Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Mar 2016 14:33:21 -0800 (PST)
From:      Don Lewis <>
Subject:   Re: ipwf dummynet vs. kernel NAT and firewall rules
Message-ID:  <>
In-Reply-To: <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 10 Mar, Julian Elischer wrote:
> On 9/03/2016 9:32 AM, Don Lewis wrote:
>> I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this
>> patch: <>, but I'm
>> running into a problem that I think is caused by an interaction between
>> in-kernel NAT and dummynet.  I've set up two dummynet pipe/sched/queue
>> instances using example 3.3a from this document
>> <>; with the
>> appropriate bandwidths, but otherwise default tunings to shape both
>> inbound and outbound traffic.  My inside network is a /24 and I have an
>> external /29 (ext/29) network that I don't want to rate limit.  My
>> outside network interface is re0.  I'm using the /etc/rc.firewall
>> "simple" firewall configuration.
>> The problem that I'm having crops up when I actually try to add the
>> firewall rules to select the traffic that I want to rate limit.  The
>> first rule in the list is:
>> 	100 allow ip from any to any via lo0
>> The second rule is numbered 200 and is first anti-spoofing rule.  If
>> I add *either* of these two rules, then I'm no longer able to
>> communicate between hosts on my internal network and the rest of the
>> world:
>>    ipfw 110 add queue 1 ip from not ext/29 to any in recv re0
>>    ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0
>> It seems like the inbound rule should be early in the rule list so that
>> any inbound traffic that gets dropped by the firewall rules gets counted
>> even if it is dropped by later rules.  It also seems like the outbound
>> rule needs to be before any allow rules since an allow rule would skip
>> the remaining rules and would not count that traffic.  Unfortunately the
>> ipfw documentation doesn't really describe the interaction between
>> dummynet, NAT, and other firewall rules.
>> Unfortunately this is a live system, so it is difficult to do controlled
>> experiments and look at the ipfw counters to see where things might be
>> going into the weeds ...
> ok so you need to do what I always tell people.. split your rules into 
> separate incoming and outgoing rule sets.
> so your first rule should be:
>    skipto 10000 all from any to any in.
> and have separate sets of rules for incoming and outgoing packets.

I'm somewhat used to that.  In a past life I wrote firewall rules for
routers that have separate per-interface in and out rulesets.  I do
recall genrating them from from a script that kept the in and out rules
for the desired flows in sync with each other.

In this case, it would require a total rewrite from what I have now,
which I'm not anxious to tackle at the moment.

Want to link to this message? Use this URL: <>