# incorrect operation dummynet? or my hands are crooked?



## bahan (Mar 9, 2010)

Hello everybody. Sorry for my bad English. Please'll show how you can limit the speed not only on ip but also on the port (eg, 80, 8080, 6000, etc.)? I use  FreeBSD 6.4 i386. In kernel ipfw is default to deny. Previously there were no these lines

```
${FwCMD} add pipe 10 src-port 80-29000
${FwCMD} add pipe 15 dst-port 80-29000
${FwCMD} add pipe 20 src-port 80-29000
${FwCMD} add pipe 25 dst-port 80-29000
${FwCMD} add pipe 30 src-port 80-29000
${FwCMD} add pipe 35 dst-port 80-29000
${FwCMD} add pipe 40 src-port 80-29000
${FwCMD} add pipe 45 dst-port 80-29000
${FwCMD} add pipe 50 src-port 80-29000
${FwCMD} add pipe 55 dst-port 80-29000
${FwCMD} add pipe 70 src-port 80-29000
${FwCMD} add pipe 75 dst-port 80-29000
```
But the speed is not limited for the P2P traffic and game traffc. Speed is only limited for WEB traffic. When I added this lines, speed limited for all trafic, but after a while the speed on all pipe falls, but in this time the internet channel is empty. DDOS attacks where no.
Below is my config of ipfw.

```
#!/bin/sh

FwCMD="/sbin/ipfw -q"

LanOut="em0"
NetOut="xxx.xxx.xxx.xxx"
IpOut="xxx.xxx.xxx.xxx"

LanIn="em1"
NetIn="10.0.0.0/8"


${FwCMD} -f flush
${FwCMD} -f pipe flush
${FwCMD} -f queue flush

${FwCMD} add check-state

#pipe
${FwCMD} add 100 allow ip from any to any via lo0
${FwCMD} add 101 deny ip from any to 127.0.0.1/8
${FwCMD} add 102 deny ip from 127.0.0.1/8 to any
${FwCMD} add 103 deny ip from table\(40\) to any
${FwCMD} add 104 deny ip from any to table\(40\)
${FwCMD} add 105 deny tcp from table\(40\) to any
${FwCMD} add 106 deny tcp from any to table\(40\)
${FwCMD} add 107 deny udp from table\(40\) to any
${FwCMD} add 108 deny udp from any to table\(40\)
${FwCMD} add 110 deny all from 10.0.0.0/8 to any in via em0
${FwCMD} add 111 divert natd all from any to any via em0
${FwCMD} add 112 deny log ip from any to me 3306
${FwCMD} add 113 deny log tcp from any to me 3306
${FwCMD} add 114 deny log udp from any to me 3306
${FwCMD} add 200 tee 7223 ip from any to any via em0
${FwCMD} add 201 reject tcp from any to any tcpflags fin, syn, rst, psh, ack, urg
${FwCMD} add 202 reject tcp from any to any tcpflags !fin, !syn, !rst, !psh, !ack, !urg
${FwCMD} add 203 reject log tcp from any to any not established tcpflags fin
${FwCMD} add 204 deny log ip from any to any not verrevpath in

#${FwCMD} pipe 70 config mask src-ip 0xffffffff bw 2048000bit/s
#${FwCMD} pipe 75 config mask dst-ip 0xffffffff bw 2048000bit/s
#${FwCMD} add pipe 70 all from table\(30\) to any in
#${FwCMD} add pipe 75 all from any to table\(30\) out
#${FwCMD} add allow all from table\(30\) to any
#${FwCMD} add allow all from any to table\(30\)

#${FwCMD} add 449 deny all from any 139 to me in via em0

${FwCMD} add 450 allow ip from me to 10.0.0.0/8
${FwCMD} add 550 allow ip from 10.0.0.0/8 to me
#########################################################################################################################################
#DNS
${FwCMD} add 560 allow udp from any 53, 123 to any
${FwCMD} add 570 allow udp from any to any 53, 123


${FwCMD} add 650 allow icmp from any to any
${FwCMD} add 710 allow icmp from any to any

#${FwCMD} add 650 allow tcp from any 3928, 19001, 19093 to any
#${FwCMD} add 651 allow tcp from any to any 3928, 19001, 19093
#${FwCMD} add 652 allow udp from any 3928, 2900 to any
#${FwCMD} add 653 allow udp from any to any 3928
#${FwCMD} add 654 allow udp from any 5023 to any
#${FwCMD} add 655 allow tcp from any 5023 to any
#${FwCMD} add 656 allow udp from any to any 5023
#${FwCMD} add 656 allow tcp from any to any 5023
#All protocols

${FwCMD} add 750 allow tcp from any to me in via em0
${FwCMD} add 810 allow tcp from me to any out via em0
${FwCMD} add 3026 pass all from any 3908 to any

########################################################################
