From: "Scott M. Nolde"
To: freebsd-ipfw@freebsd.org
Subject: queues and firewalling
Date: Fri, 13 Sep 2002 16:04:08 -0400
Message-ID: <20020913200408.GA90537@smnolde.com>

I'm trying to set up a firewall which has (at this moment) eight queues. Four are input and four are output queues. Each queue has an associated pipe and bandwidth limitation. This is, for the most part, scripted so I can add a tcp or udp port and rerun the script quickly to move things around.

The generic structure is this:

 1. read in defaults
 2. deny certain traffic (RFC 1918) at the external nic
 3. divert for NAT
 4. do some custom allow and deny stuff
 5. begin adding rules for queuing (include tcp, udp, and esp)
 6. define pipes for the queues
 7. define bandwidth for the pipes
 8. pass established
 9. allow tcp from my LAN to any keep-state
10. allow tcp from my ext nic to LAN keep-state
11. allow tcp from any to LAN keep-state
12. allow tcp from any to ext nic keep-state
13. allow tcp from ext nic to any keep-state
14. do udp and icmp filtering...

For some odd reason (pebcak?) irc, www, and other services originating from the LAN or the firewall/nat box don't ever get connected.

The firewall can be found here: http://www.smnolde.com:7080/ipfw/rc.ipfw.error

Pipe and queue output can be found here (near the end): http://www.smnolde.com:7080/ipfw/rc.ipfw-test.show

If anyone can offer assistance I'd be most grateful.

--
Scott Nolde
GPG Key 0xD869AB48
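The ruleset layout the post describes (RFC 1918 deny on the external NIC, NAT divert, per-class dummynet pipes and queues in both directions, then established and keep-state rules), written out as an added example that is not the poster's script; the interface name, LAN prefix, ports, bandwidths and rule numbers are assumed values.

```shell
#!/bin/sh
# Added example, not the poster's rc.ipfw: an ipfw/dummynet ruleset in the order
# the message lists. EXT, LAN, CLASSES and the rule numbers are assumptions.
EXT=fxp0                 # assumed external interface
LAN=192.168.10.0/24      # assumed LAN prefix
FW=ipfw

# Traffic classes (constructed): name:tcp-port:outbound-Kbit:inbound-Kbit.
# Each class gets one pipe+queue per direction, so two classes = four queues.
CLASSES="www:80:128:512 irc:6667:32:32"

# Print the commands instead of running them, so the ruleset can be reviewed
# (or diffed against 'ipfw show') before it is loaded into the kernel.
emit_rules() {
    echo "$FW -f flush"
    echo "$FW -f pipe flush"
    # 2. drop RFC 1918 sources arriving on the external NIC
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "$FW add 100 deny ip from $net to any in via $EXT"
    done
    # 3. NAT via natd on the divert socket
    echo "$FW add 200 divert natd ip from any to any via $EXT"
    # 5-7. pipes carry the bandwidth limit, queues hang off them, queue rules
    # select the traffic (outbound queue n, inbound queue n+50)
    n=0
    for c in $CLASSES; do
        name=${c%%:*}; rest=${c#*:}
        port=${rest%%:*}; rest=${rest#*:}
        bw_out=${rest%%:*}; bw_in=${rest#*:}
        n=$((n + 1)); q_out=$n; q_in=$((n + 50))
        echo "$FW pipe $q_out config bw ${bw_out}Kbit/s"
        echo "$FW queue $q_out config pipe $q_out weight 50"
        echo "$FW pipe $q_in config bw ${bw_in}Kbit/s"
        echo "$FW queue $q_in config pipe $q_in weight 50"
        echo "$FW add 300 queue $q_out tcp from $LAN to any $port out via $EXT"
        echo "$FW add 300 queue $q_in tcp from any $port to $LAN in via $EXT"
    done
    # With net.inet.ip.fw.one_pass=1 (the default) a packet that matches a
    # queue rule leaves the ruleset there and never reaches the rules below;
    # set one_pass=0 if the stateful rules must still run after queueing.
    echo "$FW add 400 check-state"
    echo "$FW add 410 allow tcp from any to any established"
    echo "$FW add 420 allow tcp from $LAN to any keep-state out via $EXT"
    echo "$FW add 430 deny log ip from any to any"
}

# Load only when explicitly asked, so sourcing or reviewing the script is safe.
if [ "$1" = "load" ]; then
    emit_rules | sh
fi
```

Run it with no argument to print the rules for review, or with `load` to feed them to ipfw.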