Very Computer

> Hi all,

> My problem is this one: I have a network, which has a relatively slow
> connection out to the world. And due to a lots of ftp traffic, other
> services (like ssh, telnet, vnc..etc) are getting very slow because of high
> ping and packet loss. Therefore, I would like to set priority to packets at
> different ports (for the firewall to handle these packets prior to the other
> ones - like ftp). And this is it. How to create rule for this?
> I have tried sometning like this, but didn't work:

> ipfw pipe 10 config weight 1
> ipfw add pipe 10 udp from any to any 27960-27966

> I don't want to strictly restrict the bandwitch for ftp (to have full use of
> the line for ftp when not using the other services). And even if I'd decide
> to do so (rules for this work fine), I don't know, what ports to restrict
> ( 21 only doesn't work, cause a lot of users download from different ftp
> ports).

> Can anyone be helpful?
> Thanks a lot!

> --
> [:aRVi:]

> ICQ: 56909029

> > Hi all,

> > My problem is this one: I have a network, which has a relatively slow
> > connection out to the world. And due to a lots of ftp traffic, other
> > services (like ssh, telnet, vnc..etc) are getting very slow because of
high
> > ping and packet loss. Therefore, I would like to set priority to packets
at
> > different ports (for the firewall to handle these packets prior to the
other
> > ones - like ftp). And this is it. How to create rule for this?
> > I have tried sometning like this, but didn't work:

> > ipfw pipe 10 config weight 1
> > ipfw add pipe 10 udp from any to any 27960-27966

> > I don't want to strictly restrict the bandwitch for ftp (to have full
use of
> > the line for ftp when not using the other services). And even if I'd
decide
> > to do so (rules for this work fine), I don't know, what ports to
restrict
> > ( 21 only doesn't work, cause a lot of users download from different ftp
> > ports).

> > Can anyone be helpful?
> > Thanks a lot!

> > --
> > [:aRVi:]

> > ICQ: 56909029
> Hey man,
> some poor boy was asking the very same thing a few threads below and
> didn't get any answer :o(. Probably nobody know... Try to look for a
> contact to some of that guys who lectured on Openweekend, which we
> unfortunately missed. Especially Michal Kutnohorsky (freebsd.cz).
> Have a nice day,
> your admin :o)
> V.

> My problem is this one: I have a network, which has a relatively slow
> connection out to the world. And due to a lots of ftp traffic, other
> services (like ssh, telnet, vnc..etc) are getting very slow because of
high
> ping and packet loss. Therefore, I would like to set priority to packets
at
> different ports (for the firewall to handle these packets prior to the
other
> ones - like ftp). And this is it. How to create rule for this?
> I have tried sometning like this, but didn't work:

> ipfw pipe 10 config weight 1
> ipfw add pipe 10 udp from any to any 27960-27966

> I don't want to strictly restrict the bandwitch for ftp (to have full use
of
> the line for ftp when not using the other services). And even if I'd
decide
> to do so (rules for this work fine), I don't know, what ports to restrict
> ( 21 only doesn't work, cause a lot of users download from different ftp
> ports).

> Can anyone be helpful?
> Thanks a lot!

> --
> [:aRVi:]

> ICQ: 56909029

> 1. If you are using pipes, and you need them reinjected into the rules
after
> applying the pipe (recall that with IPFW as soon as it finds a pipe, it
> applies the pipe then skips the rest of the rules) you need to set the
> following sysctl variable (from the man page for IPFW)

> net.inet.ip.fw.one_pass: 1
>      When set, the packet exiting from the dummynet(4) pipe is not
>      passed though the firewall again. Otherwise, after a pipe
>      action, the packet is reinjected into the firewall at the next
>      rule.

> Therefore to set it up you will need something like this in your ruleset :
> (taken from my ruleset)

> #Stuff that needs to be matched before NATD (ie matching via source IP)
> add pipe 1 ip from 10.0.0.3 to any out xmit ed1

> #NATD GOES HERE
> add divert natd all from any to any via ed1

> #Stuff that needs to be matched after NATD (ie destination computers etc)
> add pipe 2 ip from any to 10.0.0.3 in recv ed1

> #Bandwidth pipe configuration stuff.
> pipe 1 config bw 64Kbit/s queue 10Kbytes
> pipe 2 config bw 64Kbit/s queue 10Kbytes

> I would imagine that for a 'per port' bandwidth limit, you'd just do
> something like :

> add pipe X tcp from any to any 21 in recv ed1
> add allow tcp from any to any 21 in recv ed1

> And this would put all that stuff through the pipe. Note you would
probably
> want to put this before the rule allowing that packet through as shown.
Note
> i have no idea if this will work - this is just my interpretation of what
> you want to do, and I don't have the time to test this out :)

> HTH

> > Hi all,

> > My problem is this one: I have a network, which has a relatively slow
> > connection out to the world. And due to a lots of ftp traffic, other
> > services (like ssh, telnet, vnc..etc) are getting very slow because of
> high
> > ping and packet loss. Therefore, I would like to set priority to packets
> at
> > different ports (for the firewall to handle these packets prior to the
> other
> > ones - like ftp). And this is it. How to create rule for this?
> > I have tried sometning like this, but didn't work:

> > ipfw pipe 10 config weight 1
> > ipfw add pipe 10 udp from any to any 27960-27966

> > I don't want to strictly restrict the bandwitch for ftp (to have full
use
> of
> > the line for ftp when not using the other services). And even if I'd
> decide
> > to do so (rules for this work fine), I don't know, what ports to
restrict
> > ( 21 only doesn't work, cause a lot of users download from different ftp
> > ports).

> > Can anyone be helpful?
> > Thanks a lot!

> > --
> > [:aRVi:]

> > ICQ: 56909029