Tamar Lea wrote:
Hello all, I have inherited the job of maintaining a FreeBSD firewall that sits behind an ADSL line that connects 128 clients to the internet. I have not used FreeBSD before but have some Linux experience. The connections must be always on though I am allowed to reboot if absolutely necessary. It is using ipfilter and ipnat. There have been issues with clients taking up too much bandwidth, so after several hours of careful testing I managed to redirect all traffic on port 80 to a squid service using ipnat. This uses delay pools to limit the max speed per user. However I would also like to limit the max speed per user for streaming traffic on port 1935. Would this be possible with the current setup and what programs or config would be able to do the
Hmmm... out of the three possible choices for firewall implementations under FreeBSD you have ended up with probably the least capable one. ipfilter's unique selling point is that it is available on a large number of different systems. In this case I don't think that really counts for much.

The other two alternatives -- together with their associated QoS / traffic shaping technologies -- are:

ipfw + dummynet

This is a FreeBSD specific firewall implementation. It's a first match wins type ruleset which provides all the usual functionality: NAT, stateful filtering etc. It can be a bit tricky to manage on a live system as remote updates to the ruleset have an unfortunate tendency to lock you out of the system.

pf + altq

This is the new and shiny firewall system ported from OpenBSD. It's a last match wins type ruleset, modified by 'quick' (immediately applied) rules (similar to ipf), so more flexible than ipfw. The configuration file is also a lot more readable than ipfw IMHO. You will need to build a custom kernel to make use of ALTQ functionality as for some reason that cannot be provided by a loadable kernel module like the rest of pf(4). This would be my personal preference for solving the problem you describe.

Either of these two should serve you well and allow you to do the required traffic shaping.

Note: while it is technically possible to run more than one of the three firewall packages at once, that way madness lies, particularly for fledgling administrators. It might be worth it for a short time if you really, absolutely, no alternative, have to do a zero-downtime cut-over, but the risks of something going wrong are significant. A quick restart with new software is hardly any more intrusive and a lot safer.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
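As an added illustration of the ipfw + dummynet route for the port 1935 question (this is not code from either post, nor from FreeBSD itself): dummynet pipes configured with a mask create one dynamic queue per client address, which is what "max speed per user" needs. The LAN interface fxp0, the client range 192.168.1.0/24 and the two rates are assumed placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Per-client bandwidth cap for port 1935 streaming using ipfw + dummynet.
# Interface name, LAN prefix and rates below are placeholders.
LAN_IF="${LAN_IF:-fxp0}"             # interface facing the 128 clients
LAN_NET="${LAN_NET:-192.168.1.0/24}" # client address range
STREAM_PORT="${STREAM_PORT:-1935}"
DOWN_RATE="${DOWN_RATE:-256Kbit/s}"  # per-client download cap
UP_RATE="${UP_RATE:-64Kbit/s}"       # per-client upload cap

# Print the rules in the form accepted by "ipfw <file>" (no leading "ipfw").
# The mask on each pipe makes dummynet keep a separate queue per client
# address (dst-ip for downloads, src-ip for uploads), so each client is
# limited independently instead of all 128 sharing one pipe.
# "buckets 256" sizes the hash table for the per-client queues.
rtmp_shaping_rules() {
    cat <<EOF
pipe 1 config bw $DOWN_RATE mask dst-ip 0xffffffff queue 20 buckets 256
pipe 2 config bw $UP_RATE mask src-ip 0xffffffff queue 20 buckets 256
add 1100 pipe 1 tcp from any $STREAM_PORT to $LAN_NET out via $LAN_IF
add 1200 pipe 2 tcp from $LAN_NET to any $STREAM_PORT in via $LAN_IF
EOF
}

# Load the rules on a FreeBSD host. With the default
# net.inet.ip.fw.one_pass=1 a packet is accepted as soon as it leaves
# the pipe, so place these rules after any filtering rules that must
# still apply to port 1935 traffic (or set one_pass=0).
apply_rtmp_shaping() {
    tmp=$(mktemp) || return 1
    rtmp_shaping_rules > "$tmp"
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if command -v ipfw >/dev/null 2>&1; then
    apply_rtmp_shaping
else
    rtmp_shaping_rules   # not on FreeBSD: only show what would be loaded
fi
```

Because a mask-based pipe is shared across all matching flows of one client, a client opening several streams still gets the single per-client rate, which is the behaviour the squid delay pools already give for port 80.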