Tamar Lea wrote:
Hello all,
I have inherited the job of maintaining a FreeBSD firewall that sits behind
an ADSL line that connects 128 clients to the internet. I have not used
FreeBSD before but have some linux experience. The connections must be
always on though I am allowed to reboot if absolutely necessary. It is using
ipfilter and ipnat. There have been issues with clients taking up too much
bandwidth, so after several hours of careful testing I managed to redirect
all traffic on port 80 to a squid service using ipnat. This uses delay pools
to limit the max speed per user. However I would also like to limit the max
speed per user for streaming traffic on port 1935. Would this be possible
with the current setup and what programs or config would be able to do the
Hmmm... out of the three possible choices for firewall implementations under
FreeBSD you have ended up with probably the least capable one. ipfilter's
unique selling point is that it is available on a large number of different
systems. In this case I don't think that really counts for much.
The other two alternatives -- together with their associated QoS / traffic
shaping technologies are:
ipfw + dummynet
This is a FreeBSD specific firewall implementation. It's a first
match wins type ruleset which provides all the usual functionality:
NAT, stateful filtering etc. It can be a bit tricky to manage on
a live system as remote updates to the ruleset have an unfortunate
tendency to lock you out of the system.
pf + altq
This is the new and shiny firewall system ported from OpenBSD.
It's a last match wins type ruleset, modified by 'quick' (immediately
applied) rules (similar to ipf), so more flexible than ipfw. The
configuration file is also a lot more readable than ipfw IMHO. You will
need to build a custom kernel to make use of ALTQ functionality as for
some reason that cannot be provided by a loadable kernel module like the
rest of pf(4). This would be my personal preference for solving the
problem you describe.
Either of these two should serve you well and allow you to do the required
traffic shaping. Note: while it is technically possible to run more than
one of the three firewall packages at once; that way madness lies, particularly
for fledgeling administrators. It might be worth it for a short time if you
really, absolutely, no alternative, have to do a zero-downtime cut-over, but
the risks of something going wrong are significant. A quick restart with new
software is hardly any more intrusive and a lot safer.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
signature.asc
Description: OpenPGP digital signature
