とりあえず、man dummynet とかするのが一番最初。
kernel ソースの LINT を見ると、こう書いてあった。

# DUMMYNET enables the "dummynet" bandwidth limiter. You need

# IPFIREWALL as well. See the dummynet(4) and ipfw(8) manpages for more info.

# When you run DUMMYNET it is advisable to also have "options HZ=1000"

# to achieve a smoother scheduling of the traffic.

#

# BRIDGE enables bridging between ethernet cards -- see bridge(4).

# You can use IPFIREWALL and DUMMYNET together with bridging.

#

options         DUMMYNET

options         BRIDGE

#

# Internet family options:

#

# MROUTING enables the kernel multicast packet forwarder, which works

# with mrouted(8).

#

# PIM enables Protocol Independent Multicast in the kernel.

# Requires MROUTING enabled.

#

# IPFIREWALL enables support for IP firewall construction, in

# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends

# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT

# limits the number of times a matching entry can be logged.

#

# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"

# and if you do not add other rules during startup to allow access,

# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open

# in /etc/rc.conf when first enabling this feature, then refining the

# firewall rules in /etc/rc.firewall after you've tested that the new kernel

# feature works properly.

#

# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to

# allow everything.  Use with care, if a cracker can crash your

# firewall machine, they can get to your protected machines.  However,

# if you are using it as an as-needed filter for specific problems as

# they arise, then this may be for you.  Changing the default to 'allow'

# means that you won't get stuck if the kernel and /sbin/ipfw binary get

# out of sync.

#

# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''

#

# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding

# packets without touching the ttl).  This can be useful to hide firewalls

# from traceroute and similar tools.

#

# TCPDEBUG is undocumented.

#

options         MROUTING                # Multicast routing

options         PIM                     # Protocol Independent Multicast

options         IPFIREWALL              #firewall

options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)

options         IPFIREWALL_FORWARD      #enable transparent proxy support

options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity

options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default

options         IPV6FIREWALL            #firewall for IPv6

options         IPV6FIREWALL_VERBOSE

options         IPV6FIREWALL_VERBOSE_LIMIT=100

options         IPV6FIREWALL_DEFAULT_TO_ACCEPT

options         IPDIVERT                #divert sockets

options         IPFILTER                #ipfilter support

options         IPFILTER_LOG            #ipfilter logging

options         IPFILTER_DEFAULT_BLOCK  #block all packets by default

options         IPSTEALTH               #support for stealth forwarding

options         TCPDEBUG