ipfw question

Discussion in 'macOS' started by nagromme, Feb 15, 2007.

  1. nagromme macrumors G5

    #1
    I want to simulate a higher ping for all Internet traffic (without loss of bandwidth), and jsw suggested I look into ipfw. Scary!

    Does anyone know whether entering the following in Terminal would work, adding 80 ms to all traffic?

    Code:
    ipfw pipe 1 config delay 80
    ipfw add pipe 1 tcp from any to any
    ipfw add pipe 1 udp from any to any

    And then would the following bring my Mac COMPLETELY back to the previous state, including leaving my System Prefs firewall settings intact?

    Code:
    ipfw flush
    (And do any of those need sudo in front?)

    I'm not a command-line expert, and don't want to destabilize my Mac or screw anything up. I just want a reversible "fake lag" that would affect all games and apps. Thanks for any advice or warnings!

    (Apple docs here)
     
  2. ElectricSheep macrumors 6502

    #2
    You will need to use sudo to add or remove any ipfw rules. If you want to simulate an average latency increase of 80ms over what you normally experience, the following rules will work:

    (1) sudo ipfw pipe 1 config delay 80
    (2) sudo ipfw add 10 pipe 1 ip from any to any

    This will transfer packets to the pipe early on in the ipfw ruleset. By default configuration, packets that are sent to a pipe or queue for traffic shaping do not re-enter the firewall ruleset. If you have other firewall rules that you still want to apply to the shaped packets, you need to unset a sysctl flag:

    (3) sudo sysctl -w net.inet.ip.fw.one_pass=0

    You can also control the piping per interface. If you have two interfaces, such as on a MacBook, you can choose the one that will have the simulated latency. Normally, the interface en0 is for built-in ethernet, and the interface en1 is for an Airport card.

    Replace command (2) from above with:

    (4) sudo ipfw add 10 pipe 1 ip from any to any via en1

    To send only packets going through Airport to the traffic shaper.
     
  3. nagromme thread starter macrumors G5

    #3
    Thanks!

    Does your step (3) mention of "other rules" apply to stuff I have done with System Preferences? Or only to other command-line stuff I've done? (Which is... nothing :) ) How much does this interfere with System Preferences firewall settings?

    And when I want to turn this off and go back to normal... sudo ipfw flush will do the trick?
     
  4. ElectricSheep macrumors 6502

    #4
    There is only one firewall included with Mac OS X. Both ipfw and the System Preferences are interfaces to control the same firewall.
     
  5. nagromme thread starter macrumors G5

    #5
    Got it. So are the ipfw command line settings at odds with the ones in System Preferences, or will the two sets of settings co-exist nicely? (And will flush delete my current firewall System Prefs and set them back to defaults?)

    Basically I want to be sure nothing I do here has any effect on System Preferences, nor any effect on my system at all once I "turn it off" after gaming.
     
  6. ElectricSheep macrumors 6502

    #6
    Flush will flush everything and leave the firewall in a completely open state. If you open up System Preferences, it will show the firewall as being 'stopped'.

    You can always check to see what rules are in place before adding new ones with sudo ipfw show. Rules are applied in order by their number, from lowest to highest. So, if you add rules with a low number, they will be evaluated first. If you add them with a high number, they will be evaluated last.
     
  7. nagromme thread starter macrumors G5

    #7
    I see--thanks.

    The ipfw thing may be more involved than it's worth for my purposes, but definitely a good option to have in my arsenal!
     
  8. jsw Moderator emeritus

    #8
    While I'm not sure exactly which steps you'd use, ipfw can use different sets of rules, which can be independently turned on or off. You can add the delay rules to one set, then turn it off when you want.

    Others can advise you better on how to do so. :) But I think it'd be easy to turn on/off once set up.
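
The rule-set approach mentioned in #8, built on the commands from #2, as an added example that is not part of any post in the thread. It removes only its own rules and pipe instead of using `ipfw flush`, which #6 says leaves the firewall completely open. The pipe, rule and set numbers, the function names and the script name `fakelag.sh` are assumptions chosen for this sketch, and the set syntax follows the ipfw(8) man page.

```shell
#!/bin/sh
# Added example (not from the thread): reversible latency via a dedicated ipfw set.
# PIPE, RULE and SET are arbitrary values chosen for this sketch.
PIPE=1 RULE=10 SET=5

# Print the ipfw/sysctl commands for an action, one per line, without running them.
# Arguments are validated because the output is later executed as root.
lag_cmds() {
    action=$1 delay=${2:-80} iface=${3:-}
    case $delay in ''|*[!0-9]*) echo "delay must be whole milliseconds" >&2; return 2 ;; esac
    case $iface in *[!a-z0-9]*) echo "bad interface name" >&2; return 2 ;; esac
    case $action in
    on)
        echo "ipfw pipe $PIPE config delay $delay"
        echo "ipfw add $RULE set $SET pipe $PIPE ip from any to any${iface:+ via $iface}"
        # Let delayed packets continue through the remaining firewall rules.
        echo "sysctl -w net.inet.ip.fw.one_pass=0"
        echo "ipfw set enable $SET" ;;
    pause)  echo "ipfw set disable $SET" ;;
    resume) echo "ipfw set enable $SET" ;;
    off)
        # Remove only this set and pipe; 'ipfw flush' would drop every rule.
        echo "ipfw delete set $SET"
        echo "ipfw pipe $PIPE delete"
        echo "sysctl -w net.inet.ip.fw.one_pass=1" ;;   # assumed previous value
    *)  echo "usage: on [ms] [iface] | pause | resume | off" >&2; return 2 ;;
    esac
}

# Run the commands with sudo, stopping at the first failure.
lag_apply() {
    cmds=$(lag_cmds "$@") || return
    echo "$cmds" | while read -r cmd; do
        echo "+ sudo $cmd"
        sudo $cmd || exit 1    # unquoted on purpose: split into words
    done
}

# Executes only when an action is given, e.g.: sh fakelag.sh on 80 en1
if [ $# -gt 0 ]; then lag_apply "$@"; fi
```

Running `sudo ipfw show` before `on` and after `off`, as suggested in #6, confirms that the rules created through System Preferences are unchanged.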
     