#64Kbit/s
${FwCMD} pipe 10 config mask src-ip 0xffffffff bw 64Kbit/s queue 10Kbytes
${FwCMD} pipe 15 config mask dst-ip 0xffffffff bw 64Kbit/s queue 10Kbytes
${FwCMD} add pipe 10 all from table\(10\) to any in
${FwCMD} add pipe 15 all from any to table\(10\) out
${FwCMD} add allow tcp from table\(10\) to any
${FwCMD} add allow tcp from any to table\(10\)
${FwCMD} add allow udp from table\(10\) to any
${FwCMD} add allow udp from any to table\(10\)

#128Kbit/s
${FwCMD} pipe 20 config mask src-ip 0xffffffff bw 128Kbit/s queue 20Kbytes
${FwCMD} pipe 25 config mask dst-ip 0xffffffff bw 128Kbit/s queue 20Kbytes
${FwCMD} add pipe 20 all from table\(12\) to any in
${FwCMD} add pipe 25 all from any to table\(12\) out
${FwCMD} add allow tcp from table\(12\) to any
${FwCMD} add allow tcp from any to table\(12\)
${FwCMD} add allow udp from table\(12\) to any
${FwCMD} add allow udp from any to table\(12\)

#256Kbit/s
${FwCMD} pipe 30 config mask src-ip 0xffffffff bw 256Kbit/s queue 20Kbytes
${FwCMD} pipe 35 config mask dst-ip 0xffffffff bw 256Kbit/s queue 20Kbytes
${FwCMD} add pipe 30 all from table\(14\) to any in
${FwCMD} add pipe 35 all from any to table\(14\) out
${FwCMD} add allow tcp from table\(14\) to any
${FwCMD} add allow tcp from any to table\(14\)
${FwCMD} add allow udp from table\(14\) to any
${FwCMD} add allow udp from any to table\(14\)

#512Kbit/s
${FwCMD} pipe 40 config mask src-ip 0xffffffff bw 512Kbit/s queue 20Kbytes
${FwCMD} pipe 45 config mask dst-ip 0xffffffff bw 512Kbit/s queue 20Kbytes
${FwCMD} add pipe 40 all from table\(16\) to any in
${FwCMD} add pipe 45 all from any to table\(16\) out
${FwCMD} add allow tcp from table\(16\) to any
${FwCMD} add allow tcp from any to table\(16\)
${FwCMD} add allow udp from table\(16\) to any
${FwCMD} add allow udp from any to table\(16\)

#1024Kbit/s
${FwCMD} pipe 50 config mask src-ip 0xffffffff bw 1024Kbit/s queue 20Kbytes
${FwCMD} pipe 55 config mask dst-ip 0xffffffff bw 1024Kbit/s queue 20Kbytes
${FwCMD} add pipe 50 all from table\(18\) to any in
${FwCMD} add pipe 55 all from any to table\(18\) out
${FwCMD} add allow tcp from table\(18\) to any
${FwCMD} add allow tcp from any to table\(18\)
${FwCMD} add allow udp from table\(18\) to any
${FwCMD} add allow udp from any to table\(18\)

#2048Kbit/s
${FwCMD} pipe 70 config mask src-ip 0xffffffff bw 2Mbit/s queue 20Kbytes
${FwCMD} pipe 75 config mask dst-ip 0xffffffff bw 2Mbit/s queue 20Kbytes
${FwCMD} add pipe 70 all from table\(25\) to any in
${FwCMD} add pipe 75 all from any to table\(25\) out
${FwCMD} add allow tcp from table\(25\) to any
${FwCMD} add allow tcp from any to table\(25\)
${FwCMD} add allow udp from table\(25\) to any
${FwCMD} add allow udp from any to table\(25\)

########################################################################
${FwCMD} add pipe 10 src-port 80-29000
${FwCMD} add pipe 15 dst-port 80-29000
${FwCMD} add pipe 20 src-port 80-29000
${FwCMD} add pipe 25 dst-port 80-29000
${FwCMD} add pipe 30 src-port 80-29000
${FwCMD} add pipe 35 dst-port 80-29000
${FwCMD} add pipe 40 src-port 80-29000
${FwCMD} add pipe 45 dst-port 80-29000
${FwCMD} add pipe 50 src-port 80-29000
${FwCMD} add pipe 55 dst-port 80-29000
${FwCMD} add pipe 70 src-port 80-29000
${FwCMD} add pipe 75 dst-port 80-29000
########################################################################
${FwCMD} add 7920 pass udp from any 80-29999 to any
${FwCMD} add 7921 pass udp from any to any 80-29999
${FwCMD} add 7922 pass tcp from any 80-29999 to any
${FwCMD} add 7923 pass tcp from any to any 80-29999
########################################################################
${FwCMD} add 7924 pass tcp from any to me 22 in via em1
${FwCMD} add 7925 pass tcp from me 22 to any out via em1
${FwCMD} add deny all from any to any via em0
${FwCMD} add deny log ip from any to any
```

Please say, what is wrong? And maybe I did not correctly write the rules?


----------

