
Network Configuration—Firewalls

Keyword       Description
log           Enables syslog logging for the NAT instance.
deny_in       Denies all incoming connections.
same_port     Does not translate port numbers, but keeps the same port number on the alias IP address.
unreg_only    Performs translation only on RFC 1719 (unregistered) addresses.
reset         Resets the NAT translation table when the IP address on the interface changes.
reverse       Reverses NAT (swaps inside and outside).
proxy_only    Does not actually translate packets. It is used for transparent proxying.

Traffic Shaping

Basically, IPFW supports traffic shaping with dummynet(4) pipes and queues, using the WF2Q+ algorithm. In fact, IPFW is the user interface to the dummynet(4) traffic shaper framework. In order to shape (or limit) a traffic flow, the flow is passed through two objects: a pipe and a queue.

A pipe is basically a virtual path that emulates a connection with a specified bandwidth, propagation delay, and packet loss pattern. A queue, on the other hand, is a buffer object that enforces the WF2Q+ queuing strategy on the traffic.

Using IPFW's traffic shaping facilities, you can define pipes with a specific bandwidth, packet-loss rate, and propagation delay, and assign a queue of a specific size to the pipe. For example, here we create two pipes, each with different behavior:

    pipe 1 config bw 512kbps delay 10 plr 0.01
    pipe 2 config bw 256kbps delay 10

This configures the first pipe to limit matching traffic to 512kbps with 10 ms propagation delay and one percent packet loss. It configures the second pipe to limit matching traffic to 256kbps with 10 ms propagation delay and no packet loss.

Pipes are ineffective unless they are assigned to policies. So here we assign them to traffic-matching rules:

    add pipe 1 ip from any to any in via xl0
    add pipe 2 ip from any to any out via xl0

This assigns rules to pipes. The first rule sends all incoming IP traffic on interface xl0 through pipe 1, and the second rule sends all outgoing IP traffic on interface xl0 through pipe 2.
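As an added example (not code from the book), the following Python model parses the pipe and rule lines above, converts bandwidth using ipfw(8)'s unit convention (K/M scaling, a Byte unit multiplied by 8; this mirroring of ipfw's parser is an assumption), and computes the one-way latency a packet of a given size sees on each pipe. The ruleset string is constructed from the two pipes and two rules shown above.

```python
import re
from dataclasses import dataclass

# Constructed ruleset: the two pipes and two rules from the text above.
RULESET = """
pipe 1 config bw 512kbps delay 10 plr 0.01
pipe 2 config bw 256kbps delay 10
add pipe 1 ip from any to any in via xl0
add pipe 2 ip from any to any out via xl0
"""

@dataclass
class Pipe:
    bw_bps: int      # bandwidth in bit/s (0 means unlimited)
    delay_ms: int    # propagation delay in milliseconds
    plr: float       # packet loss rate, 0.0 .. 1.0

def parse_bandwidth(text):
    """number[K|M]{bit/s|Byte/s}: K/M scale by 1000/1e6; 'B'/'by' units are bytes (x8)."""
    m = re.fullmatch(r"(\d+)([KkMm]?)(.*)", text)
    if not m:
        raise ValueError(f"bad bandwidth: {text}")
    bw = int(m.group(1)) * {"": 1, "k": 1000, "m": 10**6}[m.group(2).lower()]
    unit = m.group(3)
    if unit.startswith("by") or (unit.startswith("B") and not unit.startswith("Bi")):
        bw *= 8  # Byte/s given, dummynet works in bit/s
    return bw

def parse_ruleset(text):
    """Return ({pipe_no: Pipe}, [(direction, iface, pipe_no)]) for the lines modelled here."""
    pipes, rules = {}, []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["pipe"] and tok[2] == "config":
            opts = dict(zip(tok[3::2], tok[4::2]))  # key value pairs after 'config'
            pipes[int(tok[1])] = Pipe(parse_bandwidth(opts.get("bw", "0")),
                                      int(opts.get("delay", "0")), float(opts.get("plr", "0")))
        elif tok[:2] == ["add", "pipe"]:
            direction = "in" if "in" in tok else "out" if "out" in tok else "any"
            iface = tok[tok.index("via") + 1] if "via" in tok else "any"
            rules.append((direction, iface, int(tok[2])))
    return pipes, rules

def match_pipe(rules, direction, iface):
    """First-match lookup: the pipe a packet of this direction/interface is sent through."""
    for rdir, riface, pipe_no in rules:
        if rdir in ("any", direction) and riface in ("any", iface):
            return pipe_no
    return None

def one_way_ms(pipe, size_bytes):
    """Serialization time at the pipe bandwidth plus the configured propagation delay."""
    serial = size_bytes * 8 / pipe.bw_bps * 1000 if pipe.bw_bps else 0.0
    return serial + pipe.delay_ms

PIPES, RULES = parse_ruleset(RULESET)
```

A 1500-byte packet entering xl0 is matched to pipe 1 and spends about 23.4 ms being serialized at 512 kbit/s plus the 10 ms delay, and one in a hundred such packets is dropped.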
