 217M Free
    Swap: 128M Total, 128M Free

    PID USERNAME PRI NICE  SIZE   RES STATE   TIME   WCPU    CPU COMMAND
    222 root       2    0  520K  284K RUN     0:21 34.89% 34.77% natd
     84 root       2    0 2596K 1856K select  0:00  0.00%  0.00% sshd
    223 root      28    0 1908K 1180K RUN     0:00  0.00%  0.00% top

A single ftp transfer is probably not representative but shows the (top) performance.

The new code uses the select-recvfrom combination because of the extended capabilities. A simple solution would be to set the divert sockets to nonblocking and do a select-recvfrom-recvfrom* loop as long as packets are received.

If more speed is needed every syscall and packet copying should be avoided and natd/libalias should be merged into ipfw.

--
:wq Claudio
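The select-recvfrom-recvfrom* loop described in the message above, as an added example that is not part of the original post or of natd's code. It assumes an AF_UNIX datagram pair as a stand-in for the divert socket; the function names and the `max_batch` cap are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Non-blocking: recvfrom() fails with EAGAIN once the queue is empty. */
static int set_nonblocking(int fd)
{
    int fl = fcntl(fd, F_GETFL, 0);
    return fl == -1 ? -1 : fcntl(fd, F_SETFL, fl | O_NONBLOCK);
}

/* One select(), then recvfrom() until the queue is empty or max_batch
 * packets were read. Returns packets read or -1; *syscalls counts calls. */
static int drain_socket(int fd, int max_batch, long *bytes, int *syscalls)
{
    unsigned char buf[65535];
    struct timeval tv = { 1, 0 };      /* 1 s wait, arbitrary for the demo */
    fd_set rfds;
    int handled = 0, r;

    if (fd < 0 || fd >= FD_SETSIZE)    /* FD_SET() is undefined beyond this */
        return -1;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    r = select(fd + 1, &rfds, NULL, NULL, &tv);
    ++*syscalls;
    if (r <= 0)                        /* timeout, EINTR or error */
        return (r == 0 || errno == EINTR) ? 0 : -1;

    /* The cap keeps one busy socket from starving the others. */
    while (handled < max_batch) {
        struct sockaddr_storage from;
        socklen_t fromlen = sizeof(from);
        ssize_t len = recvfrom(fd, buf, sizeof(buf), 0,
                               (struct sockaddr *)&from, &fromlen);
        ++*syscalls;
        if (len < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                break;                 /* queue drained: back to select() */
            if (errno == EINTR)
                continue;
            return -1;
        }
        *bytes += len;                 /* per-packet processing goes here */
        handled++;
    }
    return handled;
}

/* Constructed demo: queue n packets, drain once, return packets read. */
int demo_drain(int n, int max_batch, int *syscalls)
{
    int sv[2], i, handled = -1;
    long bytes = 0;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) == -1)
        return -1;
    if (set_nonblocking(sv[1]) == 0) {
        for (i = 0; i < n; i++)
            if (send(sv[0], "constructed packet", 18, 0) != 18)
                break;
        if (i == n)
            handled = drain_socket(sv[1], max_batch, &bytes, syscalls);
    }
    close(sv[0]);
    close(sv[1]);
    return (handled >= 0 && bytes == 18L * handled) ? handled : -1;
}

int main(void)
{
    int sc = 0;
    /* 5 queued packets: 1 select + 5 reads + 1 EAGAIN, instead of 10 calls */
    return (demo_drain(5, 64, &sc) == 5 && sc == 7) ? 0 : 1;
}
```

With five packets queued, the drain costs seven system calls where a select per packet would cost ten; the saving grows with the burst size.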
non-transparent IPsec via a tun interface?
I have a firewall system that has a dedicated interface on which only IPsec traffic is going out and coming in. The firewall encrypts and decrypts these packets.

I am using Ipfilter on that system and I would like to filter on the unencrypted content, both incoming and outgoing.

The problem is that on the "IPsec interface" I only see the encrypted traffic.

Is there a way to make IPsec be non-transparent?

E.g: have a /dev/tun interface that is the non-encrypted variant of the dedicated ipsec interface? (I route packets into the tun interface and they are encrypted and put out of the real dedicated interface, and vice versa: if IPsec traffic comes into the real interface, it is decrypted and sent through the tunnel)

-Guido
Re: non-transparent IPsec via a tun interface?
I have done similar to this using the GIF interface. Each tunnel between sites had a gif interface and I firewalled for only ESP packets to and from the correct machines on the external interface, and for correct packets for permitted protocols and ports on the unencrypted data on the gif interfaces.

Since then I have stopped using the gif interfaces and have started tunnelling using mpd across a udp connection, which in turn is IPSEC encrypted. Instead of firewalling on the gif interfaces I now do it on the ng interface.

The reason for using mpd is to use multilink PPP for the tunnels. I have multiple tunnels on different ISPs between sites so that if one ISP gets ill (which happens a bit), the connection suffers a bandwidth degradation but is still useable.

On Tue, 1 Oct 2002, Guido van Rooij wrote:
> I have a firewall system that has a dedicated interface on which only
> IPsec traffic is going out and coming in. The firewall
> encrypts and decrypts these packets.
>
> I am using Ipfilter on that system and I would like to filter on
> the unencrypted content, both incoming and outgoing.
>
> The problem is that on the "IPsec interface" I only see the encrypted
> traffic.
>
> Is there a way to make IPsec be non-transparent?
>
> E.g: have a /dev/tun interface that is the non-encrypted variant of the
> dedicated ipsec interface? (I route packets into the tun interface
> and they are encrypted and put out of the real dedicated interface,
> and vice versa: if IPsec traffic comes into the real interface, it
> is decrypted and sent through the tunnel)
>
> -Guido
unix routing
Hello,

I'm looking for a good book on unix routing (from the ground up); every routing book I seem to find only covers IOS.

There are different solutions, for example gated, zebra and so on. What is most used, what can you recommend, and what supports both ipv6 and ipv4?

thanks
/John
Intel PRO/100 S
Hi,

yesterday I bought a network card to connect a second PC to my old machine. They had only one type of card in the store so I bought it anyway, despite its rather high price of 37 Euro.

Today I took a closer look. It is an Intel PRO/100 S board packaged in plastic pack, without docs. It comes with 3 wire cable labeled "BIZLINK" and has "TRIPLE DES" on a label.

As far as I can tell from a bit of Google research, it features hardware encryption/decryption.

Questions:
- Can I use it under FreeBSD?
- Can I make use of that hardware acceleration?
- What is the 3 wire cable for?

Regards,
Marc
Re: Bluetooth stack for FreeBSD
Hello Julian,

Sorry to bug you, but are you still interested in this? Not sure if you were following but the latest snapshot (2002/09/22) is available for download at http://www.geocities.com/m_evmenkin/

I am asking because you are the only person who has some interest and actually looked at the code. Also NetBSD folks (Lennart Augustsson) seem to work on Bluetooth too. Is it better for FreeBSD to wait until NetBSD stack is done and then port it back?

thanks,
max

--- Julian Elischer <[EMAIL PROTECTED]> wrote:
> what a coincidence!
>
> I was just discussing this with people here at USENIX and I'd like to
> start the process for committing this.
>
> Do you think it deserves a separate directory under netgraph,
> or maybe a netbluetooth directory.
>
> the documentation needs to be made 'commit-ready' too, as well as some
> examples ready to put in /usr/share/examples/netgraph.
>
> On Thu, 13 Jun 2002, Maksim Yevmenkin wrote:
>
> > [cc: [EMAIL PROTECTED]]
> >
> > Hackers,
> >
> > Another developer snapshot is available at
> >
> > http://www.geocities.com/m_evmenkin/ngbt-fbsd-20020613.tar.gz
> >
> > This release is for -current DP1 only. I had to
> > downgrade back to DP1 due to huge amount of changes
> > in -current.
> >
> > Brief list of changes
> >
> > - Basic support for USB devices. I got myself a
> >   3Com USB Bluetooth dongle (aka ToothBrush :)
> >
> > - Make everything GCC 3.X friendly.
> >
> > - Minor bug fixes
> >
> > As always, i would like to get some feedback. I'm very
> > interested to hear from people who are familiar with FreeBSD
> > kernel, Netgraph, Bluetooth and/or USB.
> >
> > thanks,
> > max
Re: New natd available
Andre Oppermann wrote:
>
> In the FreeBSD May-June 2002 Status Report we have announced a natd
> rewrite to make its configuration options more powerful and support
> more ip addresses to nat to.

I haven't had time to look at the new natd yet, but the old one would easily get into a state where it ate up 100% of the CPU time (on our local ISI network, which has admittedly lots of strange packets on it from experiments.)

http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/36183 says it was fixed in 4.5, but I've seen it with 4.6 still (not sure if the same reasons caused it though.)

Has this been tested with the new natd?

Lars
--
Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
Re: Bluetooth stack for FreeBSD
On Tue, Oct 01, 2002 at 09:42:08AM -0700, Maksim Yevmenkin wrote:
> Hello Julian,
>
> Sorry to bug you, but are you still interested in this? Not sure if you
> were following but the latest snapshot (2002/09/22) is available for download
> at http://www.geocities.com/m_evmenkin/
>
> I asking because you are the only person who has some interest and actually
> looked at the code. Also NetBSD folks (Lennart Augustsson) seem to work on
> Bluetooth too. Is it better for FreeBSD to wait until NetBSD stack is done
> and then port it back?
>

I've not taken a look at the blue tooth stuff in NetBSD, but if you're working in this area you ought to take a look at their code yourself to see how far they've got.

Joe
--
"As far as the laws of mathematics refer to reality, they are not certain; and as far as they are certain, they do not refer to reality." - Albert Einstein, 1921
Re: Intel PRO/100 S
* From: Marc Ernst Eddy van Woerkom <[EMAIL PROTECTED]>
  [ Date: 2002-10-01 ]
  [ Subject: Intel PRO/100 S ]
> Hi,
>
> yesterday I bought a network card to connect a second PC
> to my old machine.
> They had only one type of card in the store so I bought it anyway,
> despite its rather high price of 37 Euro.
>
> Today I took a closer look.
> It is an Intel PRO/100 S board packaged in
> plastic pack, without docs.
> It comes with 3 wire cable labeled
> "BIZLINK" and has "TRIPLE DES" on a label.
>
> As far as I can tell from a bit of Google
> research, it features hardware encryption/decryption.
>
> Questions:
> - Can I use it under FreeBSD?

Yes, as an fxp(4).

> - Can I make use of that hardware acceleration?

Not under FreeBSD.

> - What is the 3 wire cable for?

For WOL.

>
> Regards,
> Marc

--
Juli Mallett <[EMAIL PROTECTED]>       | FreeBSD: The Power To Serve
Will break world for fulltime employment. | finger [EMAIL PROTECTED]
http://people.FreeBSD.org/~jmallett/      | Support my FreeBSD hacking!
IPsec & Multiple WAN links
Hi,

I've been running FreeBSD on 2 boxes, each with their own WAN links for over 18 months or so. Each box has its own WAN link (one uses T1 leased line to a remote site, the other uses DSL to an ISP.) The ISP link runs IPsec and racoon. The other end of the IPsec tunnel is a VPN appliance. The ISP (and IPsec tunnels) is used to backup the T1.

I now want to move both WAN links to one FreeBSD box (in time on Soekris HW.) I am having trouble duplicating the desired IPsec policies when both WAN links are in one box, and only one needs (should) have IPsec enabled on it.

How can I define a SPD for just the interface that I need? Using setkey, spdadd doesn't let me specify which interface IPsec is to be defined for.

Before:
With the working config, (i.e. two boxes), since there is only one WAN link per box, the SPD (and IPsec) only exist on the box connected to the Internet. When a packet destined to a subnet routes via the T1 "leased line" box, (the normal case) things work. When this T1 is up, routing makes this the shortest path. When a packet destined to this same subnet follows the default route to the IPsec box, (e.g. T1 link is down) the SPD on the FreeBSD box applies the defined IPsec policy (e.g. tunnel & 3DES) and sends the packet to the VPN appliance at the other end of the tunnel.

After:
When both WAN links are in one box, the packet is always encrypted and sent to the tunnel endpoint, but via the T1 link. Since the tunnel endpoint is the public side of the VPN appliance, the packet is dropped as it reaches that device via the private Ethernet port. (This is today, after I had the firewall at the remote end of the T1 stop dropping IPsec packets.)

I'm running 4.6-Stable (cvsup'ed both source & ports after 4.6.2).

Thanks,
MikeC
limit to data in flight
Hi all,

I'm seeing something strange here... I have a freebsd box running iperf (4.6-RELEASE-p1, iperf 1.6.2 with pthreads patches). When attempting to use a 1MB tcp window, the box won't put more than 256kB in flight after the first connection to a given host.

I seem to remember hearing/reading/whatever that freebsd keeps track of congestion stats for a route in the kernel routing table and primes the congestion window for new sockets to the same destination with the previous values (thus eliminating a congestion avoidance cycle on each new socket). High-bandwidth connections between the hosts in question (the other is a linux box of indeterminate recent version) do hit congestion the first time.

However, in this particular case (since this is a test machine that we use to diagnose network problems) I'd like to be able to turn it off. I didn't see anything in sysctl that looked obvious, but I'm perfectly willing to believe I missed it.

So, can this be turned off? Also, what is the timeout on this data in the kernel?

Thanks!

--eli

Eli Dart                                    Office: (510) 495-2999
NERSC Networking and Security Group         Cell:   (510) 703-4508
Lawrence Berkeley National Laboratory       Fax:    (510) 486-4316
PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
Dummynet Usage Problems
I am sorry to ask such a simple question but however hard I have tried I am not getting 'dummynet' to work.

I have a proxy from which I would like to throttle the bandwidth of clients. The proxy acts as a router here.

I use the commands

    ipfw add pipe 1 ip from any to 10.0.1.0/24
    ipfw pipe 1 config bw 100Kbit/s

but I still don't see any reduction in bw. It's the same high bw it used to be. Am I doing anything wrong? I have read the docs well and I thought the above commands should work for me.

Thanks in advance,
Vinod
Re: Dummynet Usage Problems
Vinod wrote:
> i have proxy from which i would like to throttle the
> bandwidth of clients.the proxy acts as a router here.
>
> i use the commands
> ipfw add pipe 1 ip from any to 10.0.1.0/24
> ipfw pipe 1 config bw 100Kbit/s
>
> but i still dont see any reduction in bw.its the same
> high bw it used to be.Am i doing anything wrong?
> I have read the docs well and i thought the above
> commands should work for me.

What does your topology look like?
What are your other firewall rules?
How do you measure bandwidth?

Lars
--
Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
Re: Dummynet Usage Problems
My topology looks like this:

         10.0.0.8
    _ _ _ Video Server
    |
    outsideswitch-proxy---clients
    10.0.0.2 10.0.1.1 10.0.1.0/24

I don't have any other firewall rules. I am using Dummynet just as a packet filtering mechanism to throttle the bandwidth to certain clients. It's part of a research project.

I play streaming videos (from the video server) at the clients using realplayer and the realplayer shows what bandwidth I am getting.

Thanks,
Vinod

--- Lars Eggert <[EMAIL PROTECTED]> wrote:
> Vinod wrote:
> > i have proxy from which i would like to throttle the
> > bandwidth of clients.the proxy acts as a router here.
> >
> > i use the commands
> > ipfw add pipe 1 ip from any to 10.0.1.0/24
> > ipfw pipe 1 config bw 100Kbit/s
> >
> > but i still dont see any reduction in bw.its the same
> > high bw it used to be.Am i doing anything wrong?
> > I have read the docs well and i thought the above
> > commands should work for me.
>
> What does your topology look like?
> What are your other firewall rules?
> How do you measure bandwidth?
>
> Lars
> --
> Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
Re: limit to data in flight
Sorry to reply to my own post, but I have some updated info...

It appears that a host route is being cloned from the default route. The host route has an ssthresh value associated with it, which is picked up by subsequent connections that use this route.

We attempted to lock the ssthresh value at 0 (which would prevent its being used) by configuring the default route with an ssthresh of 0 and locking ssthresh. (route add -lock -ssthresh 0 default )

The first connection created a host route to the destination with rtt, ssthresh, etc identical to the default route, including the lock on ssthresh. Subsequent connections modified the value of ssthresh, even though there is a lock on it!

After first test:

    # route get portal.astro.sunysb.edu
       route to: portal.astro.sunysb.edu
    destination: portal.astro.sunysb.edu
        gateway: ernersc-128
      interface: sk0
          flags:
     recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0        0L         0         0         0     1500         0

    # route monitor

    (now run the second test)

    got message of size 196 on Tue Oct 1 16:12:08 2002
    RTM_GET: Report Metrics: len 196, pid: 184, seq 1, errno 0, flags:
    locks: inits:
    sockaddrs:
     portal.astro.sunysb.edu ernersc-128 sk0:0.0.5a.99.73.64 iperf
    ^C

    # route get portal.astro.sunysb.edu
       route to: portal.astro.sunysb.edu
    destination: portal.astro.sunysb.edu
        gateway: ernersc-128
      interface: sk0
          flags:
     recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0   221712L        72         2         0     1500         0

So, it appears that the lock is not being honored. Do I have this right, or am I missing something somewhere?

We've found a workaround for now: edit /usr/src/sys/netinet/tcp_input.c thusly:

*** tcp_input.c.cya Tue Oct 1 15:57:35 2002 --- tcp_input.c Tue Oct 1 16:17:55 2002 *** *** 2649,2664 else tp->snd_cwnd = mss * ss_fltsz; ! if (rt->rt_rmx.rmx_ssthresh) { /* * There's some sort of gateway or interface * buffer limit on the path. Use this to set * the slow start threshhold, but set the * threshold to no less than 2*mss. */ !
tp->snd_ssthresh = max(2 * mss, rt->rt_rmx.rmx_ssthresh); ! tcpstat.tcps_usedssthresh++; ! } } /* --- 2649,2664 else tp->snd_cwnd = mss * ss_fltsz; ! /*if (rt->rt_rmx.rmx_ssthresh) { */ /* * There's some sort of gateway or interface * buffer limit on the path. Use this to set * the slow start threshhold, but set the * threshold to no less than 2*mss. */ ! /*tp->snd_ssthresh = max(2 * mss, rt->rt_rmx.rmx_ssthresh); */ ! /*tcpstat.tcps_usedssthresh++; */ ! /*} */ } /*

All this does is make the tcp socket ignore any ssthresh value set on the route... it's like cutting chopsticks with a chainsaw.

Should the lock be preventing updates to ssthresh for that route? Or, am I misinterpreting something?

--eli

In reply to Eli Dart <[EMAIL PROTECTED]> :
>
> Hi all,
>
> I'm seeing something strange here... I have a freebsd box running
> iperf (4.6-RELEASE-p1, iperf 1.6.2 with pthreads patches). When
> attempting to use a 1MB tcp window, the box won't put more than 256kB
> in flight after the first connection to a given host.
>
> I seem to remember hearing/reading/whatever that freebsd keeps track
> of congestion stats for a route in the kernel routing table and
> primes the congestion window for new sockets to the same destination
> with the previous values (thus eliminating a congestion avoidance
> cycle on each new socket). High-bandwidth connections between the
> hosts in question (the other is a linux box of indeterminate recent
> version) do hit congestion the first time.
>
> However, in this particular case (since this is a test machine that
> we use to diagnose network problems) I'd like to be able to turn it
> off. I didn't see anything in sysctl that looked obvious, but I'm
> perfectly willing to believe I missed it.
>
> So, can this be turned off? Also, what is the timeout on this data
> in the kernel?
>
> Thanks!
>
> --eli
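Review bot: the new side of the hunk at 2649,2664 comments out the whole "if (rt->rt_rmx.rmx_ssthresh)" block, so no connection takes its slow start threshold from the route any more and "tcpstat.tcps_usedssthresh++" never runs, which changes behaviour for every destination rather than only for routes whose ssthresh metric is locked. Keep the block and narrow the condition to the case you want to skip, and put a comment above it saying why the route value is ignored. If the code really has to be disabled wholesale on a test machine, wrap it in #if 0 / #endif instead of closing each line with its own "/* ... */": the per-line form is only needed because of the block comment in the middle, and it leaves that comment describing behaviour the code no longer has.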
Re: Dummynet Usage Problems
Vinod wrote:
> my topology loks like this:
>
>      10.0.0.8
> _ _ _ Video Server
> |
> outsideswitch-proxy---clients
> 10.0.0.2 10.0.1.1 10.0.1.0/24
>
> i dont have any other firewall rules.I am using
> Dummynet just as a packet filtering mechanism to
> throttle the bandwidth to certain clients.Its part of
> a research project.
> I play streaming videos(from the video server) at the
> clients using realplayer and the realplayer shows what
> bandwidth i am getting.
...
>>>i use the commands
>>>ipfw add pipe 1 ip from any to 10.0.1.0/24
>>>ipfw pipe 1 config bw 100Kbit/s

That looks OK. What does "ipfw show" print?

Lars
--
Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
Re: Dummynet Usage Problems
ipfw pipe 1 show prints:

    1: 100.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
        mask: 0x00 0x/0x ->0x/0x

Thanks,
Vinod

--- Lars Eggert <[EMAIL PROTECTED]> wrote:
> Vinod wrote:
> > my topology loks like this:
> >
> >      10.0.0.8
> > _ _ _ Video Server
> > |
> > outsideswitch-proxy---clients
> > 10.0.0.2 10.0.1.1 10.0.1.0/24
> >
> > i dont have any other firewall rules.I am using
> > Dummynet just as a packet filtering mechanism to
> > throttle the bandwidth to certain clients.Its part of
> > a research project.
> > I play streaming videos(from the video server) at the
> > clients using realplayer and the realplayer shows what
> > bandwidth i am getting.
> ...
> >>>i use the commands
> >>>ipfw add pipe 1 ip from any to 10.0.1.0/24
> >>>ipfw pipe 1 config bw 100Kbit/s
>
> That looks OK. What does "ipfw show" print?
>
> Lars
> --
> Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
Re: New natd available
This is great news, thank you guys.

This is what I found during my testing.

#1. Connecting from w2k behind the fbsd using VPN doesn't work. Using the original natd does not have this problem.

#2. rdr, can we redirect udp as well?

This is my conf file,

    divert port natd -> dp1
    nat on dp1 from any to any -> interface xl1
    rdr on dp1 from any to interface xl1 port 53 -> 192.168.222.1 port 53

and this is my command line

    /opt/natd/natd -dilrs -f /opt/natd/natd.conf

I am happy to provide more information if required.

> Hello all
>
> In the FreeBSD May-June 2002 Status Report we have announced a natd
> rewrite to make its configuration options more powerful and support
> more ip addresses to nat to.
>
> The first functional preview is available here:
>
> http://diehard.n-r-g.com/stuff/freebsd/
>
> Please check this out and test it with real traffic. We'd appreciate
> any feedback about the syntax and any bugs. It'll get some more style
> treatment before declaring it for full public consumption.
>
> Next in row is the tcphostcache in a couple of days. After that the
> new routing table is coming.
>
> --
> Andre

--
Webbie
EMail : mailto:webbie(at)ipfw(dot)org
PGP Key: http://www.ipfw.org/pgpkey.txt
PGP Fingerprint: 1379 3D8A 024E 3C0E 1962 4E12 3742 0684 C29C 3537
..disk or the processor is on fire.
Re: Dummynet Usage Problems
Vinod wrote:
> --- Lars Eggert <[EMAIL PROTECTED]> wrote:
>
>>That looks OK. What does "ipfw show" print?
>
> ipfw pipe 1 show prints:
>
> 1: 100.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x/0x ->0x/0x

*Just* "ipfw show" - I was wondering if your packets match the filter.

Lars
--
Lars Eggert <[EMAIL PROTECTED]> USC Information Sciences Institute
Re: Dummynet Usage Problems
On Tue, 1 Oct 2002, Vinod wrote:
> i use the commands
> ipfw add pipe 1 ip from any to 10.0.1.0/24
> ipfw pipe 1 config bw 100Kbit/s

Make sure that you don't have

    ipfw allow all from any to any

before the rule which adds pipe 1. If so, packets will never enter the pipe.

Mike "Silby" Silbersack