[altq 205] Re: ALTQ and IPFILTER
"aLan @ FIL.NET" wrote:
>
> I am just now learning about ALTQ and IPFILTER (and
> FreeBSD 3.3!).
>
> I'm on an island in the Philippines, and I need a
> simple firewall against outside attacks and inside
> redirection of port 80 to a transparent proxy - IPFILTER?
>
> I also need a way to control the bandwidth. I have a
> 128Kbps on a microwave station to another island. I want to
> divide it into 2K chunks, but dummynet limits the max.
> bandwidth.
Hmmm... 2k is not a lot of bandwidth... AltQ is good, but it's probably going
to have a hard time chopping the traffic into 2k blocks; remember, if your MTU
is 1500 (standard for Ethernet), a single packet is going to use nearly all
the quota for that queue/pipe, but you don't know until you try...
> Can I put both of these (IPFILTER AND ALTQ) in one box with
> two nics between my router and the hub?
re: Dual NICs, this is the config we run on our FBSD box. It has one NIC
connected via cross-over cable to our trusty Cisco router, and the other goes
off to a hub...
re: IPFILTER - Not too sure, we run ipfw on our box - I think for the most
part, AltQ is pretty 'transparent'... I seem to remember we had AltQ + Transproxy
on a box here for a while with no ill effect...
> Can you give me a shove in the right direction on how to
> configure ALTQ? i.e. What (where) are the most basic docs I
> need to read for what I want to do?
There are lots of documents, sample configs etc. in with the source...
> Has anyone written a FreeBSD port for this to make it a bit
> easier for us who are new?
It's not hard to install at the moment! :-) - Unzip the sources, follow the
instructions in INSTALL, and away you go...
I seem to remember suggesting a while ago to the FreeBSD lists a port that
would change kernel source, and it got (rather understandably) a unanimous
thumbs down :)
> If I can't put IPFILTER and ALTQ in one box, can I put them
> in two in series. If yes, which should I put closer to the
> router? Or is there a better way to do what I want to do?
I can't see too much of a problem with one box (but I've not done it). If you're
using 2 boxes, AltQ should go as near to the bottleneck (router) as
possible...
> PS will the fact that all port 80 requests are redirected to
> the proxy make a difference - I want them to have free
> access to the proxy, but limit the proxy to 2K per chunk
> (some IP addresses will get 1, 2, 3, or 4 chunks - 2, 4, 6, or 8
> Kbps). The 2K is the minimum to the outside.
Should be OK... You'll need to carefully create your filter rules, but it's
certainly doable... A similar set-up we had here (with AltQ, Squid and IPFW)
lets local users have 10Mbit to the proxy, but limits external traffic (with
another AltQ rule limiting the rate at which the proxy could fetch pages).
Hope the above helps, or at least points in the right direction :)
-Karl
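As an added planning example (not from this thread, and not the ALTQ project's own code): a small Python helper that turns the 2 Kbps-chunk allocation discussed above into CBQ class lines for the router-facing NIC and works out Karl's MTU caveat. The interface name, the host addresses and the exact altq.conf keyword/field syntax are assumptions.

```python
LINK_BPS = 128_000   # the 128 Kbps microwave link from the post
CHUNK_BPS = 2_000    # the 2 Kbps "chunk" unit from the post
MTU_BYTES = 1500     # Ethernet MTU, the figure Karl's caveat rests on
IFACE = "fxp0"       # assumed name of the router-facing (bottleneck) NIC

# Constructed sample allocation (hypothetical inside addresses): host -> chunks
ALLOCATION = {"192.0.2.10": 1, "192.0.2.11": 2, "192.0.2.12": 4}

def chunk_rate_bps(chunks):
    """Rate of a class holding `chunks` chunks (1 chunk = 2 Kbps)."""
    return chunks * CHUNK_BPS

def serialization_delay_s(rate_bps, packet_bytes=MTU_BYTES):
    """Seconds one packet occupies a class of rate_bps: at 2 Kbps a 1500-byte
    packet takes 6 s, so such a class delivers one full-size packet every
    few seconds rather than a smooth 2 Kbps (Karl's caveat)."""
    return packet_bytes * 8 / rate_bps

def check_allocation(alloc):
    """Total committed rate; rejects a plan that oversubscribes the link."""
    total = sum(chunk_rate_bps(c) for c in alloc.values())
    if total > LINK_BPS:
        raise ValueError(f"{total} bps allocated on a {LINK_BPS} bps link")
    return total

def cbq_config(alloc, iface=IFACE):
    """Emit altq.conf-style CBQ lines: a root, a small default class and one
    exact-rate class per host. Assumed syntax (from the CBQ samples shipped
    with the ALTQ source, as recalled; check against them): filter fields are
    <dst_addr> <dst_port> <src_addr> <src_port> <proto>, 0 = wildcard.
    ALTQ shapes outbound traffic, so on the router-facing NIC each inside
    host is matched as the source address."""
    check_allocation(alloc)
    lines = [
        f"interface {iface} bandwidth {LINK_BPS // 1000}K cbq",
        f"class cbq {iface} root_class NULL pbandwidth 100",
        f"class cbq {iface} def_class root_class borrow pbandwidth 5 default",
    ]
    for n, (host, chunks) in enumerate(sorted(alloc.items()), start=1):
        name = f"host{n}_class"
        lines.append(f"class cbq {iface} {name} root_class "
                     f"exactbandwidth {chunk_rate_bps(chunks)}")
        lines.append(f"filter {iface} {name} 0 0 {host} 0 0")
    return lines

if __name__ == "__main__":
    print("\n".join(cbq_config(ALLOCATION)))
    print(f"# a 2 Kbps class: {serialization_delay_s(CHUNK_BPS):.0f} s per MTU packet")
```

Free access to the proxy, as in Karl's set-up, is then a matter of not classifying inside-interface traffic to the proxy at all, and giving the proxy's own outbound fetches their own class on the router-facing NIC.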