From owner-freebsd-ipfw Thu Sep 26 12:38:51 2002
Date: Thu, 26 Sep 2002 20:21:26 +0100 (WEST)
From: Luis Almeida
To: freebsd-ipfw@freebsd.org
Cc: laa@ipt.pt
Subject: dummynet traffic shaping + nat + rc.firewall ?
Message-ID: <20020926201014.Q4135-100000@orion.ipt.pt>

Hello

Sorry if this mailing-list is just for developer people!

Can anyone suggest the cause (or solution) for the following problem?

I have set up a FreeBSD 4.6.2 box to act as a gateway (NAT + IPFW with 2 NICs).
I tried to use dummynet to shape the traffic and I created two pipes to
control the upload and the download traffic (both pipes with the same
bandwidth). I am using the rc.firewall file (simple) to set up the ipfw
rules:

${fwcmd} add pipe 10 all from 192.168.1.0/24 to any out via ${oif}
${fwcmd} add pipe 20 all from any to 192.168.1.0/24 in via ${oif}
${fwcmd} pipe 10 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
${fwcmd} pipe 20 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes

The firewall and NAT run OK.

The problem is that I can limit the download traffic, but the upload
traffic is higher and not the same (it seems that the upload traffic does
not pass through pipe 10).

----------------------------------------------------------------------
calypso# ipfw pipe show
00010: 200.000 Kbit/s    0 ms  20 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00020: 200.000 Kbit/s    0 ms  20 KB 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 51 ip           0.0.0.0/0             0.0.0.51/0     8564  1122119  0    0  43
----------------------------------------------------------------------

Is there any right place to put those pipes in rc.firewall (i.e. after or
before the divert rule)?

Is there any conflict between the nat divert rule and (mask src-ip 0x000000ff)?

Thank you for your help,

Bye
Luis
email: laa@ipt.pt

------------------------My rc.firewall------------------------
firewall_type="simple"

[Ss][Ii][Mm][Pp][Ll][Ee])
    ############
    # This is a prototype setup for a simple firewall.  Configure this
    # machine as a named server and ntp server, and point all the machines
    # on the inside at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="fxp0"
    onet="193.137.5.0"
    omask="255.255.255.0"
    oip="193.137.5.9"

    # set these to your inside interface network and netmask and ip
    iif="fxp1"
    inet="192.168.1.0"
    imask="255.255.255.0"
    iip="192.168.1.1"

    setup_loopback

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # Network Address Translation.  This rule is placed here deliberately
    # so that it does not interfere with the surrounding address-checking
    # rules.  If for example one of your internal LAN machines had its IP
    # address set to 192.0.2.1 then an incoming packet for it after being
    # translated by natd(8) would match the `deny' rule above.  Similarly
    # an outgoing packet originated from it before being translated would
    # match the `deny' rule below.
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

    ${fwcmd} add pipe 10 all from 192.168.1.0/24 to any out via ${oif}
    ${fwcmd} add pipe 20 all from any to 192.168.1.0/24 in via ${oif}
    ${fwcmd} pipe 10 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
    ${fwcmd} pipe 20 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    ${fwcmd} add pass tcp from any to ${oip} 53 setup
    ${fwcmd} add pass udp from any to ${oip} 53
    ${fwcmd} add pass udp from ${oip} 53 to any

    # Allow access to our WWW
    ${fwcmd} add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from ${oip} to any 53 keep-state

    # Allow NTP queries out in the world
    ${fwcmd} add pass udp from ${oip} to any 123 keep-state

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.
    ;;

----------------------------my rc.conf----------------------------
defaultrouter="193.137.5.1"
gateway_enable="YES"
hostname="calypso.ipt.pt"
ifconfig_fxp0="inet 193.137.5.9 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
keymap="pt.iso.acc"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="NO"
inetd_enable="NO"
firewall_enable="YES"
firewall_type="simple"
firewall_quiet="NO"
firewall_logging="NO"
firewall_flags=""
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""
named_enable="YES"
# --- laa secure stuff
portmap_enable="NO"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_drop_synfin="YES"
--------------------------

thanks
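An added example, not code from the post above or from FreeBSD's own rc.firewall: the two dummynet pipe rules arranged around the natd divert rule so that each rule is evaluated while the address it matches on is still in the packet (the outbound rule before natd rewrites the 192.168.1.x source, the inbound rule after natd has restored the 192.168.1.x destination). It assumes the post's interface name and inside network, and defaults fwcmd to echo so that it runs as a dry run which only prints the rules it would load.

```shell
#!/bin/sh
# Dry run by default: set fwcmd=ipfw to load the rules for real.
fwcmd="${fwcmd:-echo}"
oif="fxp0"              # outside interface from the post
inet="192.168.1.0/24"   # inside network from the post

shaping_rules() {
    # Outbound pipe BEFORE the divert rule: at this point the packet still
    # carries its 192.168.1.x source address. Once natd has rewritten the
    # source to the outside address, "from 192.168.1.0/24" cannot match.
    ${fwcmd} add pipe 10 all from ${inet} to any out via ${oif}

    ${fwcmd} add divert natd all from any to any via ${oif}

    # Inbound pipe AFTER the divert rule: natd has already rewritten the
    # destination from the outside address back to the 192.168.1.x host,
    # so the rule matches and the dst-ip mask can queue per host.
    ${fwcmd} add pipe 20 all from any to ${inet} in via ${oif}

    # Pipe parameters do not depend on rule order.
    ${fwcmd} pipe 10 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
    ${fwcmd} pipe 20 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
}

# Ordering check, always run against a printed (echo) copy of the rule set:
# returns 0 when the outbound pipe rule precedes the divert rule and the
# inbound pipe rule follows it.
order_is_correct() {
    ( fwcmd=echo; shaping_rules ) | awk '
        /add pipe 10/ { p10 = NR }
        /add divert/  { div = NR }
        /add pipe 20/ { p20 = NR }
        END { exit !(p10 && div && p20 && p10 < div && div < p20) }'
}

order_is_correct && echo "order: pipe 10 -> divert natd -> pipe 20 (OK)"
```

Once rules in this order are loaded, `ipfw pipe show` should report a queue for pipe 10 as soon as an inside host has sent traffic out, instead of the "0 queues" seen above.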