On Wednesday 13 September 2006 06:25, Odhiambo Washington wrote:
> * On 12/09/06 22:13 +0100, RW wrote:
> | On Tuesday 12 September 2006 20:49, Odhiambo Washington wrote:
> | > Hello Security guy ;)
> | >
> | > I have tried very hard to understand ipfw just for the purpose of
> | > bandwidth throttling for smtp service.
> | >
> | > Basically, I want to throttle the bandwidth used by my SMTP
> | > server outbound to _anyone_ else except my ip blocks.
> | >
> | > My Server is 1.2.3.4 and my ip blocks are a.b.c.d/19 and
> | > e.f.g.h/20
> | >
> | >
> | > Are the following rules sane enough?
> | >
> | >         ipfw pipe 1 config bw 256Kbit/s
> | >         ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.d/19 25
> | >         ipfw add pipe 1 tcp from 1.2.3.4 to not e.f.g.h/20 25
> |
> | This queues all outgoing smtp to the pipe.
> |
> | You also need to set net.inet.ip.fw.one_pass=1 to avoid the packets
> | re-entering the rules on the next line.  Setting that means that the
> | packets cannot pass through dynamic rules. It is possible to use dynamic
> | rules with dummynet, but it's a pain.
>
> Thank you so much for clarifying that. What I wanted to be clarified is
> if it is true that "smtp traffic to a.b.c.d/19 and e.f.g.h/20" is NOT
> being put through this pipe..

The logic you have is:

    (NOT in range a.b.c.d/19) OR (NOT in range e.f.g.h/20)

what you want is:

    NOT ( in range a.b.c.d/19 OR in range e.f.g.h/20 )

I'm a bit rusty with IPFW, but you can probably specify multiple address
blocks in one statement - have a look at the man page.
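The boolean mistake above, worked through as an added example (not code from the thread): a small model of ipfw's first-match evaluation, run against the two posted rules and against a single rule that negates both blocks together. The /19 and /20 prefixes are constructed stand-ins for a.b.c.d/19 and e.f.g.h/20, and net.inet.ip.fw.one_pass=1 is assumed so a piped packet does not re-enter the ruleset.

```python
"""Model ipfw rule matching to show why one 'not' per rule does not
exclude both address blocks.  Added example, not from the original thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's placeholders a.b.c.d/19 and e.f.g.h/20.
SERVER = ip_address("1.2.3.4")
OWN_BLOCKS = [ip_network("10.10.0.0/19"), ip_network("10.20.0.0/20")]


@dataclass
class Rule:
    """One 'ipfw add pipe 1 tcp from SRC to [not] DSTS 25' rule."""
    dst_nets: list
    dst_negated: bool = False
    src: object = SERVER
    dport: int = 25

    def matches(self, src, dst, dport):
        if src != self.src or dport != self.dport:
            return False
        in_dst = any(dst in net for net in self.dst_nets)
        return in_dst != self.dst_negated   # XOR applies the 'not'


def piped(rules, dst, src=SERVER, dport=25):
    """True if any rule sends the packet to the pipe.  First match wins and
    one_pass=1 is assumed, so the packet is not re-evaluated afterwards."""
    dst = ip_address(dst)
    return any(r.matches(src, dst, dport) for r in rules)


# As posted: one 'not' per rule.  A destination inside block A is outside
# block B, so the second rule still sends it to the pipe (and vice versa).
ORIGINAL = [Rule([OWN_BLOCKS[0]], dst_negated=True),
            Rule([OWN_BLOCKS[1]], dst_negated=True)]

# Intended: NOT (in A OR in B), i.e. one rule negating an address list,
# which ipfw writes as 'to not 10.10.0.0/19,10.20.0.0/20'.
CORRECTED = [Rule(OWN_BLOCKS, dst_negated=True)]


def compare(dst):
    """Return (piped under ORIGINAL, piped under CORRECTED) for a destination."""
    return piped(ORIGINAL, dst), piped(CORRECTED, dst)


if __name__ == "__main__":
    for d in ("10.10.5.1", "10.20.1.1", "198.51.100.7"):
        print(d, compare(d))   # own blocks: (True, False); outside: (True, True)
```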
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"