wed, 08-oct-2008, 17:51


os x firewall tool

One of the more annoying things about Apple’s wireless routers is that there’s no way to shape the bandwidth. With two of us in the house, commonly using the Internet at the same time, and a limited 43 KB/s bandwidth, we wind up stepping on each other’s use fairly often. One bandwidth limiting tool is the Unix command trickle, which allows you to control bandwidth for individual command-line programs. Something like:

    trickle -u 20 -d 20 wget

would limit the file download to 20 KB/second, about half of our bandwidth. Many commands like wget and rsync have bandwidth limiting built in, making trickle unnecessary for those programs.

These techniques don’t work when the programs don’t include limiting internally, and when you can’t run them from the command line. The program I use to download music from eMusic (eMusicJ) is an example. With my downloads refreshing in a couple days, I wanted to find a way to get my downloads in, without ruining the network for the next day and a half.

Since OS X is built on BSD, it comes with a super-sophisticated firewall, ipfw, that has traffic shaping built in. So here’s how I was able to consume only half of our bandwidth downloading music:

Start the download and use netstat -an to find the IP address of the download site (or run netstat -an before and after you’ve started the download to identify the new download IP address):

    $ netstat -an | less
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0        ESTABLISHED
    tcp4       0      0        ESTABLISHED
    tcp4       0      0        ESTABLISHED
    tcp4       0      0        ESTABLISHED

Set up a pipe for data coming from that site:

    $ sudo ipfw add pipe 10 ip from to any
    00100 pipe 10 ip from to any

Configure the pipe to limit bandwidth:

    $ sudo ipfw pipe 10 config bw 20KBytes/s queue 10KBytes

After you're done, delete the pipe:

    $ sudo ipfw list
    00100 pipe 10 ip from to any
    65535 allow ip from any to any

    $ sudo ipfw del 00100
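The whole procedure above (diff two netstat captures to find the new peer, emit the ipfw pipe rule and its config, then find the rule number to delete afterwards) as one added shell script. This is an added example, not code from the original post; the netstat and ipfw listings embedded in it are constructed samples using documentation addresses (198.51.100.7, 203.0.113.10), and the script only prints the ipfw commands as a dry run rather than executing them.

```shell
#!/bin/sh
# Added example (not from the original post): find the new download
# connection by diffing two `netstat -an` captures, then print the ipfw
# pipe commands for it. Addresses below are constructed samples.

# Foreign IPv4 addresses (port stripped) of ESTABLISHED tcp4 connections
# in a saved `netstat -an` capture. BSD netstat prints peers as IP.port.
established_peers() {
    awk '$1 == "tcp4" && $NF == "ESTABLISHED" {
        split($5, a, ".");
        printf "%s.%s.%s.%s\n", a[1], a[2], a[3], a[4]
    }' "$1" | sort -u
}

# Peers present in the "after" capture but absent from the "before" one:
# the site the download just connected to.
new_peers() {
    np_before=$(mktemp); np_after=$(mktemp)
    established_peers "$1" > "$np_before"
    established_peers "$2" > "$np_after"
    comm -13 "$np_before" "$np_after"
    rm -f "$np_before" "$np_after"
}

# The ipfw commands that shape traffic coming from one peer. Dry run:
# nothing is executed; on OS X, pipe the output to `sudo sh` to apply it.
shape_cmds() {
    sc_peer=$1; sc_pipe=${2:-10}; sc_bw=${3:-20KBytes/s}
    printf 'ipfw add pipe %s ip from %s to any\n' "$sc_pipe" "$sc_peer"
    printf 'ipfw pipe %s config bw %s queue 10KBytes\n' "$sc_pipe" "$sc_bw"
}

# Rule numbers in a saved `ipfw list` output that send traffic through a
# given pipe, so they can be removed with `ipfw del <number>` afterwards.
pipe_rule_numbers() {
    awk -v pipe="$2" '$2 == "pipe" && $3 == pipe { print $1 }' "$1"
}

# Constructed sample captures standing in for real netstat/ipfw output.
BEFORE_CAPTURE=$(mktemp); AFTER_CAPTURE=$(mktemp); LIST_CAPTURE=$(mktemp)
trap 'rm -f "$BEFORE_CAPTURE" "$AFTER_CAPTURE" "$LIST_CAPTURE"' EXIT
cat > "$BEFORE_CAPTURE" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49152      198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.5.49153      198.51.100.7.443       TIME_WAIT
tcp4       0      0  *.22                   *.*                    LISTEN
EOF
cat > "$AFTER_CAPTURE" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.49152      198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.5.49160      203.0.113.10.80        ESTABLISHED
tcp4       0      0  192.168.1.5.49161      203.0.113.10.80        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
EOF
cat > "$LIST_CAPTURE" <<'EOF'
00100 pipe 10 ip from 203.0.113.10 to any
65535 allow ip from any to any
EOF

# Dry run of the whole procedure against the sample captures.
for peer in $(new_peers "$BEFORE_CAPTURE" "$AFTER_CAPTURE"); do
    shape_cmds "$peer" 10 20KBytes/s
done
for rule in $(pipe_rule_numbers "$LIST_CAPTURE" 10); do
    printf 'ipfw del %s\n' "$rule"
done
```

Note that the generated rule matches every packet from that host, not just the download connection; that is the same scope as the rule in the post, and it is why the rule should be deleted once the download finishes.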