IPFW bandwidth configuration with ipfw

Hi all,

I want to limit the bandwidth between two applications using ipfw(8). Is it possible? For example, if app1 is using port 5000 on 192.168.10.140 and app2 is using port 6000 on 192.168.10.150, then to limit the bandwidth between them to 10Mbps I use the rules below on 192.168.10.140:

sudo ipfw add 100 pipe 1 udp from 192.168.10.140 to 192.168.10.150 src-port 5000 dst-port 6000 out
sudo ipfw pipe 1 config bw 10Mbps

There are other network applications on these two machines and there is traffic between them, but I want to limit only the bandwidth between app1 and app2. Is it possible?

Thanks much in advance for your help.
 
When you say app1 is using port 5000 and app2 is using port 6000, are these definitely source and destination ports respectively? Or is it that app1 is listening on port 5000 (destination port on 192.168.10.140) and app2 is listening on port 6000 (destination port on 192.168.10.150)?

I ask because it is common for source ports to be randomly selected at the time of connection, with only destination ports consistently specified. This would change your pipe rules... instead of specifying a src-port, you would need 2 lines (one for traffic in each direction):
sudo ipfw add 100 pipe 1 udp from 192.168.10.140 to 192.168.10.150 6000
sudo ipfw add 110 pipe 1 udp from 192.168.10.150 to 192.168.10.140 5000
sudo ipfw pipe 1 config bw 10Mbps
 
Thanks much for your reply. Actually there is a two-way communication between app1 and app2, so sometimes app1 is the source and sometimes app2. The link between them should have 10Mbps bandwidth. For each communication both source and destination are specified, because I use DatagramSocket with a specific source IP and port and also DatagramPacket with a specific destination IP and port (in Java). In this situation is it sufficient to use your 3-line configuration?
 
Great - if you have specified it in the code, it will be easy to write firewall rules for it. To allow us to check, can you please tell us what the source IP, source port, destination IP and destination port is for every possible communication in either direction?
 
Please consider these two addresses 192.168.10.140:5000 and 192.168.10.150:6000. Both of them can be source or destination.
 
In that case the rules I wrote above should work. They don't filter on source port, only source IP, destination IP, and destination port. However, that should be enough to capture all of the traffic based on your description, and not unrelated traffic (the destination ports are unique enough to exclude other traffic).
 
The problem is that I have more than one two-way communication. There are 6 applications running on the source addresses below:
192.168.10.140:6000
192.168.10.140:6001
192.168.10.140:6002
192.168.10.150:6003
192.168.10.150:6004
192.168.10.150:6005
Each application has communication with the others (sends UDP packets to the others). I want to limit the bandwidth between each pair. For example, the bandwidth on the links below:
192.168.10.140:6000 <-> 192.168.10.140:6001
192.168.10.140:6001 <-> 192.168.10.140:6002
192.168.10.140:6002 <-> 192.168.10.150:6003
192.168.10.150:6003 <-> 192.168.10.150:6004
192.168.10.150:6003 <-> 192.168.10.140:6001

Is it possible?
 
Well, you could obviously add multiple lines, one for each possible combination of traffic. To make your life easier, source or destination ports can be specified as ranges. This allows you to stick with 3 lines:
sudo ipfw add 100 pipe 1 udp from 192.168.10.140 to 192.168.10.150 6003-6005
sudo ipfw add 110 pipe 1 udp from 192.168.10.150 to 192.168.10.140 6000-6002
sudo ipfw pipe 1 config bw 10Mbps
This still limits all of them together to a total of 10Mbps. You would need separate pipes if you want each different combination to individually have 10Mbps available.

Again, these rules filter on destination ports only. However, you specified those ports as source ports. I am curious what happened to the original source port 5000 from your first post?
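Added example (not from the thread): a small POSIX sh script that emits one dummynet pipe per pair from the list in the question, so each pair gets its own 10Mbps rather than all pairs sharing pipe 1. Both source and destination ports are matched, since the question says both ends are fixed in the Java code. The rule and pipe numbers are my choice, and IPFW defaults to "echo ipfw" as a dry run; set IPFW=ipfw and run as root to apply.

```shell
#!/bin/sh
# One dummynet pipe per endpoint pair: every pair has its own 10Mbps.
# IPFW defaults to a dry run that prints the commands (assumed helper, not ipfw's own).
IPFW="${IPFW:-echo ipfw}"

# pair_rules BASE PIPE IP_A PORT_A IP_B PORT_B
# Emits two rules (one per direction, matching src AND dst port, as both ends
# are fixed in the application) and the pipe's bandwidth configuration.
pair_rules() {
    base=$1 pipe=$2 ipa=$3 pa=$4 ipb=$5 pb=$6
    $IPFW add "$base"         pipe "$pipe" udp from "$ipa" "$pa" to "$ipb" "$pb"
    $IPFW add "$((base + 1))" pipe "$pipe" udp from "$ipb" "$pb" to "$ipa" "$pa"
    $IPFW pipe "$pipe" config bw 10Mbps
}

# all_pairs: the five links from the thread (constructed list, edit as needed).
# Pair n uses pipe n and rules 100+(n-1)*10 and 100+(n-1)*10+1.
all_pairs() {
    n=0
    while read -r ipa pa ipb pb; do
        n=$((n + 1))
        pair_rules $((100 + (n - 1) * 10)) "$n" "$ipa" "$pa" "$ipb" "$pb"
    done <<EOF
192.168.10.140 6000 192.168.10.140 6001
192.168.10.140 6001 192.168.10.140 6002
192.168.10.140 6002 192.168.10.150 6003
192.168.10.150 6003 192.168.10.150 6004
192.168.10.150 6003 192.168.10.140 6001
EOF
}

all_pairs
```

Each pipe's 10Mbps is shared by both directions of its pair; if every direction needs its own 10Mbps, dummynet's `mask src-port 0xffff dst-port 0xffff` on a pipe config creates a dynamic pipe per port pair, each with the configured bandwidth.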
 