Hi,

On Fri, Mar 7, 2008 at 2:54 PM, Anders Häggström <
[EMAIL PROTECTED]> wrote:

> Hello list!
>
> I have tried to solve this configuration-issue for a time now but
> without success,  so I'm asking if anyone can help me with an
> example-ruleset or point me to some good documentation that describe
> this type of setup.
>
> My scenario is a webserver at 10MBit/s with httpd-service, ftp-service
> and ssh-service and I want to limit the bandwidth to 1MBit/s inbound
> and 1MBit/s outbound per IP-address that is connected no matter what
> service/port they use and no matter how many connections that IP has
> occupied so that one visitor/user does not eat up all my bandwidth if
> he/she has more bandwidth available than my server.


That's exactly what the ipfw pipe/queue + mask syntax is for. The mask
parameter will allow filtering based on various specifiers like dst-ip,
src-ip, dst-port, src-port, proto, etc. Check the ipfw(8) manual page.


>
>
> An example is that "user1" connects to three different websites hosted
> on my webserver and download one release-image (large file, outbound)
> and "user2" is uploading a file by ftp to the server (large file,
> inbound) and "user3" is downloading a large file by ftp (outbound) and
> at the same time uploading another large file by scp/ssh (inbound). In
> my scenario the three users will load my server with a maximum of
> 1Mbit/s each per direction. In this example a total of 2MBit/s inbound
> and a total of 2MBit/s outbound even if some of the users have
> 100MBit/s available at their ISP.
>

I guess the following should do the job:

ipfw add pipe 1 ip from any to me in
ipfw add pipe 2 ip from me to any out
ipfw pipe 1 config mask src-ip 0xffffffff bw 1Mbit/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1Mbit/s

A pretty similar example is found even in ipfw(8) -- it's always best to
check the manual at the Examples section :).

A more complicated setup would have been to get a fixed bandwidth limit for
the entire traffic and force the users to fairly share the bandwidth between
themselves (with the same per-IP masking). That would require connecting
dynamic (masked) queues to a single pipe.

Regards,
Adrian Penisoara
ROFUG / EnterpriseBSD
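
The fair-sharing variant described in the last paragraph of the message above, sketched as an added example that is not part of the original post. Pipe numbers 10/20, queue numbers 1/2 and the 10Mbit/s total are assumptions; by default the script only prints the ipfw commands instead of applying them.

```shell
#!/bin/sh
# Added example: one fixed-rate pipe per direction, with per-IP dynamic
# queues attached to it. Unlike the per-IP pipes above (a hard 1Mbit/s for
# every address), the active addresses here split the pipe's total rate
# between them, because all dynamic queues carry the same default weight.

# Command used for each rule. The default only prints the ruleset; set
# IPFW=ipfw (as root, with dummynet loaded) to apply it.
: "${IPFW:=echo ipfw}"

# fair_share_rules TOTAL_BW
# TOTAL_BW is the limit per direction, e.g. 10Mbit/s or 512Kbit/s.
fair_share_rules() {
    total=$1
    num=${total%[KM]bit/s}
    # Reject a missing unit suffix or a non-numeric rate before touching ipfw.
    if [ "$num" = "$total" ]; then
        echo "bandwidth must end in Kbit/s or Mbit/s: $total" >&2
        return 1
    fi
    case $num in
        ''|*[!0-9]*)
            echo "bandwidth must start with a whole number: $total" >&2
            return 1 ;;
    esac

    # Hard limit for all traffic in each direction (assumed pipe numbers).
    $IPFW pipe 10 config bw "$total"    # inbound total
    $IPFW pipe 20 config bw "$total"    # outbound total

    # A full 32-bit mask creates one dynamic queue per remote address:
    # the source address for inbound traffic, the destination for outbound.
    $IPFW queue 1 config pipe 10 mask src-ip 0xffffffff
    $IPFW queue 2 config pipe 20 mask dst-ip 0xffffffff

    # Send the traffic through the queues rather than directly to the pipes.
    $IPFW add queue 1 ip from any to me in
    $IPFW add queue 2 ip from me to any out
}

# Print the ruleset for the assumed 10Mbit/s link (or the rate given as $1).
fair_share_rules "${1:-10Mbit/s}"
```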