From owner-freebsd-ipfw Thu Jul 26 9:57:16 2001
From: Edgar Garcia Luna
Reply-To: edgar@adetel.net
Organization: Adetel S.A. de C.V.
To: freebsd-ipfw@freebsd.org
Date: Thu, 26 Jul 2001 11:57:55 -0500
Subject: Dummynet
Message-ID: <3B604C13.92E17527@adetel.net>

Hello!!
I hope you can help me.
I have FreeBSD 4.2-RELEASE; the kernel is compiled to load Dummynet, with the following options in the kernel:

    options NMBCLUSTERS=9000
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options DUMMYNET
    options HZ=1000

This server works as a gateway and I want to limit the bandwidth of the machines that use this gateway. In /etc/rc.conf I put gateway_enable="YES" and the rules are:

    ipfw add pipe 1 ip from A to any via xl1 out
    ipfw add pipe 2 ip from any to A via xl1 in
    ipfw pipe 1 config bw 64Kbit/s
    ipfw pipe 2 config bw 64Kbit/s

The question is: if I ping from machine A, it simulates the restriction of the bandwidth OK. But if I ping to it (to machine A), it does not simulate the restriction of the bandwidth.

Where is the error?

Thank you very much.

--
Edgar García Luna
Adetel S.A de C.V.
Tel.
5480 9878
edgar@adetel.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Thu Jul 26 15:37:05 2001
From: Luigi Rizzo
To: edgar@adetel.net
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 27 Jul 2001 00:30:32 +0200 (CEST)
Subject: Re: Dummynet
Message-Id: <200107262230.AAA13857@info.iet.unipi.it>
In-Reply-To: <3B604C13.92E17527@adetel.net> from Edgar Garcia Luna at "Jul 26, 2001 11:57:55 am"

Hi,
A to A goes through the loopback interface, so not xl1.
If you want this behaviour, use the following rules:

    ipfw add pipe 1 ip from A to any in
    ipfw add pipe 2 ip from any to A out

(and this way remember you'll have local traffic going through _both_ pipes).

cheers
luigi

>
> Hello!!
> I hope you can help me.
> I have FreeBSD 4.2-RELEASE; the kernel is compiled to load Dummynet,
> with the following options in the kernel:
>
> options NMBCLUSTERS=9000
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options DUMMYNET
> options HZ=1000
>
> This server works as a gateway and I want to limit the bandwidth of the
> machines
> that use this gateway.
> In /etc/rc.conf I put gateway_enable="YES"
> and the rules are:
>
> ipfw add pipe 1 ip from A to any via xl1 out
> ipfw add pipe 2 ip from any to A via xl1 in
> ipfw pipe 1 config bw 64Kbit/s
> ipfw pipe 2 config bw 64Kbit/s
>
> The question is: if I ping from machine A, it simulates the
> restriction of the bandwidth OK. But if I ping to it (to machine
> A), it does not simulate the restriction of the bandwidth.
>
> Where is the error?
>
> Thank you very much.
>
> --
> Edgar García Luna
> Adetel S.A de C.V.
> Tel. 5480 9878
> edgar@adetel.net

From owner-freebsd-ipfw Thu Jul 26 22:13:45 2001
From: Tony Saign
Date: Thu, 26 Jul 2001 22:13:32 -0700
Subject: Simple ruleset??
Message-ID: <000001c1165a$e1e14870$0600a8c0@tsaignmobl>

I have ipfw running on my box with the default_to_deny option set.
I need a proven ruleset that would allow any outbound traffic, and incoming on ports 22, 25, 53, 80, and 110 only. I am questioning whether my current ruleset is adequate. Everything is working, but I am having problems with DNS. When I attempt an 'nslookup' from another system, it just times out with an 'unspecified error'.

Anyone have a good link for info on ipfw??

Thanks in advance for any info.

From owner-freebsd-ipfw Sat Jul 28 18:55:20 2001
From: Andrew
To: freebsd-ipfw@freebsd.org
Date: Sat, 28 Jul 2001 21:55:07 -0400
Subject: Re: Simple ruleset??
Message-ID: <20010728215507.A19670@lowrider.lewman.org>
In-Reply-To: <000001c1165a$e1e14870$0600a8c0@tsaignmobl>; from tony@saignon.net on Thu, Jul 26, 2001 at 10:13:32PM -0700

On Thu, Jul 26, 2001 at 10:13:32PM -0700, tony@saignon.net spewed 0.6K bytes in 17 lines about:
:
: I need a proven ruleset that would allow any outbound traffic, and incoming
: on ports 22, 25, 53, 80, and 110 only.

Just a thought:

    allow ip from me to any        #outbound
    allow udp from any to me 53    #dns inbound

The rest is pretty simple.
--
| Andy | e-mail          | web            | gpg/pgp keyid |
|      | andy@lewman.com | www.lewman.com | ED788962      |

Dealing with failure is easy: work hard to improve. Success is also
easy to handle: you've solved the wrong problem. Work hard to improve.

From owner-freebsd-ipfw Sat Jul 28 21:19:51 2001
From: Tony Saign
Date: Sat, 28 Jul 2001 21:19:40 -0700
Subject: RE: Simple ruleset??
Message-ID: <000001c117e5$b01f1060$0600a8c0@tsaignmobl>
In-Reply-To: <20010728215507.A19670@lowrider.lewman.org>

Currently this is what I have, and it appears to be working now that I added #00708:

    # Outbound filters
    add 00310 allow tcp from any to any out established
    add 00320 allow tcp from any to any out setup keep-state

    # SSH filters
    add 00401 pass tcp from to any 22 setup
    add 00402 pass tcp from to any 22 established
    add 00403 pass tcp from to any 22 setup
    add 00404 pass tcp from to any 22 established

    # eMail filters
    add 00501 pass tcp from any to any 25 setup
    add 00502 pass
        tcp from any to any 25 established
    add 00503 pass tcp from any to any 110 setup
    add 00504 pass tcp from any to any 110 established

    # HTTP filters
    add 00601 pass tcp from any to any 80 setup
    add 00602 pass tcp from any to any 80 established
    add 00603 pass tcp from to any 3987 setup
    add 00604 pass tcp from to any 3987 established
    add 00605 pass tcp from to any 3987 setup
    add 00606 pass tcp from to any 3987 established

    # DNS filters
    add 00701 allow udp from 53 to any in recv fxp0
    add 00702 allow udp from to any in recv fxp0
    add 00703 allow udp from to any in recv fxp0
    add 00704 allow udp from 53 to any in recv fxp0
    add 00705 allow udp from 53 to any in recv fxp0
    add 00706 allow udp from any to any 53
    add 00707 allow udp from any 53 to any
    add 00708 allow tcp from any to any 53     #NSLOOKUP WORKS w/ this rule
    add 00710 allow udp from any to any out

    # ICMP filters
    add 00801 allow icmp from any to any icmptypes 3
    add 00802 allow icmp from any to any icmptypes 4
    add 00803 allow icmp from any to any icmptypes 8 out
    add 00804 allow icmp from any to any icmptypes 0 in
    add 00805 allow icmp from any to any icmptypes 11 in

* -----Original Message-----
* From: owner-freebsd-ipfw@freebsd.org
* [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Andrew
* Sent: Saturday, July 28, 2001 6:55 PM
* To: freebsd-ipfw@freebsd.org
* Subject: Re: Simple ruleset??
*
*
* On Thu, Jul 26, 2001 at 10:13:32PM -0700, tony@saignon.net
* spewed 0.6K bytes in 17 lines about:
* :
* : I need a proven ruleset that would allow any outbound
* traffic, and incoming
* : on ports 22, 25, 53, 80, and 110 only.
*
* Just a thought:
*
* allow ip from me to any #outbound
* allow udp from any to me 53 #dns inbound
*
* The rest is pretty simple.
*
*
* --
*
* | Andy | e-mail | web | gpg/pgp keyid |
* | | andy@lewman.com | www.lewman.com | ED788962 |
*
* Dealing with failure is easy: work hard to improve. Success is also
* easy to handle: you've solved the wrong problem. Work hard to
* improve.
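Added example (not code from this thread or from ipfw): a small Python evaluator for the subset of ipfw rule syntax used in Tony's ruleset, run against a constructed subset of those rules (the rules whose host addresses did not survive the archive are left out). It reproduces the symptom Tony describes: with default-to-deny, an inbound DNS query over TCP matches nothing until rule 00708 exists, while the UDP query already matches 00706. The names Packet, parse_rule, matches and evaluate are chosen here.

```python
# Added illustration, not ipfw itself: a first-match evaluator for the ipfw syntax
# subset used above, showing why inbound DNS over TCP hit the default deny before 00708.
from collections import namedtuple
# proto "tcp"/"udp"; dport; direction "in"/"out"; syn_only = SYN without ACK
Packet = namedtuple("Packet", "proto dport direction syn_only", defaults=(False,))

def parse_rule(line):
    """Parse 'add NNNNN action proto from any to any [port] [options]'."""
    toks = line.split("#")[0].split()            # drop a trailing comment
    rest = toks[toks.index("to") + 2:]           # tokens after the destination host
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return {"num": int(toks[1]), "action": toks[2].replace("pass", "allow"),
            "proto": toks[3], "dport": dport, "setup": "setup" in rest,
            "established": "established" in rest,   # keep-state is accepted, not modelled
            "dir": "in" if "in" in rest else "out" if "out" in rest else None}

def matches(r, p):
    """Semantics of the modelled keywords; source ports are ignored."""
    tcp = p.proto == "tcp"
    return (r["proto"] in ("ip", p.proto) and r["dport"] in (None, p.dport)
            and r["dir"] in (None, p.direction)
            and (not r["setup"] or (tcp and p.syn_only))             # SYN only
            and (not r["established"] or (tcp and not p.syn_only)))  # ACK or RST set

def evaluate(text, p):
    """First match wins, in rule-number order; 65535 is the default rule (deny here)."""
    rules = sorted([parse_rule(l) for l in text.splitlines() if l.strip()], key=lambda r: r["num"])
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"

# Constructed subset of the poster's ruleset: only rules with "any" hosts, since
# the original host addresses did not survive the archive.
RULESET = """
add 00310 allow tcp from any to any out established
add 00320 allow tcp from any to any out setup keep-state
add 00501 pass tcp from any to any 25 setup
add 00601 pass tcp from any to any 80 setup
add 00706 allow udp from any to any 53
add 00710 allow udp from any to any out
"""
RULE_00708 = "add 00708 allow tcp from any to any 53  #NSLOOKUP WORKS w/ this rule\n"
DNS_UDP_QUERY = Packet("udp", 53, "in")                 # constructed inbound query
DNS_TCP_QUERY = Packet("tcp", 53, "in", syn_only=True)  # constructed, TCP fallback

if __name__ == "__main__":
    print(evaluate(RULESET, DNS_TCP_QUERY))               # (65535, 'deny')
    print(evaluate(RULESET + RULE_00708, DNS_TCP_QUERY))  # (708, 'allow')
```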