On Wed, 20 Sep 2006 14:20:19 +0300
Nikos Vassiliadis <[EMAIL PROTECTED]> wrote:

> On Tuesday 19 September 2006 18:24, Norberto Meijome wrote:
> > hi there :)
> > I was planning to migrate a 4.11 firewall using a combo of ipf/ipnat and
> > ipfw pipe/dummynets to pf + ALTQ.
> pf/ipf/ipfw & dummynet/ALTQ are available since 5.3-R if I recall correctly.

Yes, of course - sorry, I meant to say 'I have a 4.11 which will be upgrading
to 6.2' :) thanks for making me right.

> > One thing I haven't figured out how to do with pf is the plr option to the
> > dummynet configuration - we use it to simulate modem connections or just
> > simply bad links.
> pf.conf manual(6.1-STABLE)
>      probability <number>
>            A probability attribute can be attached to a rule, with a value set
>            between 0 and 1, bounds not included.  In that case, the rule will
>            be honoured using the given probability value only.  For example,
>            the following rule will drop 20% of incoming ICMP packets:
>                  block in proto icmp probability 20%

thanks :) I didn't realise it could be done this way :)

> > Also, is it definitely possible to simulate the 'delay' option of dummynet
> > with pf+ALTQ ?
> No, ALTQ cannot delay packets, you have to use dummynet for this.

gotcha, so I may end up using 2 firewalls anyway... :-) I think I may go with
ipfw and dummynet to keep it to one set.... I'll have to read on some
comparisons before making up my mind...

The alternative would be to use netgraph to add this delay... not sure if there
is a ng_delay node ...

thanks for your help,
{Beto|Norberto|Numard} Meijome

Q. How do you make God laugh?
A. Tell him your plans.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
freebsd-questions@freebsd.org mailing list