From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 7 07:38:21 2004
From: LD
Date: Sun, 7 Nov 2004 18:38:25 +1100
To: Bob Ababurko
cc: freebsd-ipfw@freebsd.org
Subject: Re: assistance dummynet config
In-Reply-To: <6.0.3.0.0.20041103152300.02238ec0@dreadlock.phreakout.net>
References: <6.0.3.0.0.20041101123154.02265a08@mail.dc2.adelphia.net> <6.0.3.0.0.20041103152300.02238ec0@dreadlock.phreakout.net>
Message-Id: <025C3D0D-3090-11D9-81C4-0005025E2371@yahoo.com.au>
List-Id: IPFW Technical Discussions

Hi there,

I have a question of my own which is similar to yours - but figure that (as you've noted) if others' questions are not being answered that I might also find myself answering my own questions. So, though I'm also new to the FreeBSD world - I'll throw some food for thought into the mix from what I've read. See below...
On 04/11/2004, at 8:10 AM, Bob Ababurko wrote:

>> What I am trying to accomplish with this dummynet config is give
>> priority to udp traffic, namely dns and tcp ack's so that I can send
>> mail to our clients announcement list, as fast and efficient as
>> possible without congestion. So basically, I need this machine to be
>> able to make dns lookups without a problem and I need the acks to
>> get back to my machine so that the SMTP conversation can take place
>> without latency. I am not sure if I have taken all that I need into
>> consideration, but for now I could use some constructive criticism in
>> terms of making it better.
>>
>> Using FreeBSD 5.2.1, I have:
>>
>> /etc/sysctl.conf :
>> net.inet.ip.fw.one_pass=0
>>
>> /etc/rc.conf :
>> firewall_enable="YES"
>> firewall_script="/etc/rc.dummynet"
>> firewall_type="open"
>> firewall_logging="YES"
>>
>> /etc/rc.dummynet :
>> ipfw -f flush
>> ipfw pipe 1 config bw 300kbits/s
>> ipfw queue 1 config pipe 1 weight 100
>> ipfw queue 2 config pipe 1 weight 1 mask all
>> ipfw add 100 queue 1 udp from any to any out via fxp0
>> ipfw add 101 skipto 1000 udp from any to any out via fxp0
>> ipfw add 110 queue 1 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add 111 skipto 1000 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add queue 2 ip from any to any out via fxp0
>> ipfw add 1000 allow all from any to any
>>
>> Can I make this better or am I even on the right road?? Thanks in
>> advance for your help.
>
> I am also wondering if there is a way to do any limiting based on
> alias addresses. I am thinking about putting the DNS, which is the
> service that we at the office are not able to access while the mail is
> being sent out, on the machine. Is there a way to designate a virtual
> interface in the dummynet config? I came from a Solaris background
> and the virtual interfaces were addressed as hme0:1.
> I know that FreeBSD does not use this notation, but is there a way to
> make rules for additional virtual interfaces or aliases?

From what I can see (and someone more in the know can correct me if I'm totally off base) the pipes and queues of ipfw/dummynet are somewhat analogous to virtual interfaces - insofar as they allow you to treat specific traffic as if it is physically coming from different sources.

I didn't see any use of natd within your firewall script. That's probably something you're missing if this is a gateway machine.

Taking the example from...

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

...(e.g., the last script on the page), with a few mods:

>> /etc/rc.dummynet :
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
uports="53, ..."
tports="22, ..."

>> ipfw pipe 1 config bw 300kbits/s
>> ipfw queue 1 config pipe 1 weight 100
>> ipfw queue 2 config pipe 1 weight 1 mask all
>> ipfw add 100 queue 1 udp from any to any out via fxp0
>> ipfw add 101 skipto 1000 udp from any to any out via fxp0
>> ipfw add 110 queue 1 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add 111 skipto 1000 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add queue 2 ip from any to any out via fxp0
>> ipfw add 1000 allow all from any to any

# anti-spoofing
$cmd 004 deny ip from any to any not verrevpath in
<...>

# allow all LAN traffic ($iif: the inside/LAN interface, set at the top of the script)
$cmd 005 allow all from any to any via $iif

# allow loopback traffic
$cmd 010 allow all from any to any via lo0

# nat inbound traffic
$cmd 014 divert natd ip from any to any in

# allow previously keep-state'd traffic
$cmd 015 check-state
<...>

# direct queue/pipe traffic
$cmd 100 $skip udp from any to any $uports out via fxp0
$cmd 150 $skip tcp from any to any $tports out via fxp0
$cmd 155 $skip tcp from any to any out via fxp0 tcpflags ack
<...>

# deny/log unauthorised traffic
$cmd 400 deny log all from any to any

##############################################
#---Skipto section---
##############################################
# config pipe(s)/queue(s)
# (pipe and queue configuration is not a rule and takes no rule number)
ipfw -q pipe 1 config bw 300Kbit/s
ipfw -q queue 1 config pipe 1 weight 100
ipfw -q queue 2 config pipe 1 weight 1 mask all
$cmd 800 queue 1 udp from any to any out via fxp0
$cmd 800 queue 1 tcp from any to any out via fxp0 tcpflags ack
# with one_pass=0 a queued packet re-enters at the next rule, so the
# catch-all must exclude the ACKs already sent to queue 1
$cmd 800 queue 2 tcp from any to any out via fxp0 tcpflags !ack

# Natd
$cmd 801 divert natd ip from any to any out
$cmd 802 allow ip from any to any

# deny/log all else
$cmd 999 deny log all from any to any

Now, it'd be great if someone who's more experienced with this stuff could point out where the above could be improved (and/or corrected)...

with regards,

--
LD
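The skipto/queue layout discussed in this thread, traced with an added example that is not part of the thread and is not FreeBSD's ipfw code: a minimal simulator of ipfw rule traversal over a constructed copy of the visible rules. It models only what the layout depends on (rule order, allow/deny, skipto, queue with net.inet.ip.fw.one_pass either way, and divert as "re-enter at the next rule"); verrevpath, check-state and the `<...>` elisions are left out, and the elided port lists are filled with just the values shown (53 and 22), so all of those are assumptions of the example.

```python
# Added example, not code from this thread or from FreeBSD: a minimal
# simulator of ipfw rule traversal, used to trace how the ruleset above
# treats a packet.  It models only what the thread relies on: rule order,
# allow/deny, skipto, queue (with net.inet.ip.fw.one_pass either way) and
# divert as "re-enter at the next rule".  It does not model verrevpath,
# check-state or the <...> elisions, and the elided port lists are filled
# with only the values shown (53 and 22).
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                       # allow | deny | skipto | queue | divert
    arg: int = 0                      # skipto target or queue number
    proto: str = "ip"                 # "ip" matches every protocol
    dports: frozenset = frozenset()   # empty = any destination port
    direction: str = ""               # "in", "out" or "" for either
    iface: str = ""                   # "" = any interface
    ack: object = None                # True = tcpflags ack, False = tcpflags !ack


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    direction: str
    iface: str
    ack: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports)
            and (not rule.direction or rule.direction == pkt.direction)
            and (not rule.iface or rule.iface == pkt.iface)
            and (rule.ack is None or rule.ack == pkt.ack))


def walk(rules, pkt, one_pass=False):
    """Return (verdict, numbers of the rules that matched, queues entered)."""
    trace, queues, i = [], [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        trace.append(r.num)
        if r.action in ("allow", "deny"):
            return r.action, trace, queues
        if r.action == "skipto":
            # continue at the first rule whose number is >= the target
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
        elif r.action == "queue":
            queues.append(r.arg)
            if one_pass:              # one_pass=1: dummynet output is accepted
                return "allow", trace, queues
            i += 1                    # one_pass=0: re-enter at the next rule
        elif r.action == "divert":
            i += 1                    # natd re-injects at the next rule
        else:
            raise ValueError(r.action)
    return "deny", trace, queues      # implicit default rule 65535 deny


def ruleset(guard_non_ack: bool):
    """The posted skipto layout, simplified.  guard_non_ack adds 'tcpflags !ack'
    to the queue 2 rule so an ACK already sent to queue 1 is not queued again."""
    out_fxp0 = dict(direction="out", iface="fxp0")
    return [
        Rule(10, "allow", iface="lo0"),
        Rule(14, "divert", direction="in"),
        Rule(100, "skipto", 800, proto="udp", dports=frozenset({53}), **out_fxp0),
        Rule(150, "skipto", 800, proto="tcp", dports=frozenset({22}), **out_fxp0),
        Rule(155, "skipto", 800, proto="tcp", ack=True, **out_fxp0),
        Rule(400, "deny"),
        Rule(800, "queue", 1, proto="udp", **out_fxp0),
        Rule(800, "queue", 1, proto="tcp", ack=True, **out_fxp0),
        Rule(800, "queue", 2, proto="tcp", ack=(False if guard_non_ack else None), **out_fxp0),
        Rule(801, "divert", direction="out"),
        Rule(802, "allow"),
        Rule(999, "deny"),
    ]


if __name__ == "__main__":
    # constructed sample packets
    samples = {
        "dns query out": Packet("udp", 53, "out", "fxp0"),
        "tcp ack out": Packet("tcp", 80, "out", "fxp0", ack=True),
        "tcp syn out": Packet("tcp", 80, "out", "fxp0"),
    }
    for guard in (False, True):
        print("queue 2 rule with tcpflags !ack:", guard)
        for name, pkt in samples.items():
            print(f"  {name:14s} one_pass=0 -> {walk(ruleset(guard), pkt)}")
        dns = samples["dns query out"]
        print(f"  dns query out  one_pass=1 -> {walk(ruleset(guard), dns, one_pass=True)}")
```

Three things the trace makes visible. With one_pass=0 an outbound DNS query matches 100, is queued at 800, and then continues through 801 (divert natd) to 802; with one_pass=1 it stops at the queue rule and never reaches the outbound natd divert, which is why the sysctl setting in the original post matters once natd is added. Without a `tcpflags !ack` guard on the queue 2 rule, an outbound ACK is queued at both 800 rules in turn. And a plain outbound SYN (no ACK, not on $tports) falls through to rule 400 in this model, which is the part the `<...>` elisions after check-state have to cover.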