Date:      Sun, 7 Nov 2004 18:38:25 +1100
From:      LD <ldsift-applels@yahoo.com.au>
To:        Bob Ababurko <bob@phreakout.net>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: assistance dummynet config
Message-ID:  <025C3D0D-3090-11D9-81C4-0005025E2371@yahoo.com.au>
In-Reply-To: <6.0.3.0.0.20041103152300.02238ec0@dreadlock.phreakout.net>
References:  <6.0.3.0.0.20041101123154.02265a08@mail.dc2.adelphia.net> <6.0.3.0.0.20041103152300.02238ec0@dreadlock.phreakout.net>

Hi there,

I have a question of my own which is similar to yours - but figure that 
(as you've noted) if others' questions are not being answered I 
might also find myself answering my own questions.

So, though I'm also new to the FreeBSD world - I'll throw some food for 
thought into the mix from what I've read.

See below...

On 04/11/2004, at 8:10 AM, Bob Ababurko wrote:

>> What I am trying to accomplish with this dummynet config is give 
>> priority to udp traffic, namely dns and tcp ack's so that I can send 
>> mail to our clients' announcement list, as fast and efficiently as 
>> possible without congestion.  So basically, I need this machine to be 
>> able to make dns lookups without a problem and I need the acks to 
>> get back to my machine so that the SMTP conversation can take place 
>> without latency.  I am not sure if I have taken all that I need into 
>> consideration, but for now I could use some constructive criticism in 
>> terms of making it better.
>>
>> Using FreeBSD 5.2.1, I have:
>>
>> /etc/sysctl.conf :
>> net.inet.ip.fw.one_pass=0
>>
>> /etc/rc.conf :
>> firewall_enable="YES"
>> firewall_script="/etc/rc.dummynet"
>> firewall_type="open"
>> firewall_logging="YES"
>>
>> /etc/rc.dummynet :
>> ipfw -f flush
>> ipfw pipe 1 config bw 300kbits/s
>> ipfw queue 1 config pipe 1 weight 100
>> ipfw queue 2 config pipe 1 weight 1 mask all
>> ipfw add 100 queue 1 udp from any to any out via fxp0
>> ipfw add 101 skipto 1000 udp from any to any out via fxp0
>> ipfw add 110 queue 1 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add 111 skipto 1000 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add queue 2 ip from any to any out via fxp0
>> ipfw add 1000 allow all from any to any
>>
>> Can I make this better or am I even on the right road??  Thanks in 
>> advance for your help.
>
> I am also wondering if there is a way to do any limiting based on 
> alias addresses.  I am thinking about putting the DNS, which is the 
> service that we at the office are not able to access while the mail is 
> being sent out on the machine.  Is there a way to designate a virtual 
> interface in the dummynet config?  I came from a Solaris background 
> and the virtual interfaces were addressed as hme0:1.  I know that 
> FreeBSD does not use this notation, but is there a way to make rules 
> for additional virtual interfaces or aliases?

From what I can see (and someone more in the know can correct me if I'm 
totally off base) the pipes and queues of ipfw/dummynet are somewhat 
analogous to virtual interfaces - insofar as they allow you to treat 
specific traffic as if they are physically coming from different 
sources.

I didn't see any use of natd within your firewall script. That's 
probably something you're missing if this is a gateway machine.

Taking the example from...
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

...(e.g., the last script on the page), with a few mods:

>> /etc/rc.dummynet :
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
uports="53, ..."
tports="22, ..."

ipfw pipe 1 config bw 300kbits/s
ipfw queue 1 config pipe 1 weight 100
ipfw queue 2 config pipe 1 weight 1 mask all
ipfw add 100 queue 1 udp from any to any out via fxp0
ipfw add 101 skipto 1000 udp from any to any out via fxp0
ipfw add 110 queue 1 tcp from any to any out via fxp0 tcpflags ack
ipfw add 111 skipto 1000 tcp from any to any out via fxp0 tcpflags ack
ipfw add queue 2 ip from any to any out via fxp0
ipfw add 1000 allow all from any to any

# anti-spoofing
$cmd 004 deny ip from any to any not verrevpath in
<...>
# allow all LAN traffic
$cmd 005 allow all from any to any via $iif
# allow loopback traffic
$cmd 010 allow all from any to any via lo0
# nat inbound traffic
$cmd 014 divert natd ip from any to any in
# allow previously keep-state'd traffic
$cmd 015 check-state
<...>
# direct queue/pipe traffic
$cmd 100 $skip udp from any to any $uports out via fxp0
$cmd 150 $skip tcp from any to any $tports out via fxp0
$cmd 155 $skip tcp from any to any out via fxp0 tcpflags ack
<...>
# deny/log unauthorised traffic
$cmd 400 deny log all from any to any
##############################################
#---Skipto section---
##############################################
# config pipe(s)/queue(s)
$cmd 800 queue 1 udp from any to any out via fxp0
$cmd 800 queue 1 tcp from any to any out via fxp0 tcpflags ack
$cmd 800 queue 2 tcp from any to any out via fxp0
# pipe/queue config commands take no rule number (the "800" above was a
# syntax error); configure the pipe first, then the queues that reference it
ipfw -q pipe 1 config bw 300Kbit/s
ipfw -q queue 1 config pipe 1 weight 100
ipfw -q queue 2 config pipe 1 weight 1 mask all
# Natd
$cmd 801 divert natd ip from any to any out
$cmd 802 allow ip from any to any
# deny/log all else
$cmd 999 deny log all from any to any

Now, it'd be great if someone who's more experienced with this stuff 
could point out where the above could be improved (and/or corrected)...

with regards,

--
LD
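The thread above leaves two practical questions open: the pipe/queue config lines must be valid (and sit before the rules that use them), and with net.inet.ip.fw.one_pass=0 a packet re-enters the ruleset after dummynet, so each queue rule needs a following skipto or the packet is queued again by the catch-all rule. The script below is an added example, not code from either poster or from the FreeBSD handbook; it emits the ipfw commands for the same scheme (queue 1 for DNS and TCP ACKs, queue 2 for the rest) and checks that every queue a rule references has actually been configured. It assumes fxp0 as the outside interface, a 300Kbit/s link, and one_pass=0 in /etc/sysctl.conf, as in the thread; IPFW, OIF and BW are names introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): a /etc/rc.dummynet-style script that
# generates, validates and applies the ipfw/dummynet priority ruleset.
# Assumptions: outside interface fxp0, 300Kbit/s link, and
# net.inet.ip.fw.one_pass=0 set in /etc/sysctl.conf.

IPFW="${IPFW:-/sbin/ipfw}"   # set IPFW=echo to dry-run without touching the kernel
OIF="${OIF:-fxp0}"           # assumed outside interface name
BW="${BW:-300Kbit/s}"        # assumed link bandwidth

# print_rules: one ipfw argument list per line.  Pipes and queues are
# configured before any rule references them, and every "queue" rule is
# followed by a skipto so that a packet re-entering the ruleset after
# dummynet (one_pass=0) is not queued a second time by rule 120.
print_rules() {
    cat <<EOF
-q -f flush
-q pipe 1 config bw $BW
-q queue 1 config pipe 1 weight 100
-q queue 2 config pipe 1 weight 1 mask all
-q add 4 deny ip from any to any not verrevpath in
-q add 10 allow ip from any to any via lo0
-q add 100 queue 1 udp from any to any 53 out via $OIF
-q add 101 skipto 1000 udp from any to any 53 out via $OIF
-q add 110 queue 1 tcp from any to any out via $OIF tcpflags ack
-q add 111 skipto 1000 tcp from any to any out via $OIF tcpflags ack
-q add 120 queue 2 ip from any to any out via $OIF
-q add 1000 allow ip from any to any
EOF
}

# check_queue_refs: read an argument list on stdin and fail if any
# "add ... queue N" rule names a queue that has no "queue N config" line.
# A rule pointing at an unconfigured queue does not shape anything, so
# catch it before the ruleset goes live.
check_queue_refs() {
    awk '
        $2 == "queue" && $4 == "config" { configured[$3] = 1 }
        $2 == "add" {
            for (i = 3; i <= NF; i++)
                if ($i == "queue") referenced[$(i + 1)] = 1
        }
        END {
            rc = 0
            for (q in referenced)
                if (!(q in configured)) {
                    print "queue " q " is referenced but never configured"
                    rc = 1
                }
            exit rc
        }'
}

# apply_rules: validate, then hand each line to ipfw.  Word splitting of
# $args is intentional; the pipeline subshell exits on the first failure.
apply_rules() {
    print_rules | check_queue_refs || return 1
    print_rules | while read -r args; do
        $IPFW $args || exit 1
    done
}

# Only apply when executed as the rc script itself, so the functions can be
# sourced for a dry run without touching the running firewall.
case "$0" in
    */rc.dummynet|rc.dummynet) apply_rules ;;
esac
```

To see the generated commands without changing the live ruleset, source the file and run `IPFW=echo apply_rules`; installed as /etc/rc.dummynet it applies the rules directly. Rule 4 (`not verrevpath`) and the loopback allow are the anti-spoofing and lo0 lines from the handbook-derived script in the thread; natd is left out because the host in the thread is a mail sender, not a gateway.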