I'm just reading through documentation on the FreeBSD dummynet that m0n0wall
uses for its traffic shaper so I can get a better understanding of its use
(in general, and in m0n0wall in particular) and I have a few questions, some
of which have been asked before in the users list, and some of which I can't
find in my email archive here.
1. I have 4 pipes and 4 queues (one disabled) defined in the m0n0wall
Traffic Shaper in my test setup. The configuration, although silly (in
hindsight), works as intended and before I change it to something a lot more
sensible, I decided to have a look at the ipfw output from the settings as
$ ipfw list
50000 allow ip from 192.168.69.254 to any
50001 allow ip from any to 192.168.69.254
50002 queue 2 ip from 192.168.69.175 to any out via ng0
50003 queue 3 ip from any to 192.168.69.0/24 out via sis0
50004 queue 4 ip from 192.168.69.0/24 to any out via ng0
65535 allow ip from any to any
Now, with my current Traffic Shaper settings, this all corresponds,
except for the fact that there are none of my Pipes shown in the ipfw
listing, nor are any queues referring to the Pipes.
Can anyone explain these things? Do Pipes *only* show up in the "ipfw
pipes show" command?
2. Will there be an "Advanced" or similar option for the "mask" employed in
the future? The dummynet "mask" is a very powerful part of the whole
traffic shaping functionality, and this has been seriously limited in the
m0n0wall interface. I really like the "source" and "destination" settings -
they make it easy for applying simple masking - but they also limit the
masking functionality for those who'd like to make more use of the power
this feature offers. This could be achieved by adding another entry to the
"mask" dropdown, allowing "advanced" and having the user choose checkboxes
for the "mask" properties (i.e. proto, src-ip, dst-ip, src-port, dst-port),
and then enter the required values in text fields next to these checkboxes.
One idea, anyway.
3. The order of the tabs seems illogical to me. Rules generally apply to
queues that generally feed into pipes. The current tab order of Rules,
Pipes, Queues doesn't follow this logic - I think that last two tabs need to
4. Would there be any interest in a 4th tab - Advanced - where the
administrator can configure the more advanced functionality of dummynet?
There are a number of parameters that can be altered to tune dummynet
performance on your machine, such as sysctl net.inet.ip.fw.one_pass, but the
general user will probably be happy to leave these at their default values.
I'm sure that users of Soekris boxes and other systems with limited
resources would welcome these advanced additions. I'd sure like to be able
to process traffic not only by IP, but also by protocol after it is shaped
by IP. Would be really nice, that!
5. The ability to set the queue size on individual Pipes would be rather
handy for those people on slowish links. As the default is ideal for
Ethernet connections, and as few of us have a 10 Mbps or faster link to the
Internet, being able to manually change the queue size on all created Pipes
would be a rather nice feature. This would be especially useful for those
of us on slower ADSL links such as 512/128 kbps or 256/64 kbps.
6. Adding the "plr" field would be a great feature - it would enable all
users worldwide to feel like they are on the Telstra broadband network. A
similar effect could be achieved by randomly blocking all outbound traffic
to any:25/TCP and any:110/TCP. :)
7. Scheduled rules. For home users in particular, it would be really nice
to be able to have rules automatically enabled/disabled according to a given
schedule - for example, the SOHO PCs get more highly weighted during
business hours, and the home/game machines get more heavily weighted after
hours. This could be used for general firewall rules as well, not just
traffic shaping rules.
8. Aliases - is there any chance that these can be shown in a dropdown?
This would make it significantly easier, as the aliases are case sensitive,
and sometimes with a long list of aliases it can be hard to remember all the
aliases in the list. Of course, being able to also type into this box would
9. Aliases revisited. It would also be really nice to be able to configure
port ranges as an alias to enhance the list that m0n0wall provides by
default (ftp, ssh, telnet, smtp, dns, http, pop3, imap, https). This could
be done in a second tab, and would allow people to configure their own
aliases such as rdp (3189), 2k3rdp (4125), vnc (5900), pcanywhere (5631-5632),
and so on.
10. MAC filtering is possible in ipfw, but not implemented in m0n0wall.
This could also be an option that many users could find useful - especially
those who wish to shape a particular user that they don't have much other
control over, such as students and so on.
11. Enable/Disable - in the Traffic Shaper, Firewall and maybe even NAT
sections, it would be *really* nice to have the enable/disable checkbox on
the list, not on the individual "edit" pages. This would allow much easier
editing of these rules, and would quite probably make life much easier for
the "scheduled rules" people, especially if someone's writing code to make
Hilton Travis                     Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual        Phone: +61-(0)419-792-394
Quark Computers                   http://www.QuarkAV.com/
(Brisbane, Australia)             http://www.QuarkAV.net/
Open Source Projects:             http://www.ares-desktop.org/
Non Linear Video Editing Solutions & Digital Audio Workstations Network
Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording
War doesn't determine who is right. War determines who is left.
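As an added illustration of the dummynet "mask" behaviour raised in point 2 above (this is example code written for this page, not code from the original message nor from m0n0wall or dummynet): the mask is ANDed with each field of a packet's 5-tuple to form a flow key, and every distinct key gets its own dynamic queue with its own share of the parent pipe. The packets and the mask keyword spelling used here are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample packets: (proto, src_ip, dst_ip, src_port, dst_port, bytes)
PACKETS = [
    ("tcp", "192.168.69.175", "203.0.113.10", 40001, 80, 1500),
    ("tcp", "192.168.69.175", "203.0.113.10", 40002, 80, 1500),
    ("tcp", "192.168.69.20", "203.0.113.10", 40003, 80, 1500),
    ("udp", "192.168.69.20", "203.0.113.53", 40004, 53, 80),
    ("tcp", "192.168.70.5", "203.0.113.10", 40005, 443, 1500),
]

# Equivalent of ipfw "mask all": every field of the 5-tuple is kept.
MASK_ALL = {"proto": True, "src_ip": 0xFFFFFFFF, "dst_ip": 0xFFFFFFFF,
            "src_port": 0xFFFF, "dst_port": 0xFFFF}


def _masked_ip(addr, bits):
    # AND the address with the mask, as "mask src-ip 0xffffff00" does in ipfw.
    return str(ipaddress.ip_address(int(ipaddress.ip_address(addr)) & bits))


def flow_key(pkt, mask):
    """Reduce a packet's 5-tuple to its dummynet flow key under `mask`.
    `mask` keys mirror the ipfw keywords: src_ip/dst_ip are 32-bit AND masks
    (0xffffffff = exact host, 0xffffff00 = per /24), src_port/dst_port are
    16-bit AND masks, proto is a flag. A field absent from the mask is
    zeroed, so packets that differ only there share one dynamic queue.
    """
    proto, src, dst, sport, dport, _length = pkt
    return (proto if mask.get("proto") else "*",
            _masked_ip(src, mask.get("src_ip", 0)),
            _masked_ip(dst, mask.get("dst_ip", 0)),
            sport & mask.get("src_port", 0),
            dport & mask.get("dst_port", 0))


def dynamic_queues(packets, mask):
    """Return {flow_key: bytes}: one entry per dynamic queue the mask would
    create, each of which competes for the parent pipe's bandwidth."""
    queues = defaultdict(int)
    for pkt in packets:
        queues[flow_key(pkt, mask)] += pkt[5]
    return dict(queues)


if __name__ == "__main__":
    for name, mask in (("no mask", {}), ("src-ip host", {"src_ip": 0xFFFFFFFF}),
                       ("src-ip /24", {"src_ip": 0xFFFFFF00}), ("all", MASK_ALL)):
        q = dynamic_queues(PACKETS, mask)
        print(f"{name:12s} -> {len(q)} queue(s): {q}")
```

With no mask all five packets fall into one queue; a per-host source mask gives the three LAN hosts one queue each, which is the "source" setting m0n0wall exposes, while a /24 mask collapses the two 192.168.69.x hosts into one queue.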