Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 15 Mar 2008 21:00:56 +0000
From:      "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To:        freebsd-questions@freebsd.org
Subject:   IPFW / Dummynet problem
Message-ID:  <47DC3908.2000604@jcornwall.me.uk>

next in thread | raw e-mail | index | archive | help
Hi,

My FreeBSD machine is configured as a bridge between two networks:

|-----|                                |-----|
| LAN | ---> vr0 <--bridge0--> vr1 --> | WAN |
|-----|                                |-----|

The following firewall ruleset works fine:

add 00600 allow all from any to any via vr0 keep-state
add 00610 allow tcp from any to any 22 in via vr1 setup keep-state
add 00611 allow tcp from any to any 23 in via vr1 setup keep-state
add 00612 allow tcp from any to any 113 in via vr1 setup keep-state
add 00613 allow icmp from any to any icmptypes 11
add 00620 check-state
add 00630 deny all from any to any via vr1
add 00640 allow all from 192.168.1.30 to any
add 00641 allow all from any to 192.168.1.30

I then add the following dummynet rules before these. The LAN continues
to work (queueing is only applied to the vr1 WAN interface), the WAN
continues to work from the bridge machine itself (192.168.1.30) but
outbound HTTP connections from any client on the LAN fail.

pipe 1 config bw 2Mbit/s queue 1
pipe 2 config bw 256Kbit/s queue 1
queue 1 config weight 10 pipe 1 queue 20 mask dst-ip 0xffffffff
queue 2 config weight 10 pipe 2 queue 20 mask src-ip 0xffffffff
queue 3 config weight 2 pipe 1 queue 100 mask dst-ip 0xffffffff
queue 4 config weight 2 pipe 2 queue 10 mask src-ip 0xffffffff
queue 5 config weight 1 pipe 1 queue 100 mask dst-ip 0xffffffff
queue 6 config weight 1 pipe 2 queue 10 mask src-ip 0xffffffff
add 00500 queue 1 tcp from any to any in via vr1 tcpflags ack iplen 0-52
add 00501 queue 2 tcp from any to any out via vr1 tcpflags ack iplen 0-52
add 00510 queue 3 udp from any to any in via vr1
add 00511 queue 4 udp from any to any out via vr1
add 00512 queue 3 tcp from any to any 22 in via vr1
add 00513 queue 4 tcp from any to any 22 out via vr1
add 00514 queue 3 tcp from any to any 993 in via vr1
add 00515 queue 4 tcp from any to any 993 out via vr1
add 00520 queue 5 all from any to any in via vr1
add 00521 queue 6 all from any to any out via vr1

I don't understand how queueing rules could affect the passing of any
packet, except in delay? They do seem to match the queueing rules, e.g.
rules 00520 and 00521 accumulate packets as connection attempts are
made. Outbound packets even seem to pass to the WAN, so I can only
assume it is an inbound/stateful problem?

00100  52   4548 allow ip from any to any via lo0
00200   0      0 deny ip from any to 127.0.0.0/8
00300   0      0 deny ip from 127.0.0.0/8 to any
00500  30   1420 queue 1 tcp from any to any in via vr1 tcpflags ack
iplen 0-52
00501   9    390 queue 2 tcp from any to any out via vr1 tcpflags ack
iplen 0-52
00510   2    152 queue 3 udp from any to any in via vr1
00511   7    528 queue 4 udp from any to any out via vr1
00512   0      0 queue 3 tcp from any to any dst-port 22 in via vr1
00513   0      0 queue 4 tcp from any to any dst-port 22 out via vr1
00514   0      0 queue 3 tcp from any to any dst-port 993 in via vr1
00515  18   1228 queue 4 tcp from any to any dst-port 993 out via vr1
00520  26   1988 queue 5 ip from any to any in via vr1
00521  17    964 queue 6 ip from any to any out via vr1
00600 163  10082 allow ip from any to any via vr0 keep-state
00610   0      0 allow tcp from any to any dst-port 22 in via vr1 setup
keep-state
00611   0      0 allow tcp from any to any dst-port 23 in via vr1 setup
keep-state
00612   0      0 allow tcp from any to any dst-port 113 in via vr1 setup
keep-state
00613   0      0 allow icmp from any to any icmptypes 11
00620   0      0 check-state
00630   0      0 deny ip from any to any via vr1
00640 405 102681 allow ip from 192.168.1.30 to any
00641 647  48255 allow ip from any to 192.168.1.30
65535  18   3086 deny ip from any to any

Thanks for any light you can shed on this.

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47DC3908.2000604>