Old 13th August 2008
phoenix
Risen from the ashes
 
Join Date: May 2008
Posts: 696

"in" and "out" refer to whether the packet is entering an interface (coming from outside the box, receiving) or leaving the interface (sending).

All packets that go through a router/firewall will come "in" on one interface, and go "out" on another.

All packets that originate on the firewall and are being sent to another system will go "out" an interface.

All packets destined for the firewall (originated on another system) will go "in" an interface.

Thus, all your rules should specify which direction the traffic is going, and which interface it is using.

If you want to bandwidth limit traffic going through the firewall, the rules would be similar to (where nfe0 is the external, public facing interface):
Code:
# dummynet pipes: 15 shapes traffic towards the host, 16 shapes traffic from it
${fwcmd} pipe 15 config bw 256Kbit/s
${fwcmd} pipe 16 config bw 85Kbit/s
# inbound: packets received on nfe0, destined for 192.168.2.10
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 in recv nfe0
# outbound: packets from 192.168.2.10 transmitted out of nfe0
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any out xmit nfe0
You should only bandwidth limit on the external, public interface. That way, the firewall can queue up packets in RAM before sending. If you limit on the internal, private interface, strange things can happen (especially since you say you don't want to limit traffic to/from the firewall itself).

Does that clear things up a bit?
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
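As an added example (not part of the original post or of ipfw itself), the following Python script audits a set of ipfw dummynet rules against the three points made above: every pipe rule must state a direction, must name an interface, and should only shape on the external interface. It parses a constructed rule set that contains the post's rules plus two deliberately flawed ones (rule 517 lacks direction and interface; rule 518 shapes on em0, assumed here to be the internal interface). The regular expressions, the rule numbers 517/518 and the interface em0 are assumptions for the example; the bandwidth unit multipliers follow ipfw's decimal (1000-based) convention as I understand it.

```python
import re

# Constructed sample rule set: the post's rules plus two flawed ones (517, 518)
SAMPLE_RULES = """\
${fwcmd} pipe 15 config bw 256Kbit/s
${fwcmd} pipe 16 config bw 85Kbit/s
${fwcmd} add 515 pipe 15 all from any to 192.168.2.10 in recv nfe0
${fwcmd} add 516 pipe 16 all from 192.168.2.10 to any out xmit nfe0
${fwcmd} add 517 pipe 15 all from any to 192.168.2.11
${fwcmd} add 518 pipe 16 all from 192.168.2.11 to any out xmit em0
"""

PIPE_RE = re.compile(r'^\S+\s+pipe\s+(?P<pipe>\d+)\s+config\s+bw\s+(?P<bw>\S+)')
RULE_RE = re.compile(r'^\S+\s+add\s+(?P<num>\d+)\s+pipe\s+(?P<pipe>\d+)\s+(?P<body>.*)$')
DIR_RE = re.compile(r'\b(in|out)\b')
IFACE_RE = re.compile(r'\b(recv|xmit|via)\s+(\S+)')

# Assumed decimal multipliers, as ipfw's dummynet parses them
BW_UNITS = {'bit/s': 1, 'Kbit/s': 1000, 'Mbit/s': 1000000,
            'Bytes/s': 8, 'KBytes/s': 8000, 'MBytes/s': 8000000}


def parse_bw(text):
    """Return the configured pipe bandwidth in bits per second."""
    m = re.match(r'^(\d+)(.*)$', text)
    if not m or m.group(2) not in BW_UNITS:
        raise ValueError('unrecognised bandwidth %r' % text)
    return int(m.group(1)) * BW_UNITS[m.group(2)]


def audit(rules_text, external_if):
    """Return (rule_number, message) findings for pipe rules that break the
    direction/interface conventions or shape on a non-external interface."""
    pipes = {}
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = PIPE_RE.match(line)
        if m:
            pipes[int(m['pipe'])] = parse_bw(m['bw'])
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a pipe rule; outside the scope of this audit
        num, pipe, body = int(m['num']), int(m['pipe']), m['body']
        if pipe not in pipes:
            findings.append((num, 'references unconfigured pipe %d' % pipe))
        direction = DIR_RE.search(body)
        iface = IFACE_RE.search(body)
        if not direction:
            findings.append((num, 'no direction (in/out)'))
        if not iface:
            findings.append((num, 'no interface (recv/xmit/via)'))
        elif iface.group(2) != external_if:
            findings.append((num, 'shapes on non-external interface %s' % iface.group(2)))
        if direction and iface:
            # "in" pairs with recv, "out" with xmit; "via" matches either side
            expected = {'in': 'recv', 'out': 'xmit'}[direction.group(1)]
            if iface.group(1) not in (expected, 'via'):
                findings.append((num, 'direction %s does not match %s'
                                 % (direction.group(1), iface.group(1))))
    return findings


if __name__ == '__main__':
    for num, msg in audit(SAMPLE_RULES, 'nfe0'):
        print('rule %d: %s' % (num, msg))
```

Running it against the sample flags rule 517 twice (no direction, no interface) and rule 518 once (shaping on em0 rather than nfe0); the post's own rules 515 and 516 pass cleanly.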