'Re: firewalling and ALTQ'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freebsd-pf
Subject:    Re: firewalling and ALTQ
From:       Max Laier <max () love2party ! net>
Date:       2007-06-19 12:01:45
Message-ID: 200706191401.56528.max () love2party ! net
[Download RAW message or body]


On Tuesday 19 June 2007, Rob Shepherd wrote:
> I've just installed FreeBSD with a view to making a traffic shaping, or
> essentially transfer capacity limiting device.
>
> This must sit on bridged interfaces between org and edge outers.

It can be difficult to wrap one's head around traffic shaping on bridges 
because of the ambiguous of IN/OUT on a bridge.  Be sure to filter on the 
member interfaces instead and apply queueing there.

> I'm having some difficulty working out which bits I need, which packet
> filter to use and how to get started.
>
> The appears to be 3 packet filters
>
> pf,ipf,ipfw
>
> is this right? ALTQ works with each?

ALTQ works with pf and can be used from ipfw, too.  You will need pf 
support regardless.  ipf does not support the ALTQ version available in 
FreeBSD at this time (afaik).  IPFW has dummynet, which can do traffic 
shaping, too.

> additionaly, I don't seem to have any /dev/ entries

kldload pf / ipf / ipfw ... or use the rc.d scripts.  e.g. "etc/rc.d/pf 
forcestart" later automate the process by flipping the right switches in 
rc.conf(5).  You can also build the firewalls into your kernel, see the 
handbook for details.  Note, that ALTQ can *not* be loaded as a module 
and requires a custom kernel instead.

> There are many tutorials, but It's impossible to know what is the
> current supported filter package, what works best with bridging and
> ALTQ and how to test them when there's bit's missing.

Feel free to write down your lessons learned and publish them ;)

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic