Date:      Tue, 10 Nov 2009 11:56:13 -0600
From:      Chris Bowman <chrishome@austin.rr.com>
To:        Nima Mohammadi <it@hastigasht.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: HELP ME
Message-ID:  <5382554a0911100956p30224cc9n765c6207eb12348@mail.gmail.com>
In-Reply-To: <20091110131017.A2A98106568D@hub.freebsd.org>
References:  <20091110131017.A2A98106568D@hub.freebsd.org>

On Tue, Nov 10, 2009 at 6:40 AM, Nima Mohammadi <it@hastigasht.com> wrote:

> Hi
> I have a FreeBSD 7.1 with ipfw and dummynet and natd and all the things are
> good.
> But I can not limit the upload to the internet with dummynet.
> The download limit works fine.
>
>
>
> When I change the pipe 2 rule from (to me in) to (to any in), the internet
> connection of my client will be down.
> vr0 : internal net : 192.168.10.0/24
> nfe0: out net : 212.80.13.1 ,2 ,3
>
> the upload is very high .
> HELP ME
>
> here is my ipfw config :
> ipfw -q -f flush
>
> #Dedicate internet user and non internet user
>
> ############################################################################
> #charter 55 for ali shirali movaghat share with andishgar
>
> iuser="192.168.10.0/24{1,3,25,27,31,42,48,50,53,54,55,63,69,81,84,88,92,98,100,105,118,128,131,134,135,137,140,155,165,171}"
>
> noiuser="192.168.10.0/24{44,46}"
>
> ############################################################################
>
>
> ##########################dummynet##########################################
> #receive
> ipfw -q add pipe 1 ip from any to ${iuser} out via vr0
> ipfw pipe 1 config bw 9KByte/s # queue 11 delay 100ms
>
> #send
> ipfw -q add pipe 2 ip from ${iuser} to me in via vr0
> ipfw pipe 2 config bw 7KByte/s # queue 11 delay 100ms
>
> ############################################################################
>
>
> ##################################NAT#######################################
> ipfw -q add divert natd all from any to any via nfe0
> ipfw -q add check-state
>
> ############################################################################
>
> #block any to loopback
> ipfw -q add allow ip from any to any via lo0
> ipfw -q add deny ip from any to 127.0.0.0/8
>
> #########################END internet users##################################
>
> #web & ssl & yahoo messenger
> ###################WEB Access##############################
> ipfw -q add allow tcp from ${iuser} to any 80,443,5050 keep-state
>
> #allow all http to internal
> ipfw -q add allow tcp from any to any 80 in via nfe0 keep-state
>
> #charter 10 access on ghd24.net
> #ipfw -q add allow tcp from 192.168.10.64 to 66.49.211.210,94.182.197.230 80 keep-state
> ######################END Web Access#########################
>
> #aseman
> ipfw -q add allow tcp from any to any 7769 keep-state
>
> #amadeus
> ipfw -q add allow tcp from any to any 9876,10000 keep-state
>
> #air tour
> ipfw -q add allow tcp from any to any 1770 keep-state
>
> #ftp
> ipfw -q add allow ip from any to any 21 keep-state
> #ipfw -q add allow ip from any to any 1024-65535 keep-state
> ipfw -q add allow tcp from 192.168.10.69,192.168.10.1,192.168.10.9 to any 1024-65535 keep-state
> ipfw -q add allow tcp from any 1024-65535 to 192.168.10.1 keep-state
>
> #ipfw -q add check-state
>
> #DNS
> ipfw -q add allow ip from any to any 53 keep-state
> ipfw -q add allow ip from any 53 to any keep-state
>
> #remote
> ipfw -q add allow ip from any to any 35252,12114,3389 keep-state
>
> #mysql remote
> #ipfw -q add allow ip from any to any 3306,1433 keep-state
>
> #share
> #ipfw -q add allow tcp from any to me 139
> #ipfw -q add allow tcp from any 139 to any
>
> #ping
> ipfw -q add allow icmp from any to any
>
> #cpanel
> #ipfw -q add allow ip from any to any 2082,2083,2095 keep-state
>
> #ssh
> ipfw -q add allow tcp from any to me 5432 keep-state
> ipfw -q add allow tcp from any 5432 to any keep-state
>
> #Out look pop3
> ######################POP3 Access#####################
>
> ipfw -q add allow tcp from ${iuser},${noiuser} to any 25 keep-state
> ipfw -q add allow tcp from ${iuser},${noiuser} to any 110 keep-state
>
> ######################END POP3 Access#################
> #gmail
> #ipfw -q add allow tcp from any to any 995,465 keep-state
>
> #Ghost Surf
> ipfw -q add allow tcp from any to any 8888 keep-state
>
> #VPN TO EXTERNAL
> ipfw -q add allow gre from any to any keep-state
> ipfw -q add allow tcp from any to any 1723 keep-state
>
> #allow all to external
> ipfw -q add allow ip from any to any out via nfe0
>
> #deny all in from external
> ipfw -q add deny all from any to any in via nfe0
>


Currently your IPFW rule for pipe 2 is only matching traffic sourced from
192.168.10.0/24 with a destination of "me", me being any IP interface on your
box, so your rule would work only if traffic is destined to an IP on your box.
Your IPFW rule for pipe 1 is matching on any and works, I'd look at applying the
same logic to your pipe 2 rule :)
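To make the point about "me" versus "any" concrete, here is a small added model (not code from either poster) of how ipfw evaluates the address part of the two pipe rules. It parses the post's `192.168.10.0/24{...}` addr-set notation and checks a constructed client-to-Internet upload packet against pipe 2 written both ways; the gateway's own addresses and the packet addresses are assumed sample values.

```python
"""Model of ipfw address matching for the two dummynet pipe rules in the thread.

Added illustration only.  It models just the 'from SRC to DST' part of a rule;
interface, direction and protocol are taken as already matched.
"""
import ipaddress
import re

# Addresses configured on the gateway itself; ipfw's keyword "me" matches any
# of them.  Constructed from the interfaces named in the post (vr0 / nfe0).
GATEWAY_IPS = {"192.168.10.254", "212.80.13.1", "212.80.13.2", "212.80.13.3"}

_ADDR_SET = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+)\{([\d,]+)\}$")

def expand_addr_set(spec):
    """Expand ipfw addr-set notation 'a.b.c.d/len{h1,h2,...}' into host IPs.

    The braced numbers are host offsets inside the /len network, so
    192.168.10.0/24{1,3} means 192.168.10.1 and 192.168.10.3.
    A plain address or prefix without braces is expanded as a network.
    """
    m = _ADDR_SET.match(spec)
    if not m:
        return {str(ip) for ip in ipaddress.ip_network(spec, strict=False)}
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return {str(net.network_address + int(h)) for h in m.group(3).split(",")}

def matches(rule_src, rule_dst, pkt_src, pkt_dst):
    """Does a packet's (src, dst) satisfy an ipfw 'from SRC to DST' clause?"""
    def side_ok(spec, addr):
        if spec == "any":
            return True
        if spec == "me":            # only the gateway's own addresses
            return addr in GATEWAY_IPS
        return addr in expand_addr_set(spec)
    return side_ok(rule_src, pkt_src) and side_ok(rule_dst, pkt_dst)

IUSER = "192.168.10.0/24{1,3,25,27,31,42}"   # shortened copy of the post's set

def upload_shaped(rule_dst, pkt_src="192.168.10.3", pkt_dst="198.51.100.10"):
    """True if an upload from a client to an Internet host would hit pipe 2."""
    return matches(IUSER, rule_dst, pkt_src, pkt_dst)

if __name__ == "__main__":
    print("pipe 2 'to me' :", upload_shaped("me"))    # False: uploads never shaped
    print("pipe 2 'to any':", upload_shaped("any"))   # True
```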


