From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 19 11:02:09 2003
Date: Sun, 19 Oct 2003 19:02:07 +0100
From: Andy Smith
To: freebsd-ipfw@freebsd.org
Subject: active FTP, ipfw and dynamic rules

Hi guys,

apologies if this has been discussed before but a couple of us have been googling and reading man pages for a few hours now and can't seem to work this one out.

If you've got a machine with IPFW2 and users on it want to use active FTP, is this possible without doing something like:

ipfw add allow tcp from any 20 to any 1024-65534

??

What I'm trying to duplicate is the functionality of linux iptables where you would just add something like..

$IPTABLES -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

and then everything like active FTP would just work. We don't quite understand how that can be done with ipfw's keep-state and would appreciate any tips you can offer.

And yes I know that FTP sucks, and that passive FTP can be made to work, it is just annoying that I can work this out so easily with iptables but not with ipfw.

Thanks!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 20 11:01:47 2003
Date: Mon, 20 Oct 2003 11:01:37 -0700 (PDT)
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o  [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o  [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o  [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o  [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo

9 problems total.
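
An added illustration for the active-FTP question at the top of this archive (not code from any poster, nor from ipfw or netfilter): a toy Python model of a keep-state-style flow table. It shows that the server's port-20 data connection is a brand-new inbound flow that the control connection's dynamic rule cannot match, unless something parses the PORT command and records an expectation, which is the job iptables' RELATED state hands to its FTP connection-tracking helper. All addresses, class names and function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed model: flow matching only, not ipfw or netfilter code.
CLIENT = "192.0.2.10"      # protected host behind the filter (documentation address)
SERVER = "198.51.100.5"    # remote FTP server (documentation address)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def flow_key(p):
    """Direction-independent key: a reply maps to the same entry as the request."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n", re.I)


def parse_port_command(payload):
    """Return (ip, port) from an FTP 'PORT h1,h2,h3,h4,p1,p2' line, else None."""
    m = PORT_RE.fullmatch(payload)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


class StatefulFilter:
    """Outbound traffic from `inside` creates state; inbound needs state or an expectation."""

    def __init__(self, inside, ftp_helper=False):
        self.inside = inside
        self.ftp_helper = ftp_helper
        self.flows = set()       # established flows (what keep-state records)
        self.expected = set()    # (server, client, client_port) pinholes from PORT

    def check(self, p):
        key = flow_key(p)
        if key in self.flows:
            verdict = "allow-established"
        elif p.src == self.inside:
            self.flows.add(key)
            verdict = "allow-new"
        elif (p.src, p.dst, p.dport) in self.expected:
            self.expected.discard((p.src, p.dst, p.dport))   # one-shot pinhole
            self.flows.add(key)
            verdict = "allow-related"
        else:
            return "deny"
        if self.ftp_helper and p.src == self.inside and p.dport == 21:
            self._track_port(p)
        return verdict

    def _track_port(self, p):
        announced = parse_port_command(p.payload)
        if announced is None:
            return
        ip, port = announced
        # Open a pinhole only towards the host that owns the control connection,
        # and only for an unprivileged port, so PORT cannot expose other hosts.
        if ip == p.src and port >= 1024:
            self.expected.add((p.dst, ip, port))


def run_session(ftp_helper, port_cmd=b"PORT 192,0,2,10,195,80\r\n"):
    """Replay a constructed active-FTP exchange and return the verdict per packet."""
    fw = StatefulFilter(CLIENT, ftp_helper=ftp_helper)
    packets = [
        Packet(CLIENT, 40000, SERVER, 21),              # control connection opens
        Packet(SERVER, 21, CLIENT, 40000),              # server reply, same flow
        Packet(CLIENT, 40000, SERVER, 21, port_cmd),    # client announces data port
        Packet(SERVER, 20, CLIENT, 50000),              # active-mode data connection
    ]
    return [fw.check(p) for p in packets]


if __name__ == "__main__":
    print("state only      :", run_session(False))
    print("with PORT helper:", run_session(True))
```

The final packet is denied in the state-only run and allowed as related once the helper has seen the PORT command; a PORT line naming a different host creates no pinhole.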

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 21 21:45:03 2003
Date: Tue, 21 Oct 2003 21:45:02 -0700 (PDT)
From: Alhagie Puye
To: freebsd-ipfw@freebsd.org
Subject: Equal bandwidth sharing by all hosts using dummynet

Hi all,

First of all, I have spent a lot of time reading up on it.

Anyway, I live in a shared accommodation with 2 roommates and a landlord and we share a cable internet connection. It is 2Mbit/400Kbit connection. Sometimes when one of us is downloading a song through Kazaa or a new Linux or FreeBSD iso, the bandwidth gets hogged and other users can't get through.

I was trying to configure dummynet using Fair Queues but I seem to be missing something. I tried to modify some of the examples on Luigi Rizzo's web site (http://info.iet.unipi.it/~luigi/ip_dummynet/) but it doesn't seem to be working.

It is a very simple setup.

Private network (192.168.42.0/24)--------> FreeBSD 5.1 firewall doing NAT (DHCP on external interface)

My configuration file excerpt:

ipfw pipe 1 config bw 400Kbit/s
ipfw pipe 2 config bw 1000Kbit/s
ipfw add queue 1 ip from 192.168.42.0/24 to any via fxp0
ipfw queue 1 config weight 5 pipe 1 mask src-ip 0xffffffff

ipfw add queue 2 ip from any to 192.168.42.0/24 via fxp0
ipfw queue 2 config weight 5 pipe 2 mask dst-ip 0xffffffff

When I do a "ipfw pipe show", the output is:

firewall# ipfw pipe list
00001: 400.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 1.000 Mbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 5 pipe 1 50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
q00002: weight 5 pipe 2 50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000

The queues are always "0". So, it seems to me like they are not getting created. What am I missing? I have looked everywhere for answers. Any help would be greatly appreciated.

Cheers,
Alhagie.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 02:56:39 2003
Date: Wed, 22 Oct 2003 02:56:35 -0700
From: eculp@encontacto.net
To: freebsd-ipfw@freebsd.org
Subject: Re: Equal bandwidth sharing by all hosts using dummynet

Quoting Alhagie Puye :

| Hi all,
|
| First of all, I have spent a lot of time reading up on it.
|
| Anyway, I live in a shared accommodation with 2 roommates and a landlord and we share a cable internet connection. It is 2Mbit/400Kbit connection. Sometimes when one of us is downloading a song through Kazaa or a new Linux or FreeBSD iso, the bandwidth gets hogged and other users can't get through.
|
| I was trying to configure dummynet using Fair Queues but I seem to be missing something. I tried to modify some of the examples on Luigi Rizzo's web site (http://info.iet.unipi.it/~luigi/ip_dummynet/) but it doesn't seem to be working.
|
| It is a very simple setup.
|
| Private network (192.168.42.0/24)--------> FreeBSD 5.1 firewall doing NAT (DHCP on external interface)
|
| My configuration file excerpt:
|
| ipfw pipe 1 config bw 400Kbit/s
| ipfw pipe 2 config bw 1000Kbit/s
| ipfw add queue 1 ip from 192.168.42.0/24 to any via fxp0
| ipfw queue 1 config weight 5 pipe 1 mask src-ip 0xffffffff
|
| ipfw add queue 2 ip from any to 192.168.42.0/24 via fxp0
| ipfw queue 2 config weight 5 pipe 2 mask dst-ip 0xffffffff

I use the following and it seems to work. I haven't really looked that close though. It's a bit different to what you are doing but maybe it will help somehow. This company has some real BW hogs, that is the reason for the 16kb :)

$fwcmd pipe 1 config mask src-ip 0x000000ff bw 16Kbit/s queue 16Kbytes
$fwcmd pipe 2 config mask dst-ip 0x000000ff bw 16Kbit/s queue 16Kbytes
$fwcmd add 451 pipe 1 all from 192.168.5.0/24 to any out
$fwcmd add 452 pipe 2 all from any to 192.168.5.0/24 in

My ip pipe show is:

/var/tmp # ipfw pipe show
00001: 16.000 Kbit/s 0 ms 16 KB 29 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip   0.0.0.32/0  0.0.0.0/0     89     5275  0 0 0
  2 ip   0.0.0.1/0   0.0.0.0/0   8389   593271  0 0 0
  4 ip   0.0.0.34/0  0.0.0.0/0     39     1996  0 0 0
  6 ip   0.0.0.35/0  0.0.0.0/0    188     9738  0 0 0
  8 ip   0.0.0.36/0  0.0.0.0/0    223    11346  0 0 0
 10 ip   0.0.0.37/0  0.0.0.0/0    342    17135  0 0 0
 12 ip   0.0.0.38/0  0.0.0.0/0     92     5474  0 0 0
 14 ip   0.0.0.39/0  0.0.0.0/0    194     9634  0 0 0
 16 ip   0.0.0.40/0  0.0.0.0/0    225    10922  0 0 0
 18 ip   0.0.0.41/0  0.0.0.0/0    186     9350  0 0 0
 20 ip   0.0.0.42/0  0.0.0.0/0    122     6148  0 0 0
 22 ip   0.0.0.43/0  0.0.0.0/0    269    13420  0 0 0
 24 ip   0.0.0.44/0  0.0.0.0/0    105     6612  0 0 0
 26 ip   0.0.0.45/0  0.0.0.0/0      4      192  0 0 0
 28 ip   0.0.0.46/0  0.0.0.0/0    294    14751  0 0 0
 30 ip   0.0.0.47/0  0.0.0.0/0    229    13595  0 0 0
 32 ip   0.0.0.48/0  0.0.0.0/0    198     9504  0 0 0
 34 ip   0.0.0.49/0  0.0.0.0/0  10833   513435  0 0 0
 36 ip   0.0.0.50/0  0.0.0.0/0    218    11286  0 0 0
 38 ip   0.0.0.51/0  0.0.0.0/0     30     1541  0 0 0
 40 ip   0.0.0.52/0  0.0.0.0/0   1131    59118  0 0 0
 42 ip   0.0.0.53/0  0.0.0.0/0   1059    58867  0 0 0
 44 ip   0.0.0.54/0  0.0.0.0/0     55     2700  0 0 0
 52 ip   0.0.0.26/0  0.0.0.0/0    100     4800  0 0 0
 54 ip   0.0.0.27/0  0.0.0.0/0  10561   514357  0 0 0
 56 ip   0.0.0.28/0  0.0.0.0/0     41     2669  0 0 0
 58 ip   0.0.0.29/0  0.0.0.0/0   5838   277480  0 0 0
 60 ip   0.0.0.30/0  0.0.0.0/0    172     8980  0 0 0
 62 ip   0.0.0.31/0  0.0.0.0/0      8      512  0 0 0
00002: 16.000 Kbit/s 0 ms 16 KB 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  1 ip   0.0.0.0/0   0.0.0.1/0  97482 15485004  0 0 0

So I assume it is doing what I expect or could I be missing something?

ed

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 03:05:37 2003
Date: Wed, 22 Oct 2003 03:05:36 -0700
From: eculp@encontacto.net
To: freebsd-ipfw@freebsd.org
Subject: Policy routing

Currently we have an inhouse machine with three NICs. One is connected to our main isp through a ds0 and with public addresses, in this country bandwidth is still expensive, another through a cable provider with a private ip and the third is our lan.

I want to selectively route, such as ports 80 and 21, through the internal traffic through the cable provider and the private ip. All other traffic I would like to go through the main isp and the public ip, this is my natd interface.

I'm currently doing it with the help of squid using transparent proxying with a couple of fwd's but I would like to be able to remove squid and have everything work but with more flexibility in which services go where.

My current working configuration, without cruft, is basically:

00601 allow tcp from 192.168.5.0/24 to me 80
00701 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 80
00702 fwd 127.0.0.1,3128 tcp from 192.168.5.0/24 to any 21
00801 fwd 10.24.128.1 tcp from me to any 80
10000 divert 8668 ip from any to any via rl0

Any suggestions would be appreciated.
Thanks,

ed

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 03:06:55 2003
Date: Wed, 22 Oct 2003 03:06:51 -0700
From: Kris Kennaway
To: "Thomas S. Crum"
cc: freebsd-ipfw@freebsd.org
Subject: Re: patch for freebsd 5.3 release / dummynet

On Thu, Oct 16, 2003 at 07:53:26AM -0400, Thomas S. Crum wrote:
> Hi all,
>
> I recently installed FreeBSD 5.3 release and rebuilt ipfw and libalias.

Congratulations, can you also mail me next week's lottery numbers? :-)

Kris

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 03:07:57 2003
Date: Wed, 22 Oct 2003 03:07:55 -0700
From: Kris Kennaway
To: "Thomas S. Crum"
cc: freebsd-ipfw@freebsd.org
Subject: Re: UPDATE 4.8 release / dummynet patch

On Thu, Oct 16, 2003 at 08:07:30AM -0400, Thomas S. Crum wrote:
> Sry, just woke up.
>
> Hi all,
>
> I recently installed FreeBSD 4.8 release and rebuilt ipfw and libalias.
>
> All seems to be working, but occasionally I get errors referencing
> dummynet. This is very likely just my syntax as I am new to ipfw2. But,
> I just wanted to ask is there any patching I need to do further or shall
> I just need to hit the books further. :)

Provide more details, like your ipfw ruleset, details of your network, the exact conditions under which the problem occurs, and the error messages received.

Kris

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 05:32:46 2003
Date: Wed, 22 Oct 2003 08:32:37 -0400
From: "Thomas S. Crum - 1WISP, Inc."
To: "Alhagie Puye"
Subject: Re: Equal bandwidth sharing by all hosts using dummynet

Do not use "all" of your available pipe as during peak times it would increase latency.

# EVERYBODY "DOWN"
add queue 100 ip from any to 192.168.42.0/24
queue 100 config weight 1 pipe 100 mask dst-ip 0xffffffff
pipe 100 config bw 1950Kbit/s
#
# EVERYBODY "UP"
add queue 101 ip from 192.168.42.0/24 to any
queue 101 config weight 1 pipe 101 mask src-ip 0xffffffff
pipe 101 config bw 350Kbit/s

# THIS ALLOWS DHCP TO WORK
add queue 250 ip from any to any
queue 250 config weight 1 pipe 250 mask src-ip 0xffffffff
pipe 250 config bw 10Kbit/s

It sounds as though you are using a separate box for shaping? If so, this configed box would go in between your router and switch as a bridge.

Best,

Tom

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 05:35:51 2003
Date: Wed, 22 Oct 2003 08:35:39 -0400
From: "Thomas S. Crum - 1WISP, Inc."
To: "Kris Kennaway"
cc: freebsd-ipfw@freebsd.org
Subject: Re: UPDATE 4.8 release / dummynet patch

That's just it. No particular errors to be concerned with, I'm just wondering in general is there any further patching that I should need to do besides rebuilding ipfw and libaliases from your knowledge?
----- Original Message ----- From: "Kris Kennaway" To: "Thomas S. Crum" Cc: Sent: Wednesday, October 22, 2003 6:07 AM Subject: Re: UPDATE 4.8 release / dummynet patch From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 05:45:38 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C74A16A4B3 for ; Wed, 22 Oct 2003 05:45:38 -0700 (PDT) Received: from mail.1wisp.com (uslec-66-255-6-131.cust.uslec.net [66.255.6.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1C10043FD7 for ; Wed, 22 Oct 2003 05:45:34 -0700 (PDT) (envelope-from tscrum@1wisp.com) Received: from 1wispadmin ([192.168.1.94]) (authenticated) by mail.1wisp.com (8.11.6/8.11.6) with ESMTP id h9MCjSp11171; Wed, 22 Oct 2003 08:45:28 -0400 Message-ID: <008001c3989a$60e03dc0$5e01a8c0@1wispadmin> From: "Thomas S. Crum - 1WISP, Inc." To: "Alhagie Puye" , References: <20031022044502.95474.qmail@web20505.mail.yahoo.com> <004001c39898$9434e010$5e01a8c0@1wispadmin> Date: Wed, 22 Oct 2003 08:45:31 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: Equal bandwidth sharing by all hosts using dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Oct 2003 12:45:38 -0000 Also, I'm a monkey see, monkey know kind of person so to be sure that your config is working just lower your pipes to say 100Kb to be sure it is throttling you. Best, Tom ----- Original Message ----- From: "Thomas S. Crum - 1WISP, Inc." 
To: "Alhagie Puye" ;
Sent: Wednesday, October 22, 2003 8:32 AM
Subject: Re: Equal bandwidth sharing by all hosts using dummynet

> Do not use "all" of your available pipe as during peak times it would
> increase latency.
>
> # EVERYBODY "DOWN"
> add queue 100 ip from any to 192.168.42.0/24
> queue 100 config weight 1 pipe 100 mask dst-ip 0xffffffff
> pipe 100 config bw 1950Kbit/s
> #
> # EVERYBODY "UP"
> add queue 101 ip from 192.168.42.0/24 to any
> queue 101 config weight 1 pipe 101 mask src-ip 0xffffffff
> pipe 101 config bw 350Kbit/s
>
> # THIS ALLOWS DHCP TO WORK
> add queue 250 ip from any to any
> queue 250 config weight 1 pipe 250 mask src-ip 0xffffffff
> pipe 250 config bw 10Kbit/s
>
> It sounds as though you are using a separate box for shaping? If so, this
> configed box would go in between your router and switch as a bridge.
>
> Best,
>
> Tom
>
> ----- Original Message -----
> From: "Alhagie Puye"
> To:
> Sent: Wednesday, October 22, 2003 12:45 AM
> Subject: Equal bandwidth sharing by all hosts using dummynet
>
>
> > Hi all,
> >
> > First of all, I have spent a lot of time reading up on
> > it.
> >
> > Anyway, I live in a shared accommodation with 2
> > roommates and a landlord and we share a cable internet
> > connection. It is 2Mbit/400Kbit connection. Sometimes
> > when one of us is downloading a song through Kazaa or
> > a new Linux or FreeBSD iso, the bandwidth gets hogged
> > and other users can't get through.
> >
> > I was trying to configure dummynet using Fair Queues
> > but I seem to be missing something. I tried to modify
> > some of the examples on Luigi Rizzo's web site
> > (http://info.iet.unipi.it/~luigi/ip_dummynet/) but it
> > doesn't seem to be working.
> >
> > It is a very simple setup.
> >
> > Private network (192.168.42.0/24)--------> FreeBSD 5.1
> > firewall doing NAT (DHCP on external interface)
> >
> > My configuration file excerpt:
> >
> > ipfw pipe 1 config bw 400Kbit/s
> > ipfw pipe 2 config bw 1000Kbit/s
> > ipfw add queue 1 ip from 192.168.42.0/24 to any via fxp0
> > ipfw queue 1 config weight 5 pipe 1 mask src-ip 0xffffffff
> >
> > ipfw add queue 2 ip from any to 192.168.42.0/24 via fxp0
> > ipfw queue 2 config weight 5 pipe 2 mask dst-ip 0xfffffff
> >
> > When I do a "ipfw pipe show", the output is:
> >
> > firewall# ipfw pipe list
> > 00001: 400.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
> >     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> > 00002: 1.000 Mbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
> >     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> > q00001: weight 5 pipe 1 50 sl. 0 queues (64 buckets) droptail
> >     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
> > q00002: weight 5 pipe 2 50 sl. 0 queues (64 buckets) droptail
> >     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> >
> > The queues are always "0". So, it seems to me like
> > they are not getting created. What am I missing? I
> > have looked everywhere for answers. Any help would be
> > greatly appreciated.
> >
> > Cheers,
> > Alhagie.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 07:07:31 2003
Date: Wed, 22 Oct 2003 16:10:05 +0200
From: Aleksandar Simonovski
To: freebsd-ipfw@freebsd.org
Message-Id: <20031022161005.77a50af1.aleksandar@unet.com.mk>
Subject: gateway/firewall script

this is my script, works just fine, its purpose is to allow just www,ftp and dns
requests but i get only 6KB/s transfer with config bw 128Kbit/s, and 3KB/s with 64Kbit/s and so on and it should be 16KB/s with 128Kbit/s and 8KB/s with 64Kbit/s and so on, so is this right or I'm missing something? any comments on the script would be fine

INTINF = rl1
EXTINF = rl0
# natd is running natd -n rl0

#!/bin/sh -f
flush
add 1000 divert 8668 ip from any to any via rl0
add 1200 allow ip from any to any via lo0
add 1300 deny ip from any to 127.0.0.1/8
add 1400 deny ip from 127.0.0.1/8 to any
add 1500 check-state
add 1550 allow icmp from any to any keep-state
add 1600 allow log udp from any to any 53 keep-state out
add 1610 allow log udp from any to any 53 keep-state in
#add 1620 allow log udp from any 53 to any keep-state in
add 1700 queue 1 log tcp from any to any 20,21 keep-state out
add 1800 queue 2 log tcp from any 20,21 to any keep-state in
add 2000 queue 3 log tcp from any to any 80 keep-state out
add 2010 queue 4 log tcp from any to any 80 keep-state in
#add 2020 queue 5 log tcp from any 80 to any keep-state in
add 2100 deny log ip from any to any

queue 1 config weight 5 pipe 1 mask all
queue 2 config weight 5 pipe 2 mask all
queue 3 config weight 5 pipe 3 mask all
queue 4 config weight 5 pipe 4 mask all
queue 5 config weight 5 pipe 5 mask all

pipe 1 config bw 128Kbit/s
pipe 2 config bw 128Kbit/s
pipe 3 config bw 128Kbit/s
pipe 4 config bw 128Kbit/s
pipe 5 config bw 128Kbit/s

Cheers,
Aleksandar

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 12:45:47 2003
Date: Wed, 22 Oct 2003 12:44:23 -0700
From: Kris Kennaway
To: "Thomas S. Crum - 1WISP, Inc."
Message-ID: <20031022194423.GB71686@rot13.obsecurity.org>
References: <003b01c393de$15e41dc0$6252eb44@wolf> <20031022100754.GB70249@rot13.obsecurity.org> <005201c39899$007b6190$5e01a8c0@1wispadmin>
In-Reply-To: <005201c39899$007b6190$5e01a8c0@1wispadmin>
cc: freebsd-ipfw@freebsd.org
cc: Kris Kennaway
Subject: Re: UPDATE 4.8 release / dummynet patch

On Wed, Oct 22, 2003 at 08:35:39AM -0400, Thomas S. Crum - 1WISP, Inc. wrote:
> That's just it. No particular errors to be concerned with, I'm just
> wondering in general is there any further patching that I should need to do
> besides rebuilding ipfw and libaliases from your knowledge?

I'm not sure what you mean. Upgrading the system involves more than just rebuilding ipfw and libaliases - see the handbook for full details.

Kris

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 22 12:59:20 2003
Message-ID: <20031022195900.91577.qmail@web20501.mail.yahoo.com>
Date: Wed, 22 Oct 2003 12:59:00 -0700 (PDT)
From: Alhagie Puye
To: "Thomas S. Crum - 1WISP, Inc.", freebsd-ipfw@freebsd.org
In-Reply-To: <004001c39898$9434e010$5e01a8c0@1wispadmin>
Subject: Re: Equal bandwidth sharing by all hosts using dummynet

Thanks for the tip. The EVERYBODY "DOWN" works great but the others don't work.

I'm wondering what the order of how the rules are applied affects it. It looks like the traffic shaping is happening AFTER the packets are nat-ed. Could that be the case? I said this because after nat, the packets coming back to my private network have the right IP's (192.168.42.0/24) but when the packets are leaving my network, they have the wrong IP after nat.
I'm going to try changing the rule a little bit. Will let you know what I find out.

Thanks,
Alhagie.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 23 05:51:32 2003
Message-ID: <00b801c39964$5dacc950$5e01a8c0@1wispadmin>
From: "Thomas S. Crum - 1WISP, Inc."
To: "Alhagie Puye"
References: <20031022195900.91577.qmail@web20501.mail.yahoo.com>
Date: Thu, 23 Oct 2003 08:51:23 -0400
Subject: Re: Equal bandwidth sharing by all hosts using dummynet

To be candid, I have not tinkered much with freebsd as a nat box. If you are using the same box to route and to shape, I'm sure the config will be different. My config (a bridge) is sitting between a cisco and my switches and my cisco runs nat so all the private ip's are shaped both in and out prior to the router nating it to a public ip.

GL,

Tom

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 23 11:45:50 2003
Date: Thu, 23 Oct 2003 11:45:58 -0700
From: Sean Hafeez
To: freebsd-ipfw@freebsd.org
Message-Id: <2417D2D4-0589-11D8-BDAD-003065F1EE08@edgefocus.com>
Subject: Shaping a lot of users...

I am using the following:

ipfw -f flush
/sbin/natd -interface rl0
ipfw add 999 divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

rl0 - outside
rl1 - inside

and I have this in my sysctl.conf

net.inet.ip.fw.one_pass=0
net.inet.ip.dummynet.hash_size=512
net.inet.ip.dummynet.max_chain_len=64

This seems to work great for limiting each user to a max of 1 meg up and down.

What I want to know is how do I do the same thing but shape the users to have EQUAL bandwidth in times of load. What I mean is this:

Each unique IP address on the inside (192.168.1.x/22) is limited to a max of 1 meg. If there is a huge load that exceeds my internet bandwidth (2 T1's - so 3 megs) I would like each user to get the same amount of bandwidth - 30 users all getting 100k. I would like it to adjust based on the load.

I have looked at the docs and example but I am a bit confused.

Also we need to be careful not to shape the BSD box itself - I have seen some rules that screw things up because they shape the shaping box!!

Thanks All!

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 24 03:02:41 2003
Message-ID: <20031024100238.77393.qmail@web20508.mail.yahoo.com>
Date: Fri, 24 Oct 2003 03:02:38 -0700 (PDT)
From: Alhagie Puye
To: Sean Hafeez, freebsd-ipfw@freebsd.org
In-Reply-To: <2417D2D4-0589-11D8-BDAD-003065F1EE08@edgefocus.com>
Subject: Re: Shaping a lot of users...

I have a similar setup and this is what my firewall script looks like:

# EVERYBODY "DOWN"
add queue 1 ip from any to 192.168.42.0/27
queue 1 config weight 1 pipe 1 mask dst-ip 0xffffffff
pipe 1 config bw 1500Kbit/s
#
# EVERYBODY "UP"
add queue 2 ip from 192.168.42.0/27 to any
queue 2 config weight 1 pipe 2 mask src-ip 0xffffffff
pipe 2 config bw 400Kbit/s

The output looks like this:

firewall# ipfw pipe list
00001:   1.500 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 400.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 1   50 sl. 3 queues (256 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 79 ip           0.0.0.0/0      192.168.42.31/0        1      229  0    0   0
 81 ip           0.0.0.0/0       192.168.42.1/0      103     6958  0    0   0
 82 ip           0.0.0.0/0       192.168.42.2/0       95    27837  0    0   0
q00002: weight 1 pipe 2   50 sl. 2 queues (256 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
170 ip      192.168.42.1/0             0.0.0.0/0       68    10862  0    0   0
172 ip      192.168.42.2/0             0.0.0.0/0      164    13563  0    0   0

Hope this helps.

Cheers,
Alhagie.
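
The `ipfw pipe list` dumps in this thread are the evidence for whether per-host dynamic queues exist ("0 queues" in the first post, "3 queues" in the last one). As an added example, not code from any poster or from the FreeBSD project, here is a Python parser for that output format that lists per-host byte counters and flags a masked queue with no dynamic queues. The sample text is constructed from the listings quoted in the thread; all function and field names are hypothetical.

```python
import re

# Constructed samples, re-typed from the two listings quoted in this thread:
# the first post's queue (0 dynamic queues) and the last post's (3 hosts).
SAMPLE_BROKEN = """\
00001: 400.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 5 pipe 1   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
"""
SAMPLE_WORKING = """\
00001:   1.500 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 1   50 sl. 3 queues (256 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 79 ip           0.0.0.0/0      192.168.42.31/0        1      229  0    0   0
 81 ip           0.0.0.0/0       192.168.42.1/0      103     6958  0    0   0
 82 ip           0.0.0.0/0       192.168.42.2/0       95    27837  0    0   0
"""

# "NNNNN:" is a pipe, "qNNNNN:" a queue; the number before "queues" is the
# count of dynamic per-flow queues created under the mask.
HEAD_RE = re.compile(
    r"^(q?)(\d{5}):\s+(.*?)\s+\d+\s+sl\.\s+(\d+)\s+queues\s+\((\d+)\s+buckets\)")
# mask: proto  src-ip/src-port -> dst-ip/dst-port
MASK_RE = re.compile(
    r"^\s*mask:\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)/0x[0-9a-f]+\s+->\s+(0x[0-9a-f]+)/",
    re.I)
# BKT Prot Source/port Dest/port Tot_pkt Tot_bytes Pkt Byte Drp
FLOW_RE = re.compile(
    r"^\s*\d+\s+\S+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s*$")


def parse_pipe_list(text):
    """Parse `ipfw pipe list` text into one dict per static pipe or queue."""
    objects, cur = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            cur = {"kind": "queue" if m.group(1) else "pipe",
                   "id": int(m.group(2)), "config": m.group(3),
                   "dyn_count": int(m.group(4)), "buckets": int(m.group(5)),
                   "src_mask": 0, "dst_mask": 0, "flows": []}
            objects.append(cur)
            continue
        if cur is None:
            continue  # prompt line or other text before the first object
        m = MASK_RE.match(line)
        if m:
            cur["src_mask"] = int(m.group(1), 16)
            cur["dst_mask"] = int(m.group(2), 16)
            continue
        m = FLOW_RE.match(line)
        if m:
            cur["flows"].append({"src": m.group(1), "dst": m.group(2),
                                 "tot_pkts": int(m.group(3)),
                                 "tot_bytes": int(m.group(4)),
                                 "drops": int(m.group(5))})
    return objects


def per_host_bytes(obj):
    """Total bytes per host, keyed by whichever address the mask selects."""
    side = "dst" if obj["dst_mask"] else "src"
    return {f[side]: f["tot_bytes"] for f in obj["flows"]}


def findings(objects):
    """Flag masked pipes/queues that show no dynamic per-host queues."""
    out = []
    for o in objects:
        if (o["src_mask"] or o["dst_mask"]) and o["dyn_count"] == 0:
            out.append(f'{o["kind"]} {o["id"]}: mask set but 0 dynamic queues; '
                       "no traffic is reaching it (rule not matching, or idle)")
        elif o["dyn_count"] != len(o["flows"]):
            out.append(f'{o["kind"]} {o["id"]}: header says {o["dyn_count"]} '
                       f'queues, {len(o["flows"])} rows parsed')
    return out


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("working", SAMPLE_WORKING)):
        objs = parse_pipe_list(text)
        print(name, findings(objs), [per_host_bytes(o) for o in objs])
```

On a live firewall the input would be the captured text of `ipfw pipe list` rather than the embedded samples.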