download

Chapter 12The pipe configuration can be verified later using the ipfw pipe show command:# ipfw pipe show00001: 512.000 Kbit/s 10 ms 50 sl.plr 0.010000 0 queues (1 buckets)droptail00002: 256.000 Kbit/s = 10 ms 50 sl. 0 queues (1 buckets) droptailPossible configuration parameters for pipes are listed in the following table:ParameterbwdelayplrqueueDescriptionIndicates bandwidth limit in kbps, mbps, or their equivalents, to givennetwork device name.Indicates propagation delay in milliseconds.(Packet Loss Rate) A floating-point number between 0 and 1 that causespackets to be randomly dropped, simulating an unstable network link.Specifies the size of each pipe's queue. A queue holds packets beforeforwarding them. If a queue has no space left for more packets, it startsdropping packets.Packet Filtering with PFCompared to IPFW, that has been in FreeBSD for a long time, PF is a newcomer.It was imported from the OpenBSD project, in 2003 as a third-party software andfound its way to the base system in 2004. Since then, PF has been a very popular anda powerful firewall package that many FreeBSD users prefer to use.PF is not statically linked to the GENERIC kernel, and should be enabled eitherby loading the kernel module dynamically, or by statically linking it into acustomized kernel.In order to create a new kernel with PF support, you should add at least one line toyour kernel configuration file, recompile it, and install the new kernel:devicepfYou should then enable PF in the rc.conf file by adding the following line:pf_enable-="YES"PF kernel module will be automatically loaded if it is not staticallycompiled into the kernel. You can choose to use either the in-kernel or thedynamic module.By default, PF reads its configuration from the /etc/pf.conf file. So make sure thatthe file exists before you can make PF start automatically on system startup.[ 193 ]