ipfw and nic cards

Paul Civati paul at xciv.org
Mon Dec 2 11:56:33 GMT 2002


"Robin Garbutt" <rob at portfoliodesign.net> wrote:

> I have a freebsd box running ipfw with netdummy as I want to throttle
> the bandwidth useable from certain ip addresses.

I recently set up some throttling to restrict how much traffic a server
could serve.  Your situation is slightly different as you want to apply
the limits to a gateway, but it should be doable providing you adjust
the pipe rules to apply/match on certain interfaces depending on the
direction of the traffic.  I think it's best to filter on traffic
leaving (going out of) an interface.

[ add pipe IP match rule ]

# ipfw add pipe 1 ip from 172.27.5.99 to any out
00100 pipe 1 ip from 172.27.5.99 to any out

[ add pipe throttle rule ]

# ipfw pipe 1 config bw 30KBytes/s

# ipfw show
00100     0       0 pipe 1 ip from 172.27.5.99 to any
65535 12181 4773087 allow ip from any to any

# ipfw pipe show
00001: 240.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

Once traffic has passed 'pipe show' will return stats:

# ipfw pipe show
00001: 240.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp      172.27.5.99/21        172.27.5.20/65412 2824  4178586  0    0   0

> How would you set up the two nic cards need to do this?
> Do you allocate both of them ip addresses, one of them or do you use
> bridging?

Depends upon how your network is set up.  With two network cards allocated
IP addresses, you are setting up a router.  In this situation you will
have two different IP blocks, one on each side of the router.  All a
router basically does is forward packets between its interfaces.

If this was, say, your dialup/cable/DSL gateway box then this would make
sense.  If you wanted the throttling to sit somewhere transparently in
your network, then that's when you would use a bridge; a bridge basically
transparently extends your Ethernet.

Bridging works at the Ethernet level, and has no knowledge of what protocols
flow across the network (IP, IPX, AppleTalk, etc).

Routing works at the protocol level, and is used to route a specific protocol,
i.e. IP.

> as it stands, I have two networks cards seated, but only one is picked
> up when I look at ifconfig.

What type of cards are they?

-Paul-
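
Added example, not part of the original message: a POSIX sh dry-run generator for the gateway case discussed above, using one pipe per direction and matching packets as they leave each interface. The interface names fxp0/fxp1, rule and pipe numbers starting at 100, the second host address, and a routed setup without NAT are assumptions.

```sh
#!/bin/sh
# Dry-run generator: prints ipfw/dummynet commands, changes nothing itself.
# Assumed, not from the post: fxp0 = outside NIC, fxp1 = inside NIC,
# plain routing (no NAT), rule and pipe numbers from 100 upward unused.

# KBytes/s -> Kbit/s, the unit 'ipfw pipe show' reports (30 -> 240)
kbytes_to_kbit() {
    echo $(( $1 * 8 ))
}

# throttle_rules OUTSIDE_IF INSIDE_IF KBYTES_PER_SEC HOST...
throttle_rules() {
    ext_if=$1; int_if=$2; rate=$3
    shift 3
    # The output is meant to be piped to sh as root, so refuse anything
    # that is not a plain name, a number, or a dotted address (optionally /mask).
    case "$ext_if$int_if" in ''|*[!a-z0-9]*) echo "bad interface" >&2; return 1 ;; esac
    case $rate in ''|*[!0-9]*) echo "bad rate: $rate" >&2; return 1 ;; esac
    for host in "$@"; do
        case $host in ''|*[!0-9./]*) echo "bad host: $host" >&2; return 1 ;; esac
    done
    n=100
    for host in "$@"; do
        up=$n; down=$((n + 1))
        echo "# $host: ${rate} KBytes/s = $(kbytes_to_kbit "$rate") Kbit/s each way"
        # Upload: packets from the host, matched as they leave the outside NIC.
        echo "ipfw pipe $up config bw ${rate}KBytes/s"
        echo "ipfw add $up pipe $up ip from $host to any out via $ext_if"
        # Download: packets to the host, matched as they leave the inside NIC.
        echo "ipfw pipe $down config bw ${rate}KBytes/s"
        echo "ipfw add $down pipe $down ip from any to $host out via $int_if"
        n=$((n + 2))
    done
}

# Constructed sample: the address from the post plus a second made-up host.
throttle_rules fxp0 fxp1 30 172.27.5.99 172.27.5.100
```

Review the printed commands before piping them to sh on the gateway; 'ipfw pipe show' should then list each pipe at 240.000 Kbit/s.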




