From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 23 11:05:03 2003
From: Sean Hafeez
To: freebsd-ipfw@freebsd.org
Date: Sun, 23 Nov 2003 11:05:04 -0800
Subject: Shaping 2 types of traffic?
List-Id: IPFW Technical Discussions

I am currently shaping all outbound and inbound users to 1mb via this:

    ipfw add 999 divert natd all from any to any via rl0
    ipfw add pipe 1 ip from any to any in recv rl1
    ipfw add pipe 2 ip from any to any out xmit rl1
    ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
    ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

rl0 is the external interface and rl1 is the internal one.

Now what I would like to do is apply a different shaping to ICMP traffic while still limiting everyone's individual total to 1mb. The reason for this is that we are having virus issues and I want to shape all ICMP to 64k vs. blocking it all.

Thanks!
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 24 08:59:53 2003
From: michael
To: Vahric MUHTARYAN
cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 24 Nov 2003 17:52:41 +0100
Subject: ipfw samples, help follows.....

http://msresearch.ma.cx/ipfw

EHLO @ALL,

last week I said that I would make a page for ipfw samples and related material. Now it's time to say yes, it works... At this time please excuse me, I am a little bit busy... I have created only a directory with the first samples... time... This is the first step... Later follow scripts with accounting, a very simple, maybe useful client firewall, descriptions of rules, nat/dnat... If my time allows, I will later put configurations from servers here (not real ones; maybe the way to have a ... server with ... goes to ...).
I will make howtos for useful systems. Maybe... *wake up*, I can not do anything! I will only support questions related to FreeBSD, no other *nix *nux *bsd *BSD! And never, never, never will I give support for M$ products at this point... these may be good things }8-) , but not for me!

Back to reality.... http://msresearch.ma.cx/ipfw

At this time I must build a new firewall.... the scripts can be found at the link above.

My contact for questions or help or or or... michael@nettmail.de

best regards
michael

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 24 10:42:06 2003
From: Alexander Motin
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Date: Mon, 24 Nov 2003 20:42:04 +0200
Subject: Is this a bug?

Hi!

Alexander Motin wrote:
> I have one strange problem with dummynet & IP fragmentation.
>
> I have a FreeBSD 4.8-RELEASE router with a few interfaces:
> em0: flags=8843 mtu 1500
>         options=3
>         inet 195.248.191.172 netmask 0xffffffc0 broadcast 195.248.191.191
>         ether 00:30:48:20:8e:7e
>         media: Ethernet autoselect (1000baseTX )
>         status: active
> ng4: flags=88d1 mtu 1492
>         inet 195.248.191.172 --> 212.86.231.58 netmask 0xffffffff
>
> Interface ng4 has MTU 1492 because it is a PPPoE link.
> When I do not use dummynet on the router and somebody sends a big
> (>1492 bytes) packet to 212.86.231.58 with the DontFragment flag set, the
> router generates an ICMP reply message (Fragmentation Needed). This is correct.
>
> But when I use dummynet on that interface:
> 10170 pipe 10009 ip from any to any out xmit ng4
> 10175 allow ip from any to any via ng4
>
> 10009: 128.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 udp    195.248.191.65/53    212.86.231.58/1118   50965 28380582  0    0 143
>
> the router stops sending those ICMP messages. The pipe is not overflowed at
> that time, it is empty.

I rechecked this on another router on an Ethernet (rl0) interface. When I set MTU 1400 on the rl0 interface I could see the generated ICMP messages:

    20:27:23.660470 dp3-w-com.alkar.net.ftp-data > pc.mavhome.dp.ua.1100: . 1027:2487(1460) ack 1 win 58400 (DF)
    20:27:23.660580 router.mavhome.dp.ua > dp3-w-com.alkar.net: icmp: pc.mavhome.dp.ua unreachable - need to frag (mtu 1400) (DF)

But when I configure an outgoing pipe on this interface:

    ipfw pipe 2 config bw 64kbit/s
    ipfw add 1000 pipe 2 all from any to any out via rl0

I get the problem:

    20:29:32.778561 DP6-W-CUS.alkar.net.4522 > pc.mavhome.dp.ua.1103: . 1025:2485(1460) ack 1 win 58400 (DF)
    20:29:35.080903 DP6-W-CUS.alkar.net.4522 > pc.mavhome.dp.ua.1103: . 1025:2485(1460) ack 1 win 58400 (DF)
    20:29:39.274113 DP6-W-CUS.alkar.net.4522 > pc.mavhome.dp.ua.1103: . 1025:2485(1460) ack 1 win 58400 (DF)
    20:29:47.306847 DP6-W-CUS.alkar.net.4522 > pc.mavhome.dp.ua.1103: . 1025:2485(1460) ack 1 win 58400 (DF)

Hey, developers! Where are you? Can anybody comment on this?

--
Alexander Motin

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 24 11:04:17 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 24 Nov 2003 11:01:49 -0800 (PST)
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216 ipfw  kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557 ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080 ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564 ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959  ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984 ipfw  [patch] time based firewalling support fo

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 24 18:44:36 2003
From: "Damon"
Date: Mon, 24 Nov 2003 20:51:06 -0600
Subject: ipfw2 + dummynet : using bw and queues

I want to be able to do the following and need some help creating rules.

I want traffic to be limited for each individual IP. The amount of bandwidth is determined by a level of service. For example:

    # Bandwidth pipes. The mask selects the address that identifies the
    # customer, so each customer gets a pipe of its own: dst-ip on the pipes
    # used for traffic to the customer (x0), src-ip on the pipes used for
    # traffic from the customer (x1).
    ipfw pipe 10 config mask dst-ip 0xffffffff bw 256kbits/s
    ipfw pipe 11 config mask src-ip 0xffffffff bw 128kbits/s
    ipfw pipe 20 config mask dst-ip 0xffffffff bw 384kbits/s
    ipfw pipe 21 config mask src-ip 0xffffffff bw 384kbits/s
    ipfw pipe 30 config mask dst-ip 0xffffffff bw 512kbits/s
    ipfw pipe 31 config mask src-ip 0xffffffff bw 512kbits/s

    # Create traffic filters for Tier 3 IPs
    ipfw add pipe 30 tcp from any to 1.2.3.0/24{51,52} out xmit ${outintf}
    ipfw add pipe 31 tcp from 1.2.3.0/24{51,52} to any in recv ${outintf}

    # Create traffic filters for Tier 2 IPs
    ipfw add pipe 20 tcp from any to 1.2.3.0/24{61,62} out xmit ${outintf}
    ipfw add pipe 21 tcp from 1.2.3.0/24{61,62} to any in recv ${outintf}

    # Create traffic filters for Tier 1 IPs
    ipfw add pipe 10 tcp from any to 1.2.3.0/24{71,72} out xmit ${outintf}
    ipfw add pipe 11 tcp from 1.2.3.0/24{71,72} to any in recv ${outintf}

Does that config look reasonable to everyone? Is there a way to limit total bw up/down using one pipe for each tier?

Now I also want to throttle certain types of traffic which I will identify using port numbers. For example:

    # Bandwidth pipe
    ipfw pipe 10 config bw 1500kbits/s

    # high-priority queue
    ipfw queue 90 config pipe 10 weight 90

    # low-priority queue
    ipfw queue 10 config pipe 10 weight 10

    # Define high-priority traffic
    #   SSH 22
    #   DNS 53
    #   Windows Remote Desktop 3389
    HighPriorityPorts="22,53,3389"

    # Create traffic filters for high-priority queues
    ipfw add queue 90 tcp from any to any ${HighPriorityPorts} out xmit ${outintf}
    ipfw add queue 90 tcp from any ${HighPriorityPorts} to any in recv ${outintf}

    # Define low-priority traffic
    #   Several file sharing networks 6346
    #   Kazaa 1214
    #   GNUtella 6346,6347
    #   Napster 8875
    #   Hotline 5500-5503
    #   SoulSeek 2234,5534
    LowPriorityPorts="6969,6346,6347,5500-5503,2234,5534,1214,8875"

    # Create traffic filters for low-priority queues
    ipfw add queue 10 tcp from any to any ${LowPriorityPorts} out xmit ${outintf}
    ipfw add queue 10 tcp from any ${LowPriorityPorts} to any in recv ${outintf}

Does this also look reasonable?

Real question: I want a way to do both types of traffic shaping. Suggestions are welcome. I would like to be able to limit each user to their tier, but also, if the TOTAL bw (not just this user's) gets near capacity, the queue will start to prioritize traffic.

Thanks in advance and sorry for the long post. I will post the resulting config file when we get a reasonable solution.
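What Damon asks for in his last paragraph and what Sean asked for at the top of this digest have the same shape: a per-host cap that stays in force, plus a second treatment applied to the same packets (a 64 kbit/s ICMP sub-cap in Sean's case, priority classes on the shared link in Damon's). Dummynet can do this when a packet is allowed to pass through more than one pipe, which is what net.inet.ip.fw.one_pass=0 enables: a packet leaving a pipe re-enters the ruleset at the rule after the one that sent it there. The script below is an added worked example written for this page, not code from either post. It prints the ipfw commands for a two-stage layout (per-host pipes first, then weighted queues on a link-speed pipe). The interface name, tier rates, port lists and customer addresses in it are assumptions modelled on the two posts; on a real router the natd divert rule and any filtering rules would go in front of it.

```sh
#!/bin/sh
# Added example (editor's, not from the posts): two dummynet stages chained
# through net.inet.ip.fw.one_pass=0. Stage 1 caps each host (and ICMP per
# host); stage 2 shares the link between priority classes. Interface name,
# rates, ports and the customer addresses are assumptions modelled on the
# posts. With FWCMD unset the script only prints the commands.
FWCMD="${FWCMD:-echo ipfw}"      # FWCMD=/sbin/ipfw on the router
SYSCTL="${SYSCTL:-echo sysctl}"  # SYSCTL=/sbin/sysctl on the router
IIF="${IIF:-rl1}"                # LAN-facing interface: the real client
                                 # addresses are visible here in both
                                 # directions, whatever natd does on rl0
LINK_KBIT="${LINK_KBIT:-1500}"   # capacity of the shared link

# Tier table (constructed sample): "<pipe base> <kbit/s> <customer set>".
# Sean's flat "everyone 1 Mbit/s" is the one-row table "10 1024 any".
TIERS='10 256 1.2.3.0/24{71,72}
20 384 1.2.3.0/24{61,62}
30 512 1.2.3.0/24{51,52}'
HI_PORTS="22,53,3389"
LO_PORTS="6969,6346,6347,5500-5503,2234,5534,1214,8875"

# One per-host pipe pair. The mask sits on the address that identifies the
# customer (dst-ip toward the LAN, src-ip from it), so dummynet spawns one
# pipe per host and the rate is a per-customer cap, not a shared pool.
per_host_pipes() { # $1 pipe base, $2 kbit/s, $3 address set, $4 rule number
    $FWCMD pipe "$1" config mask dst-ip 0xffffffff bw "${2}Kbit/s"
    $FWCMD pipe "$(($1 + 1))" config mask src-ip 0xffffffff bw "${2}Kbit/s"
    $FWCMD add "$4" pipe "$1" ip from any to "$3" out xmit "$IIF"
    $FWCMD add "$4" pipe "$(($1 + 1))" ip from "$3" to any in recv "$IIF"
}

build_rules() {
    # A packet leaving a pipe re-enters the ruleset at the next rule, so it
    # can be shaped by several pipes in turn (one_pass in ipfw(8)).
    $SYSCTL net.inet.ip.fw.one_pass=0
    $FWCMD -f flush
    $FWCMD -f pipe flush

    # Stage 1a: ICMP per host at 64 kbit/s. Rule 100 comes before the tier
    # rules, so the same ICMP packet falls through into its host's tier pipe
    # as well and still counts against that host's total.
    $FWCMD pipe 3 config mask dst-ip 0xffffffff bw 64Kbit/s
    $FWCMD pipe 4 config mask src-ip 0xffffffff bw 64Kbit/s
    $FWCMD add 100 pipe 3 icmp from any to any out xmit "$IIF"
    $FWCMD add 100 pipe 4 icmp from any to any in recv "$IIF"

    # Stage 1b: per-host tier caps (rules 200, 201, ...). Hosts in no tier
    # get no per-host cap, only the shared stage below.
    n=200
    echo "$TIERS" | while read -r base kbit hosts; do
        per_host_pipes "$base" "$kbit" "$hosts" "$n"
        n=$((n + 1))
    done

    # Stage 2: one pipe per direction at link speed, split by weighted
    # queues (WF2Q+). Weights only matter while the pipe is saturated; an
    # idle class's share is lent to the others, so this bites near capacity
    # and nowhere else. Each packet is classified once with skipto, and the
    # queue rule is followed by allow: without it the packet leaving the
    # queue would be re-injected into the next classification rule and
    # queued a second time.
    $FWCMD pipe 1 config bw "${LINK_KBIT}Kbit/s"   # toward the LAN
    $FWCMD pipe 2 config bw "${LINK_KBIT}Kbit/s"   # from the LAN
    for w in 90 50 10; do
        $FWCMD queue "1$w" config pipe 1 weight "$w"
        $FWCMD queue "2$w" config pipe 2 weight "$w"
    done
    # Toward the LAN the server-side port is the source port; from the LAN
    # it is the destination port.
    $FWCMD add 300 skipto 2190 tcp from any "$HI_PORTS" to any out xmit "$IIF"
    $FWCMD add 300 skipto 2290 tcp from any to any "$HI_PORTS" in recv "$IIF"
    $FWCMD add 301 skipto 2110 tcp from any "$LO_PORTS" to any out xmit "$IIF"
    $FWCMD add 301 skipto 2210 tcp from any to any "$LO_PORTS" in recv "$IIF"
    $FWCMD add 302 skipto 2150 ip from any to any out xmit "$IIF"
    $FWCMD add 302 skipto 2250 ip from any to any in recv "$IIF"
    # Anything not on the LAN interface stops here; the queue rules below
    # are reachable only through skipto.
    $FWCMD add 1000 allow ip from any to any
    for q in 190 150 110 290 250 210; do
        $FWCMD add "$((2000 + q))" queue "$q" ip from any to any
        $FWCMD add "$((2001 + q))" allow ip from any to any
    done
}

build_rules
```

Run it as is to review the generated rules; on the router set FWCMD=/sbin/ipfw and SYSCTL=/sbin/sysctl. Two caveats follow from the way dummynet and divert re-inject packets: keep the natd divert rule (Sean's rule 999 on rl0) numbered below 1000, so that a packet coming back from natd resumes at the allow in rule 1000 rather than inside the queue block, and keep rule 1000 in front of the queue rules for the same reason. The two-stage design also roughly doubles dummynet's per-packet work; on a busy box watch the drop counters in ipfw pipe show.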
Damon

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 25 02:25:54 2003
From: "Vahric MUHTARYAN"
Date: Tue, 25 Nov 2003 12:25:39 +0200
Subject: About setup and established Questions and log tracking Program

Hi Everybody,

I'm new to using ipfw... I have some questions about ipfw configuration. I made changes to the default configuration in rc.firewall for the simple type, but I don't understand something...

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${ip} 25 setup

I checked the man page of ipfw; setup matches packets that have the SYN bit or not.... The upper rule is accepting set-up connections, that's OK (please correct me if I'm wrong). The question is why I need to set the setup option on the second rule...
I mean I must open 25 (the smtp port) to all. What is the setup option's role...

Vahric

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 25 01:31:09 2003
From: "al vanyushenkov"
To: freebsd-ipfw@freebsd.org
Date: Tue, 25 Nov 2003 12:31:06 +0300
Subject: gray network and ipfw2

hi all,

i have freebsd 4.8 installed and i use ipfw2 with the rules

    #!/bin/sh
    ipfw='/sbin/ipfw'
    $ipfw -f flush
    $ipfw add divert natd all from any to any via ppp0
    $ipfw add allow log all from any to any

my local ethernet card has the ip address 192.168.133.7 and my ppp0 interface has a 217.15.x.x ip address.
when i tried to connect to 195.54.192.44:21 from my local box i got the lines

    Accept TCP 172.16.202.106:4802 195.54.192.44:21 out via ppp0
    Accept TCP 195.54.192.44:21 172.16.202.106:4802 in via ppp0

and so on. as i know, 172.16.0.0 are gray addresses and i haven't got any 172.16.x.x networks in my environment. Could anybody tell me what 172.16.202.106:4802 is doing in my log file?

Thanks
vanyushenkov al

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 25 06:45:19 2003
From: "Vahric MUHTARYAN"
Date: Tue, 25 Nov 2003 16:45:05 +0200
Subject: ICMP_BANDLIM and TCP_DROP_SYNFIN ?!

Hi Everybody,

I read the ipfw documents and I saw that "TCP_DROP_SYNFIN is not recommended for web server" with no explanation of it?! Do you have any idea why?!

ICMP_BANDLIM in the documents: "Enable icmp error response bandwidth limiting. This will protect from D.O.S.
packets attacks" --> Does it mean all types of ICMP attacks?! Or another thing: if I drop all icmp traffic, do I need to use it?!

Vahric

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 25 06:55:02 2003
From: Clement Laforet
To: "Vahric MUHTARYAN"
cc: freebsd-ipfw@freebsd.org
cc: freebsd-questions@freebsd.org
Date: Tue, 25 Nov 2003 15:55:11 +0100
Subject: Re: ICMP_BANDLIM and TCP_DROP_SYNFIN ?!
On Tue, 25 Nov 2003 16:45:05 +0200 "Vahric MUHTARYAN" wrote:
> Hi Everybody
>
> I read the ipfw documents and I saw that "TCP_DROP_SYNFIN is not
> recommended for web server" with no explanation of it ?! Do you have
> any idea why ?!

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=20365+0+archive/2001/freebsd-security/20011223.freebsd-security

clem

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 25 07:57:27 2003
From: "Vahric MUHTARYAN"
Date: Tue, 25 Nov 2003 17:57:12 +0200
Subject: Protecting HTTP Server from D.O.S attacks and Log Watching

Hi Everybody,

I want to protect my Web Server from D.O.S attacks, like people
making too many connections to my web server, for example for a buffer overflow. If I use the limit option of ipfw, is it possible, or is it the right way to protect?

For example:

    # ipfw add allow tcp from any to me 80 setup limit src-addr 30

And do you know any ipfw log analyzer instead of sawmill?! Sawmill can find all entries, but I think I have a problem with the log format or another thing, because I can't get any clear information?!

Thanks...

Vahric

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 25 09:11:47 2003
From: Jez Hancock
To: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 25 Nov 2003 17:11:42 +0000
Subject: Re: Protecting HTTP Server from D.O.S attacks and Log Watching

On Tue, Nov 25, 2003 at 05:57:12PM +0200, Vahric MUHTARYAN wrote:
> I want to protect my Web Server from D.O.S attacks like people
> making too many connections to my web server, for example for
> a buffer overflow.
> If I use the limit option of ipfw, is it possible, or is it the right way to
> protect?
>
> For example:
>
> # ipfw add allow tcp from any to me 80 setup limit src-addr 30

You could also use an apache module such as mod_throttle or mod_bwshare to throttle incoming connections to the httpd - presuming you're using apache. mod_throttle is in ports, mod_bwshare isn't.

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 26 12:43:45 2003
From: "Vector"
Date: Wed, 26 Nov 2003 13:42:31 -0700
Subject: multiple pipes cause slowdown
I've got a FreeBSD system set up and I'm using dummynet to manage bandwidth. Here is what I am seeing:

We are communicating with a server on a 100Mbit ethernet segment in the FreeBSD box as fxp0 and an 11Mbit wireless client that is getting throttled with ipfw pipes. If I add two pipes limiting my two clients A and B to 1Mbit each, then here is what happens:

Client A does a transfer to/from the server and gets 1Mbps up and 1Mbps down.
Client B does a transfer to/from the server and gets 1Mbps up and 1Mbps down.
Clients A & B do simultaneous transfers to the server and each get between 670 and 850 Kbps.

If I delete the pipes and the firewall rules, they behave like regular 11Mbit unthrottled clients sharing the available wireless bandwidth (although not necessarily equally). It gets worse when I start doing 3 or 4 clients each at 1Mbit. I've also tried setting up 4 clients at 512Kbps and the performance does the same thing; essentially it gets cut significantly the more pipes we have.

Here are the rules I'm using:

    ipfw add 100 pipe 100 all from any to 192.168.1.50 xmit wi0
    ipfw add 100 pipe 5100 all from 192.168.1.50 to any recv wi0
    ipfw pipe 100 config bw 1024Kbits/s
    ipfw pipe 5100 config bw 1024Kbits/s

    ipfw add 101 pipe 101 all from any to 192.168.1.51 xmit wi0
    ipfw add 101 pipe 5101 all from 192.168.1.51 to any recv wi0
    ipfw pipe 101 config bw 1024Kbits/s
    ipfw pipe 5101 config bw 1024Kbits/s

I've played with using in/out instead of recv/xmit and even not specifying a direction at all (which makes traffic to the client get cut in half, but traffic from the client remains as high as if I specify which interface to throttle on). ipfw pipe list shows no dropped packets and looks like it's behaving normally, other than the slowdown for multiple clients. I'm not specifying a delay and latency does not seem abnormally high.
I am using 5.0-RELEASE and I have HZ=1000 compiled in the kernel. Here are my sysctl vars:

    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.autoinc_step: 100
    net.inet.ip.fw.one_pass: 0
    net.inet.ip.fw.debug: 0
    net.inet.ip.fw.verbose: 0
    net.inet.ip.fw.verbose_limit: 1
    net.inet.ip.fw.dyn_buckets: 256
    net.inet.ip.fw.curr_dyn_buckets: 256
    net.inet.ip.fw.dyn_count: 2
    net.inet.ip.fw.dyn_max: 4096
    net.inet.ip.fw.static_count: 72
    net.inet.ip.fw.dyn_ack_lifetime: 300
    net.inet.ip.fw.dyn_syn_lifetime: 20
    net.inet.ip.fw.dyn_fin_lifetime: 1
    net.inet.ip.fw.dyn_rst_lifetime: 1
    net.inet.ip.fw.dyn_udp_lifetime: 10
    net.inet.ip.fw.dyn_short_lifetime: 5
    net.inet.ip.fw.dyn_keepalive: 1
    net.link.ether.bridge_ipfw: 0
    net.link.ether.bridge_ipfw_drop: 0
    net.link.ether.bridge_ipfw_collisions: 0
    net.link.ether.bdg_fw_avg: 0
    net.link.ether.bdg_fw_ticks: 0
    net.link.ether.bdg_fw_count: 0
    net.link.ether.ipfw: 0
    net.inet6.ip6.fw.enable: 0
    net.inet6.ip6.fw.debug: 0
    net.inet6.ip6.fw.verbose: 0
    net.inet6.ip6.fw.verbose_limit: 1
    net.inet.ip.dummynet.hash_size: 64
    net.inet.ip.dummynet.curr_time: 99067502
    net.inet.ip.dummynet.ready_heap: 16
    net.inet.ip.dummynet.extract_heap: 16
    net.inet.ip.dummynet.searches: 0
    net.inet.ip.dummynet.search_steps: 0
    net.inet.ip.dummynet.expire: 1
    net.inet.ip.dummynet.max_chain_len: 16
    net.inet.ip.dummynet.red_lookup_depth: 256
    net.inet.ip.dummynet.red_avg_pkt_size: 512
    net.inet.ip.dummynet.red_max_pkt_size: 1500

Am I just doing something stupid, or does the dummynet/QoS implementation in FreeBSD need some work? If so, I may be able to help and contribute.
Thanks,
vec

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 28 02:21:22 2003
From: Robert Krasicki
To: freebsd-ipfw@freebsd.org
Date: Fri, 28 Nov 2003 11:21:20 +0100
Subject: bridge problem

Hello,

I have a problem with bridge & outgoing traffic. Exactly, I can't get ipfw to control my outgoing traffic from a box acting as a router.

e.g.
My external net: 219.122.12.144/28
FreeBSD box router IP: 219.122.12.146 (see ifconfig below)

Rules:
---
    ipfw add 100 allow ip from not 219.122.12.144/28 to me in
(the above one works fine. I am able to control incoming traffic.)

    ipfw add 101 allow ip from me to any out
(ipfw is ignoring this rule.. no traffic is controlled by this one)

    ipfw add 102 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 out
(failed, ipfw is ignoring this rule too..
By this rule I meant to control traffic from bridged LAN users to Internet)

I found out that I can achieve the same by:

ipfw add 102 allow ip from 219.122.12.144/28 to not 219.122.12.144/28 in via bge0
(It works, so now I control incoming traffic from users via bge0).

other rules go here ...

The rules are in order as I wrote above. rule # 100 is the first rule ..(excluding lo ones)

That's ok, but what if I want to control the outgoing traffic from (eg. Web Service) on 219.122.12.146 ?

My settings are as follows:

OS:
---
FreeBSD box.foo.com 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #1:

Sysctls:
---
net.inet.ip.fw.one_pass: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.ipfw: 1
net.link.ether.bridge_cfg: bge0:1,ed0:1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0

Kernel options:
---
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options IPDIVERT
options DUMMYNET
options HZ=1000
options IPFIREWALL_DEFAULT_TO_ACCEPT

ed0: flags=8943 mtu 1500
        inet6 ff80::2d1:23ff:feef:3ad1%ed0 prefixlen 64 scopeid 0x1
        inet 219.122.12.146 netmask 0xfffffff0 broadcast 219.122.12.159
        inet 219.122.12.149 netmask 0xffffffff broadcast 219.122.12.149
        ether 00:c0:26:ef:3a:d4
bge0: flags=8943 mtu 1500
        options=1b
        inet6 fe80::20c:6eff:fe0f:7a6b%bge0 prefixlen 64 scopeid 0x2
        ether 00:0c:6e:0f:7a:6b
        media: Ethernet autoselect (100baseTX )
        status: active

Thank you for help!
Best Regards,
Jarek

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 28 08:09:14 2003
From: Nolan Orwan
To: freebsd-ipfw@freebsd.org
Date: Fri, 28 Nov 2003 09:09:20 -0700
Message-ID: <3FC77330.7010702@comcast.net>
In-Reply-To: <20031128102120.GB34837@toudi.cisovanet.pl>
Subject: Re: bridge problem II

I also have a bridge/firewall problem that I can't figure out.

My bridge/firewall box has two interface cards (NICs), one facing in and the other facing out. The inside NIC has an IP address of 10.1.1.10 and the outside one does not. Bridging works fine as between the inside subnet and the outside, meaning that boxes on the inside can communicate through the bridge to the outside and also communicate with the bridge/firewall box via its inside NIC.
The problem is I can't figure out what ipfw rule or rules will allow the inside NIC to send and receive traffic to the outside. Can this even be done?

Tim

P.S. I'm using the generic 4.8 kernel with its standard ipfw, dummynet, and bridge kernel modules.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 28 14:44:34 2003
From: Haesu
To: Vector, freebsd-ipfw@freebsd.org
Date: Fri, 28 Nov 2003 17:44:36 -0500
Message-ID: <20031128224436.GA97746@scylla.towardex.com>
In-Reply-To: <054c01c3b45d$d0cc8b50$fe3d10ac@VECTOR>
Subject: Re: multiple pipes cause slowdown

try doing src-port 0xFFFF ?

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033 | POC: HAESU-ARIN

On Wed, Nov 26, 2003 at 01:42:31PM -0700, Vector wrote:
> I've got a FreeBSD system setup and I'm using dummynet to manage bandwidth.
> Here is what I am seeing:
>
> We are communicating with a server on a 100Mbit ethernet segment in the
> freebsd box as fxp0 and an 11Mbit wireless client that is getting throttled
> with ipfw pipes.
> If I add two pipes limiting my two clients A and B to 1Mbit each then here
> is what happens.
>
> Client A does a transfer to/from the server and gets 1Mbps up and 1Mbps down
> Client B does a transfer to/from the server and gets 1Mbps up and 1Mbps down
> Clients A & B do simultaneous transfers to the server and each get between
> 670 and 850 Kbps
>
> If I delete the pipes and the firewall rules, they behave like regular
> 11Mbit unthrottled clients sharing the available wireless bandwidth
> (although not necessarily equally).
>
> It gets worse when I start doing 3 or 4 clients each at 1Mbit, I've also
> tried setting up 4 clients at 512Kbps and the performance does the same
> thing, essentially gets cut significantly the more pipes we have. Here are
> the rules I'm using:
>
> ipfw add 100 pipe 100 all from any to 192.168.1.50 xmit wi0
> ipfw add 100 pipe 5100 all from 192.168.1.50 to any recv wi0
> ipfw pipe 100 config bw 1024Kbits/s
> ipfw pipe 5100 config bw 1024Kbits/s
>
> ipfw add 101 pipe 101 all from any to 192.168.1.51 xmit wi0
> ipfw add 101 pipe 5101 all from 192.168.1.51 to any recv wi0
> ipfw pipe 101 config bw 1024Kbits/s
> ipfw pipe 5101 config bw 1024Kbits/s
>
> I've played with using in/out instead of recv/xmit and even not specifying a
> direction at all (which makes traffic to the client get cut in half but
> traffic from the client remains as high as if I specify which interface to
> throttle on). ipfw pipe list shows no dropped packets and looks like it's
> behaving normally, other than the slowdown for multiple clients. I'm not
> specifying a delay and latency does not seem abnormally high.
>
> I am using 5.0 Release and I have HZ=1000 compiled in the kernel.
> Here are my sysctl vars:
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.debug: 0
> net.inet.ip.fw.verbose: 0
> net.inet.ip.fw.verbose_limit: 1
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 2
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.static_count: 72
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_keepalive: 1
> net.link.ether.bridge_ipfw: 0
> net.link.ether.bridge_ipfw_drop: 0
> net.link.ether.bridge_ipfw_collisions: 0
> net.link.ether.bdg_fw_avg: 0
> net.link.ether.bdg_fw_ticks: 0
> net.link.ether.bdg_fw_count: 0
> net.link.ether.ipfw: 0
> net.inet6.ip6.fw.enable: 0
> net.inet6.ip6.fw.debug: 0
> net.inet6.ip6.fw.verbose: 0
> net.inet6.ip6.fw.verbose_limit: 1
>
> net.inet.ip.dummynet.hash_size: 64
> net.inet.ip.dummynet.curr_time: 99067502
> net.inet.ip.dummynet.ready_heap: 16
> net.inet.ip.dummynet.extract_heap: 16
> net.inet.ip.dummynet.searches: 0
> net.inet.ip.dummynet.search_steps: 0
> net.inet.ip.dummynet.expire: 1
> net.inet.ip.dummynet.max_chain_len: 16
> net.inet.ip.dummynet.red_lookup_depth: 256
> net.inet.ip.dummynet.red_avg_pkt_size: 512
> net.inet.ip.dummynet.red_max_pkt_size: 1500
>
> Am I just doing something stupid or does the dummynet/QoS implementation in
> FreeBSD need some work. If so, I may be able to help and contribute.
> Thanks,
>
> vec

From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 29 03:07:43 2003
From: Sean Hafeez
To: freebsd-ipfw@freebsd.org
Date: Sat, 29 Nov 2003 03:07:31 -0800
Message-Id: <3A04E74D-225C-11D8-98F0-003065F1EE08@edgefocus.com>
Subject: MAN page example vs. this?
the man page has this example:

ipfw add pipe 1 ip from 192.168.2.0/24 to any out
ipfw add pipe 2 ip from any to 192.168.2.0/24 in
ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes

the man page says this does:

...is limiting the outbound traffic on a net with per-host limits, rather than per-network limits...

my first question is: is this just outbound? seems to me that pipe 1 is the outbound limit and pipe 2 is an inbound limit? so this is a symmetric link? am i reading this wrong?

second, the mask only applies to the last octet of the ip address (ff) - correct? so each host, both outbound user and its upstream target (i.e. www.cnn.com)?

now here is what i got from somewhere else. i am limiting each host (ip address) to 200kbits/s. rl1 is the internal interface to the users.

ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s

are these 2 examples functionally the same? if not, what is the difference?

also in the first example, if the network was changed to 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0)? it is a reverse mask like a cisco, right?

thanks for your time!
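An added example, written for this archive page and not part of any message in the thread, that works through the mask arithmetic behind the two questions above (the man page example with `mask src-ip 0x000000ff` and the per-client pipes earlier in the thread). A dummynet flow mask selects the address bits used to tell flows apart: for one flow per host inside a prefix it is the host bits, i.e. the complement of the netmask and the same value as a Cisco wildcard mask, so /24 gives 0x000000ff and /23 gives 0x000001ff. The script also shows the consequence of a mask narrower than 0xffffffff: two addresses from different networks that agree in the masked bits land in the same flow and share one dynamic pipe, which only does no harm when the rule itself is already restricted to one network. Function names and the sample addresses are mine, not the thread's.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the mailing-list thread). All names here are my own.


def host_mask(prefix_len: int) -> int:
    """dummynet flow mask giving one flow per host inside a /prefix_len network.

    The mask is the set of host bits, i.e. the complement of the netmask
    (the same value as a Cisco wildcard mask): /24 -> 0x000000ff, /23 -> 0x000001ff.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return (1 << (32 - prefix_len)) - 1


def mask_from_netmask(netmask: str) -> int:
    """Same value starting from a dotted netmask, e.g. '255.255.254.0' -> 0x000001ff."""
    return 0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))


def flow_key(addr: str, mask: int) -> int:
    """The value dummynet distinguishes flows by: the address ANDed with the mask."""
    return int(ipaddress.IPv4Address(addr)) & mask


def group_flows(addrs, mask: int) -> dict:
    """Map each flow key to the addresses that would share one dynamic pipe/queue."""
    groups = defaultdict(list)
    for a in addrs:
        groups[flow_key(a, mask)].append(a)
    return dict(groups)


def pipe_config(pipe: int, field: str, mask: int, bw: str) -> str:
    """Render the matching 'ipfw pipe N config' line (field is 'src-ip' or 'dst-ip')."""
    if field not in ("src-ip", "dst-ip"):
        raise ValueError("field must be src-ip or dst-ip")
    return f"ipfw pipe {pipe} config mask {field} 0x{mask:08x} bw {bw}"


if __name__ == "__main__":
    # Constructed sample addresses: two hosts on different networks that share
    # the same last octet, plus a second host on the first network.
    sample = ["192.168.2.5", "10.0.0.5", "192.168.2.6"]
    for prefix in (24, 23, 32):
        print(f"/{prefix}: mask 0x{host_mask(prefix):08x}")
    print("255.255.254.0 ->", hex(mask_from_netmask("255.255.254.0")))
    print("last-octet mask:", group_flows(sample, 0x000000FF))  # 192.168.2.5 and 10.0.0.5 collide
    print("full mask:      ", group_flows(sample, 0xFFFFFFFF))  # three separate flows
    print(pipe_config(1, "src-ip", host_mask(23), "200Kbit/s"))
```

Read against the thread: the man page's `0x000000ff` is enough only because its rule already matches `192.168.2.0/24`, so the upper three octets are identical for every packet that reaches the pipe; the `from any to any ... recv rl1` variant sees whatever source addresses arrive on rl1, which is why it uses the full `0xffffffff` mask. One mask-based pipe per direction also replaces a pair of hand-written pipes per client, since dummynet creates a separate dynamic queue for each distinct flow key.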