From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 10 03:50:09 2007
From: "Glen Prestidge" <tool_box@westnet.com.au>
To: freebsd-ipfw@freebsd.org
Date: Sun, 10 Jun 2007 11:25:11 +0800
Message-ID: <002501c7ab0e$f3fceec0$1e01a8c0@mars>
Subject: ipfw portfording problems

Hi all,

I am trying to set up SC VNC, which I want to use when I need to support my customers.
I am having problems placing these firewall rules so that they will allow the traffic.

Here are my rules:

#!/bin/sh
############################
#
# Define your variables
#
fwcmd="/sbin/ipfw"        # leave as is if using ipfw
oif="vr0"                 # set to outside interface name
onwr="10.1.1.0/8"         # set to outside network range
oip="10.1.1.4"            # set to outside ip address
iif="re0"                 # set to internal interface name
inwr="192.168.1.0/24"     # set to internal network range
iip="192.168.1.1"         # set to internal ip address
ntp="202.72.191.202"
ns1="203.10.1.17"         # set to primary name server, best if = oif
#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
# $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
# $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif
#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
$fwcmd add deny all from 210.22.175.130 to any in via $oif
#
# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
#
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established
#
# ALL VNC
$fwcmd add fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
#
# Allow packets in via the VPN interface
$fwcmd add allow ip from any to any in recv ng0
# Allow the rest of the VPN data through
$fwcmd add allow gre from any to any
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a comma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow log tcp from any to $oip 22 setup
# $fwcmd add allow log tcp from any to $oip 80 setup
$fwcmd add allow tcp from any to $oip 25,53 setup
# Posted as "#oip 21": the shell read the rest of that line as a comment,
# so the rule was never loaded.
$fwcmd add allow tcp from any to $oip 21 setup
$fwcmd add allow tcp from any to $oip 110 setup
$fwcmd add allow log tcp from any to $oip dst-port 5900 setup
# $fwcmd add allow log tcp from any to any dst-port 5900 setup
# Posted twice with the undefined variable $iop ("to any $iop setup" and
# "to $iop setup"); the first expanded to "allow log tcp from any to any setup"
# (rule 03000 in the listing below), the second did not parse.
$fwcmd add allow log tcp from any to $oip setup
$fwcmd add allow log tcp from any to any dst-port 1723 setup
#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any to $ns1 53
#
# Allow time update traffic
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Allow UDP from local external network so I can tracert from local servers
$fwcmd add allow udp from any 53 to any
$fwcmd add allow udp from any to any 53
#
# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0
$fwcmd add allow icmp from any to any icmptypes 3
$fwcmd add allow icmp from any to any icmptypes 4
$fwcmd add allow icmp from any to any icmptypes 8
$fwcmd add allow icmp from any to any icmptypes 11
#
# Rules to allow VNC access through the FW (is this needed here?)
$fwcmd add allow tcp from any to any dst-port 5900 in via vr0
$fwcmd add allow tcp from any to any dst-port 5900 out via re0
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any
#
#####################################################
#
# End firewall script.

The lines in bold are the lines I have entered. 192.168.1.30 is the machine in my internal network running the VNC viewer in listen mode, listening on port 5900.

As you can see when an "ipfw sh" is done:

00100 3 144 allow ip from any to any via lo0
00200 0 0 deny log logamount 100 ip from any to 127.0.0.0/8
00300 0 0 deny log logamount 100 ip from 192.168.1.0/24 to any in via vr0
00400 0 0 deny log logamount 100 ip from not 192.168.1.0/24 to any in via re0
00500 0 0 deny log logamount 100 ip from 192.168.0.0/16 to any in via vr0
00600 0 0 deny log logamount 100 ip from 172.16.0.0/12 to any in via vr0
00700 0 0 deny log logamount 100 ip from any to 192.168.0.0/16 in via vr0
00800 0 0 deny log logamount 100 ip from any to 172.16.0.0/12 in via vr0
00900 0 0 deny ip from 0.0.0.0/8 to any in via vr0
01000 0 0 deny ip from 169.254.0.0/16 to any in via vr0
01100 0 0 deny ip from 192.0.2.0/24 to any in via vr0
01200 0 0 deny ip from 224.0.0.0/4 to any in via vr0
01300 0 0 deny ip from 240.0.0.0/4 to any in via vr0
01400 0 0 deny ip from any to 0.0.0.0/8 in via vr0
01500 0 0 deny ip from any to 169.254.0.0/16 in via vr0
01600 0 0 deny ip from any to 192.0.2.0/24 in via vr0
01700 0 0 deny ip from any to 224.0.0.0/4 in via vr0
01800 0 0 deny ip from any to 240.0.0.0/4 in via vr0
01900 0 0 deny ip from 210.22.175.130 to any in via vr0
02000 288 28799 divert 8668 ip from any to any via vr0
02100 0 0 check-state
02200 185 18064 allow tcp from any to any established
02300 3 144 fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
02400 0 0 allow ip from any to any in recv ng0
02500 288 32928 allow gre from any to any
02600 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 22 setup
02700 0 0 allow tcp from any to 10.1.1.4 dst-port 25,53 setup
02800 0 0 allow tcp from any to 10.1.1.4 dst-port 110 setup
02900 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 5900 setup   (packets aren't getting here)
03000 6 384 allow log logamount 100 tcp from any to any setup
03100 0 0 allow log logamount 100 tcp from any to any dst-port 1723 setup
03200 0 0 allow udp from any to 203.10.1.17 dst-port 53
03300 0 0 allow udp from 202.72.191.202 123 to 10.1.1.4 dst-port 123
03400 12 1178 allow udp from any 53 to any
03500 12 780 allow udp from any to any dst-port 53
03600 0 0 allow icmp from any to any icmptypes 0
03700 0 0 allow icmp from any to any icmptypes 3
03800 0 0 allow icmp from any to any icmptypes 4
03900 0 0 allow icmp from any to any icmptypes 8
04000 0 0 allow icmp from any to any icmptypes 11
04100 0 0 allow tcp from any to any dst-port 5900 in via vr0
04200 0 0 allow tcp from any to any dst-port 5900 out via re0
04300 0 0 allow ip from 10.1.1.4 to any out via vr0 keep-state
04400 0 0 allow ip from 192.168.1.0/24 to any via re0 keep-state
65435 3 1457 deny log logamount 100 ip from any to any
65535 1586 192759 allow ip from any to any

any ideas?

Glen
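As an added example (my code, not from Glen's post and not ipfw's own code), the following Python audits the "ipfw sh" listing above in the way a reviewer would read it: it finds rules naming port 5900 that can never be reached, because rule 02300 is a fwd, a terminating action, and matches every 5900 SYN first, and it flags allow rules carrying no restriction beyond "setup". The listing from rule 02000 onward is the sample input; the checks are textual (they do not evaluate addresses, interfaces or direction).

```python
"""Audit an ``ipfw show`` listing for shadowed rules and wide-open allows.

Added example, not code from the post above or from ipfw itself. It models
only the part of ipfw's first-match walk the listing exposes: once a rule with
a terminating action (allow, deny, fwd, ...) matches, processing stops, so
later rules for the same traffic never see the packet and stay at zero.
"""
import re
from dataclasses import dataclass

# Sample input: the ipfw show output from the post, rule 02000 onward.
SAMPLE = """\
02000 288 28799 divert 8668 ip from any to any via vr0
02100 0 0 check-state
02200 185 18064 allow tcp from any to any established
02300 3 144 fwd 192.168.1.30,5900 tcp from any to any dst-port 5900
02400 0 0 allow ip from any to any in recv ng0
02500 288 32928 allow gre from any to any
02600 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 22 setup
02700 0 0 allow tcp from any to 10.1.1.4 dst-port 25,53 setup
02800 0 0 allow tcp from any to 10.1.1.4 dst-port 110 setup
02900 0 0 allow log logamount 100 tcp from any to 10.1.1.4 dst-port 5900 setup
03000 6 384 allow log logamount 100 tcp from any to any setup
03100 0 0 allow log logamount 100 tcp from any to any dst-port 1723 setup
03200 0 0 allow udp from any to 203.10.1.17 dst-port 53
03300 0 0 allow udp from 202.72.191.202 123 to 10.1.1.4 dst-port 123
03400 12 1178 allow udp from any 53 to any
03500 12 780 allow udp from any to any dst-port 53
03600 0 0 allow icmp from any to any icmptypes 0
04100 0 0 allow tcp from any to any dst-port 5900 in via vr0
04200 0 0 allow tcp from any to any dst-port 5900 out via re0
04300 0 0 allow ip from 10.1.1.4 to any out via vr0 keep-state
04400 0 0 allow ip from 192.168.1.0/24 to any via re0 keep-state
65435 3 1457 deny log logamount 100 ip from any to any
65535 1586 192759 allow ip from any to any
"""

# Actions after which ipfw stops walking the rule list.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop",
            "reject", "unreach", "fwd", "forward"}
LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    action: str
    body: str   # text after the action, with "log logamount N" stripped


def parse(text):
    """Turn ipfw show lines (number, packets, bytes, rule text) into Rules."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            body = re.sub(r"^log( logamount \d+)?\s*", "", m.group(5))
            rules.append(Rule(int(m.group(1)), int(m.group(2)), m.group(4), body))
    return rules


def shadowed_by_port(rules, port):
    """(rule, blocker) pairs: rules naming `port` that come after a terminal
    rule for that port which already has hits, so they can never count."""
    token, blocker, found = str(port), None, []
    for r in rules:
        if token not in re.split(r"[\s,]+", r.body):
            continue
        if blocker is None:
            if r.action in TERMINAL and r.packets > 0:
                blocker = r
        elif r.packets == 0:
            found.append((r.number, blocker.number))
    return found


def wide_open_allows(rules):
    """Allow rules whose only qualifier is an optional `setup`: any source to
    any destination, any interface, any port (the default rule 65535 counts)."""
    found = []
    for r in rules:
        if r.action not in ("allow", "accept", "pass", "permit"):
            continue
        m = re.match(r"^\S+ from any to any\s*(.*)$", r.body)
        if m and set(m.group(1).split()) <= {"setup"}:
            found.append(r.number)
    return found


if __name__ == "__main__":
    rules = parse(SAMPLE)
    for rule, blocker in shadowed_by_port(rules, 5900):
        print(f"rule {rule:05d} never sees port 5900: {blocker:05d} matched first")
    print("wide-open allow rules:", wide_open_allows(rules))
```

On this listing the audit reports 02900, 04100 and 04200 as shadowed by 02300, and 02500, 03000 and 65535 as wide-open allows; 03000 is the rule the undefined $iop variable produced.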
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 10 14:00:43 2007
From: Maxim Konovalov <maxim@FreeBSD.org>
To: gfb@vta.com, maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Sun, 10 Jun 2007 14:00:43 GMT
Message-Id: <200706101400.l5AE0hg5016937@freefall.freebsd.org>
Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters

Synopsis: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters

State-Changed-From-To: patched->closed
State-Changed-By: maxim
State-Changed-When: Sun Jun 10 14:00:24 UTC 2007
State-Changed-Why:
Merged to RELENG_6.
http://www.freebsd.org/cgi/query-pr.cgi?pr=80913

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 11 11:08:44 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 11 Jun 2007 11:08:42 GMT
Message-Id: <200706111108.l5BB8gHK026635@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       ipfw is seems to be broken to limit number of connecti

13 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] Too few dummynet queue slots
o kern/112561  ipfw       ipfw fwd does not work with some TCP packets
o kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci

24 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 11 22:32:10 2007
From: AT Matik <asstec@matik.com.br>
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Date: Mon, 11 Jun 2007 19:31:25 -0300
Message-Id: <200706111931.26118.asstec@matik.com.br>
Subject: skipto bug

Hi,

seems to be a skipto bug in ipfw

# ipfw add 60000 skipto 65535 ip from any to any
ipfw: illegal argument for skipto

# ipfw show 65535
65535 157 17306 deny ip from any to any

# ipfw add 60000 skipto 65534 ip from any to any
60000 skipto 65534 ip from any to any

I am not sure how long it has been so, but this is what I get on the latest RELENG_6 sources.

João

The message was scanned by the e-mail system and can be considered safe.
Service provided by Datacenter Matik https://datacenter.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 20:29:37 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 12 Jun 2007 22:02:26 +0200
Message-ID: <937e203f0706121302ga14ec97wab7f1b5e3c58cdfd@mail.gmail.com>
Subject: ipfw, pipes, queues, weights and managing an Internet connection

Hi all,

Here's what I want to do - I have a 3mbps Internet connection. I want to do something similar to QoS - that is, I want to be able to browse without feeling that for example I /or someone else behind the NAT/ is leeching a torrent. Since I found out that there is no pure incarnation of QoS in ipfw I believe that there is a way to accomplish this using the queues and weights. I have tried to do this by myself but it seems that there is no actual benefit of the weight parameter - I mean I do see the torrent speed go down, but it's after 4-8 seconds after I've told the browser to go fetch a page, during which time it sits and waits.
Here's what I currently have, involving queues and weights in my ruleset ->

> 02000 queue 1 ip from any to any src-port 80 not layer2 via fxp0
> 02100 queue 1 ip from any to any dst-port 80 not layer2 via fxp0
> 02200 queue 2 ip from any to any via fxp0
>
> and this is the pipe list
>
> 00001: 440.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
> q00001: weight 95 pipe 1   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp   10.11.0.246/1057  80.92.66.238/80   59038 41163646  0  0  0
> q00002: weight 5 pipe 1   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 udp   10.11.0.42/137  10.11.0.255/137  3148781 1921538209  15  14440 1046

I read something about putting in ACK's with a higher priority but I'm just not quite sure what I need to do in order to achieve this result. Please do share if you've done something similar and whether it's possible to NOT feel AT ALL that someone is leeching. That is, can the packets' speed /dropping, etc./ be so quickly managed by the gateway as to the end user not feeling anything? Most basically I would like to utilize a pipe at all times, but when someone starts browsing I don't want him to feel that there's anything in the background.

Thanks in advance to all who share their thoughts and opinions. Your help would be greatly appreciated. So let's get started...
-- 
mEsS wItH tHe bEsT dIE liKe tHe rESt

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 22:55:07 2007
From: Mark Martinec <Mark.Martinec@ijs.si>
Organization: J. Stefan Institute
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 00:37:47 +0200
References: <937e203f0706121302ga14ec97wab7f1b5e3c58cdfd@mail.gmail.com>
In-Reply-To: <937e203f0706121302ga14ec97wab7f1b5e3c58cdfd@mail.gmail.com>
Message-Id: <200706130037.48372.Mark.Martinec@ijs.si>
Subject: Re: ipfw, pipes, queues, weights and managing an Internet connection

Lubomir,

> Here's what I want to do - i have a 3mbps Internet connection. I want to
> do something similar to QoS - that is, I want to be able to browse without
> feeling that for example I /or someone else behind the NAT/ is leeching a
> torrent. Since I found out that there is no pure incarnation of QoS in ipfw
> I believe that there is a way to accomplish this using the queues and
> weights.

Indeed.

> I read something about putting in ACK's with a higher priority

Yes, it is a must.

> Please do share if you've done something similar and whether it's
> possible to NOT feel AT ALL that someone is leeching. That is,
> can the packets' speed /dropping, etc./ be so quickly managed by
> the gateway as to the end user not feeling anything?
> Most basically I would like to utilize a pipe at all times,
> but when someone starts browsing I don't want him to feel that
> there's anything in the background.

I can't say about p2p traffic, but it works for me the way you describe if I mix mail reading (IMAP/SMTP), web browsing and running a backup (rsync) in the background over a 0.5/3 Mbps cable link. Something like the following should get you going.
Btw, it pays off to slightly underestimate the link bandwidth, which avoids it resorting to more crude methods. My complication with specifying an interface makes traffic shaping only apply to the external interface. I'm sure it can be improved...

#define IF_EXT rl0
#define IF_INT rl1
#define IF_GIF gif0

/* traffic shaping - 512 kbps / 3072 kbps */

/* outgoing */
pipe 1 config queue 1500bytes bw 498000bit/s

queue 10 config pipe 1 weight 1 mask all
queue 11 config pipe 1 weight 5 mask all
queue 12 config pipe 1 weight 10 mask all
queue 13 config pipe 1 weight 50 mask all

add 65001 queue 13 out iptos lowdelay iplen 0-250 xmit IF_EXT
add 65002 queue 13 out proto udp src-port 12334 xmit IF_EXT
add 65003 queue 13 out proto udp iplen 0-250 xmit IF_EXT
add 65004 queue 12 out proto udp xmit IF_EXT
add 65005 queue 12 out proto icmp xmit IF_EXT
add 65006 queue 12 out proto tcp tcpflags ack iplen 0-80 xmit IF_EXT
add 65007 queue 11 out proto tcp iplen 0-300 xmit IF_EXT
add 65008 queue 11 out proto tcp src-port 80,88 xmit IF_EXT
add 65009 queue 10 out proto tcp dst-port rsync xmit IF_EXT
add 65010 queue 10 out proto tcp xmit IF_EXT
add 65011 queue 11 out proto ipv6 iplen 0-300 xmit IF_EXT
add 65012 queue 10 out proto ipv6 xmit IF_EXT
add 65013 queue 11 out proto ospf xmit IF_EXT
add 65014 queue 11 log out frag xmit IF_EXT
add 65015 queue 11 out xmit IF_EXT
add 65019 pass out

/* incoming */
pipe 2 config queue 4500bytes bw 3300Kbit/s

queue 20 config pipe 2 weight 1 mask all
queue 21 config pipe 2 weight 5 mask all
queue 22 config pipe 2 weight 10 mask all
queue 23 config pipe 2 weight 50 mask all

add 65101 queue 23 iptos lowdelay iplen 0-250 recv IF_EXT
add 65102 queue 23 proto udp src-port 12334 recv IF_EXT
add 65103 queue 22 proto udp iplen 0-250 recv IF_EXT
add 65103 queue 22 proto udp recv IF_EXT
add 65104 queue 22 proto icmp recv IF_EXT
add 65105 queue 22 proto tcp tcpflags ack iplen 0-80 recv IF_EXT
add 65106 queue 21 proto tcp iplen 0-300 recv IF_EXT
add 65107 queue 20 proto tcp dst-port rsync recv IF_EXT
add 65108 queue 20 proto tcp recv IF_EXT
add 65109 queue 21 proto ipv6 iplen 0-300 recv IF_EXT
add 65110 queue 20 proto ipv6 recv IF_EXT
add 65111 queue 21 proto ospf recv IF_EXT
add 65112 queue 21 log frag recv IF_EXT
add 65113 queue 21 in recv IF_EXT
add 65119 pass in

Mark
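As an added example (my code, not Mark's ruleset and not anything from FreeBSD or dummynet), the following Python mirrors the "outgoing" classification rules above and shows how pipe 1's 498 kbit/s gets divided: with "mask all" every connection becomes its own weighted flow, and a weight only counts while that flow has packets waiting, so a bulk upload gets the whole pipe when it is alone and is squeezed the moment interactive traffic appears. Assumptions: every packet already leaves via IF_EXT, rsync is TCP port 873, and a flow is keyed on (proto, src_port, dst_port) in place of the real 5-tuple.

```python
"""Classify outbound packets into the dummynet queues of the ruleset above and
work out how pipe 1's bandwidth is divided among the flows that are waiting.

Added example, not code from the thread or from FreeBSD/ipfw. It mirrors the
match options used in the "outgoing" rules (iptos lowdelay, proto, src-port,
dst-port, tcpflags ack, iplen ranges, frag) on a small packet record and models
the WF2Q+ rule that weights are shares among *backlogged* flows only.
Assumptions: every packet already leaves via IF_EXT; rsync is TCP port 873;
"mask all" is modelled by keying flows on (proto, src_port, dst_port).
"""
from dataclasses import dataclass

PIPE1_BPS = 498_000                        # pipe 1 config ... bw 498000bit/s
WEIGHTS = {10: 1, 11: 5, 12: 10, 13: 50}   # queue NN config pipe 1 weight W


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp", "icmp", "ipv6", "ospf"
    iplen: int               # total IP length in bytes ("iplen 0-N")
    src_port: int = 0
    dst_port: int = 0
    ack: bool = False        # TCP ACK flag set ("tcpflags ack")
    lowdelay: bool = False   # IP TOS lowdelay bit ("iptos lowdelay")
    frag: bool = False       # non-first fragment ("frag")


# (queue, predicate) in rule order; first match wins, like ipfw's rule walk.
RULES = [
    (13, lambda p: p.lowdelay and p.iplen <= 250),                  # 65001
    (13, lambda p: p.proto == "udp" and p.src_port == 12334),       # 65002
    (13, lambda p: p.proto == "udp" and p.iplen <= 250),            # 65003
    (12, lambda p: p.proto == "udp"),                               # 65004
    (12, lambda p: p.proto == "icmp"),                              # 65005
    (12, lambda p: p.proto == "tcp" and p.ack and p.iplen <= 80),   # 65006
    (11, lambda p: p.proto == "tcp" and p.iplen <= 300),            # 65007
    (11, lambda p: p.proto == "tcp" and p.src_port in (80, 88)),    # 65008
    (10, lambda p: p.proto == "tcp" and p.dst_port == 873),         # 65009 rsync
    (10, lambda p: p.proto == "tcp"),                               # 65010
    (11, lambda p: p.proto == "ipv6" and p.iplen <= 300),           # 65011
    (10, lambda p: p.proto == "ipv6"),                              # 65012
    (11, lambda p: p.proto == "ospf"),                              # 65013
    (11, lambda p: p.frag),                                         # 65014
    (11, lambda p: True),                                           # 65015
]


def classify(p: Packet) -> int:
    """Queue number the first matching rule sends this packet to."""
    for queue, match in RULES:
        if match(p):
            return queue
    raise AssertionError("rule 65015 matches everything")


def share(active, bps=PIPE1_BPS, weights=WEIGHTS):
    """Bits/s each queue receives, given {queue: number of backlogged flows}.

    With "mask all" every flow is its own weighted entity, so a queue's share
    is (flows * weight) / sum over all backlogged flows. Idle queues get
    nothing and add nothing to the denominator.
    """
    total = sum(weights[q] * n for q, n in active.items() if n > 0)
    return {q: bps * weights[q] * n / total for q, n in active.items() if n > 0}


def bandwidth_plan(packets):
    """Classify waiting packets, count distinct flows per queue, divide the pipe."""
    flows = {}
    for p in packets:
        flows.setdefault(classify(p), set()).add((p.proto, p.src_port, p.dst_port))
    return share({q: len(f) for q, f in flows.items()})


if __name__ == "__main__":
    # Constructed scenario: one rsync upload, ten torrent uploads, one browser flow.
    waiting = [Packet("tcp", 1500, src_port=40000, dst_port=873)]
    waiting += [Packet("tcp", 1500, src_port=50000 + i, dst_port=6881) for i in range(10)]
    waiting += [Packet("tcp", 120, src_port=1057, dst_port=80)]
    for q, bps in sorted(bandwidth_plan(waiting).items()):
        print(f"queue {q}: {bps / 1000:.1f} kbit/s")
```

The scenario in the block is the one behind the complaint earlier in the thread: eleven bulk connections in queue 10 together carry weight 11 against the browser's single weight-5 flow in queue 11, so per-flow weights under "mask all" favour whichever side opens more connections.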
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 23:10:36 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 01:10:35 +0200
Message-ID: <937e203f0706121610p51fb4a10r265c82bb8858468e@mail.gmail.com>
Subject: ipfw, pipes, queues, weights and managing an Internet connection

First of all thanks for your response and your desire to help me out!

Second, since I'm going to be making changes to your ruleset in order to match it to my needs, could you please comment it a little, because I'm relatively new to ipfw+dummynet and some of the lines seem *really* strange to me... I'm talking about the iptos, proto, tcpflags, lowdelay and iplen commands. They don't make any sense to me and I couldn't find anything about them in the man pages... Maybe I'm just stupid? Would you please explain if you have the time.... I'd really appreciate it...
> #define IF_EXT rl0
> #define IF_INT rl1
> #define IF_GIF gif0
>
> /* traffic shaping - 512 kbps / 3072 kbps */
>
> /* outgoing */
> pipe 1 config queue 1500bytes bw 498000bit/s
>
> queue 10 config pipe 1 weight 1 mask all
> queue 11 config pipe 1 weight 5 mask all
> queue 12 config pipe 1 weight 10 mask all
> queue 13 config pipe 1 weight 50 mask all
>
> add 65001 queue 13 out iptos lowdelay iplen 0-250 xmit IF_EXT
> add 65002 queue 13 out proto udp src-port 12334 xmit IF_EXT
> add 65003 queue 13 out proto udp iplen 0-250 xmit IF_EXT
> add 65004 queue 12 out proto udp xmit IF_EXT
> add 65005 queue 12 out proto icmp xmit IF_EXT
> add 65006 queue 12 out proto tcp tcpflags ack iplen 0-80 xmit IF_EXT
> add 65007 queue 11 out proto tcp iplen 0-300 xmit IF_EXT
> add 65008 queue 11 out proto tcp src-port 80,88 xmit IF_EXT
> add 65009 queue 10 out proto tcp dst-port rsync xmit IF_EXT
> add 65010 queue 10 out proto tcp xmit IF_EXT
> add 65011 queue 11 out proto ipv6 iplen 0-300 xmit IF_EXT
> add 65012 queue 10 out proto ipv6 xmit IF_EXT
> add 65013 queue 11 out proto ospf xmit IF_EXT
> add 65014 queue 11 log out frag xmit IF_EXT
> add 65015 queue 11 out xmit IF_EXT
> add 65019 pass out
>
> /* incoming */
> pipe 2 config queue 4500bytes bw 3300Kbit/s
>
> queue 20 config pipe 2 weight 1 mask all
> queue 21 config pipe 2 weight 5 mask all
> queue 22 config pipe 2 weight 10 mask all
> queue 23 config pipe 2 weight 50 mask all
>
> add 65101 queue 23 iptos lowdelay iplen 0-250 recv IF_EXT
> add 65102 queue 23 proto udp src-port 12334 recv IF_EXT
> add 65103 queue 22 proto udp iplen 0-250 recv IF_EXT
> add 65103 queue 22 proto udp recv IF_EXT
> add 65104 queue 22 proto icmp recv IF_EXT
> add 65105 queue 22 proto tcp tcpflags ack iplen 0-80 recv IF_EXT
> add 65106 queue 21 proto tcp iplen 0-300 recv IF_EXT
> add 65107 queue 20 proto tcp dst-port rsync recv IF_EXT
> add 65108 queue 20 proto tcp recv IF_EXT
> add 65109 queue 21 proto ipv6 iplen 0-300 recv IF_EXT
> add 65110 queue 20 proto ipv6 recv IF_EXT
> add 65111 queue 21 proto ospf recv IF_EXT
> add 65112 queue 21 log frag recv IF_EXT
> add 65113 queue 21 in recv IF_EXT
> add 65119 pass in
>
>
> Mark
>

-- 
mEsS wItH tHe bEsT dIE liKe tHe rESt

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 23:36:44 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 01:36:43 +0200
Message-ID: <937e203f0706121636q35b53d30x408b6caa080ecff6@mail.gmail.com>
Subject: ipfw, pipes, queues, weights and managing an Internet connection

OK, so that answers my question.... I'm just stupid :D

Just one question - you're saying that it is possible to shape /delay, drop etc./ the packets so quickly so that when a pipe is fully utilized someone hits a queue with a higher weight /for example port 80 would be prioritized over p2p traffic/ it would be like as if the pipe was not used at all?

--
mEsS wItH tHe bEsT dIE liKe tHe rESt

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 23:43:03 2007
From: Chuck Swiger
Date: Tue, 12 Jun 2007 16:23:45 -0700
To: Lubomir Georgiev <0shady0recs0@gmail.com>
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <937e203f0706121610p51fb4a10r265c82bb8858468e@mail.gmail.com>
Subject: Re: ipfw, pipes, queues, weights and managing an Internet connection

On Jun 12, 2007, at 4:10 PM, Lubomir Georgiev wrote:
> Second, since I'm going to be making changes to your ruleset in order to
> match it to my needs could you please comment it a little because I'm
> relatively new to ipfw+dummynet and some of the lines seem *really* strange
> to me... I'm talking about the - iptos, proto, tcpflags, lowdelay and iplen
> commands. They don't make any sense to me and I couldn't find anything about
> them in the man pages... Maybe I'm just stupid? Would you please explain if
> you have the time....

You want to read "man ipfw" carefully.

The basic idea is that Mark is trying to match certain specific types of traffic (ie, a packet with IPTOS_LOWDELAY set), or very short ACK-only packets, in order to prioritize them over larger data-oriented stuff like rsync in order to do better for interactive sessions, VoIP traffic, and stuff like that.

--
-Chuck

PS: After you've read "man ipfw" carefully, think about it for a while, play around with some simple rules, and then re-read it again. It's not quite as dense as RFC-793, but it's not far off, either. :-)

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 23:49:05 2007
From: Chuck Swiger
Date: Tue, 12 Jun 2007 16:49:04 -0700
To: Lubomir Georgiev <0shady0recs0@gmail.com>
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <937e203f0706121636q35b53d30x408b6caa080ecff6@mail.gmail.com>
Message-Id: <49236B54-3235-4F8F-A79A-C023EF0E54A4@mac.com>
Subject: Re: ipfw, pipes, queues, weights and managing an Internet connection
On Jun 12, 2007, at 4:36 PM, Lubomir Georgiev wrote:
> OK, so that answers my question.... I'm just stupid :D

You just need to read the fine manual. :-)

> Just one question - you're saying that it is possible to shape /delay,
> drop etc./ the packets so quickly so that when a pipe is fully utilized
> someone hits a queue with a higher weight /for example port 80 would be
> prioritized over p2p traffic/ it would be like as if the pipe was not used
> at all?

I don't believe that I can answer this better than the existing description:

     Packets belonging to the same flow are then passed to either of two
     different objects, which implement the traffic regulation:

     pipe    A pipe emulates a link with given bandwidth, propagation delay,
             queue size and packet loss rate.  Packets are queued in front of
             the pipe as they come out from the classifier, and then
             transferred to the pipe according to the pipe's parameters.

     queue   A queue is an abstraction used to implement the WF2Q+
             (Worst-case Fair Weighted Fair Queueing) policy, which is an
             efficient variant of the WFQ policy.
             The queue associates a weight and a reference pipe to each flow,
             and then all backlogged (i.e., with packets queued) flows linked
             to the same pipe share the pipe's bandwidth proportionally to
             their weights.  Note that weights are not priorities; a flow
             with a lower weight is still guaranteed to get its fraction of
             the bandwidth even if a flow with a higher weight is permanently
             backlogged.

     In practice, pipes can be used to set hard limits to the bandwidth that
     a flow can use, whereas queues can be used to determine how different
     flows share the available bandwidth.
--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 23:52:25 2007
From: Mark Martinec
Organization: J. Stefan Institute
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 01:52:21 +0200
In-Reply-To: <937e203f0706121610p51fb4a10r265c82bb8858468e@mail.gmail.com>
Message-Id: <200706130152.21686.Mark.Martinec@ijs.si>
Subject: Re: ipfw, pipes, queues, weights and managing an Internet connection

Lubomir,

> ...could you please comment it a little because I'm
> relatively new to ipfw+dummynet and some of the lines seem *really* strange
> to me... I'm talking about the - iptos, proto, tcpflags, lowdelay and iplen
> commands.

Should be documented in the man page. Some comments are due anyway:

> > add 65001 queue 13 out iptos lowdelay iplen 0-250 xmit IF_EXT

The 'iptos lowdelay' short packets should cover protocols like NTP or VoIP.

> > add 65002 queue 13 out proto udp src-port 12334 xmit IF_EXT

Port 12334 is my Skype magic port.

> > add 65003 queue 13 out proto udp iplen 0-250 xmit IF_EXT

Remaining short UDP packets, like DNS query/replies etc.

> > add 65004 queue 12 out proto udp xmit IF_EXT
> > add 65005 queue 12 out proto icmp xmit IF_EXT

I like pings to be responsive.

> > add 65006 queue 12 out proto tcp tcpflags ack iplen 0-80 xmit IF_EXT

ACK-only packets should have priority, otherwise traffic in reverse direction is unnecessarily slowed down by traffic in forward direction (and the other way around).

> > add 65007 queue 11 out proto tcp iplen 0-300 xmit IF_EXT

Interactive typing (remote emacs, console, ...)

> > add 65008 queue 11 out proto tcp src-port 80,88 xmit IF_EXT

Replies from my web server.

> > add 65009 queue 10 out proto tcp dst-port rsync xmit IF_EXT

Backup has the lowest priority.

> Just one question - you're saying that it is possible to shape /delay,
> drop etc./ the packets so quickly so that when a pipe is fully utilized
> someone hits a queue with a higher weight /for example port 80 would be
> prioritized over p2p traffic/ it would be like as if the pipe was not used
> at all?

So it appears to me. Running Skype along with reading mail and running a nightly backup works fine.

  Mark

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 12 23:55:44 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 01:55:43 +0200
Message-ID: <937e203f0706121655s226351e2q2000288a454218fb@mail.gmail.com>
Subject: ipfw, pipes, queues, weights and managing an Internet connection

I was just trying to draw out people who had done something like this and had personal experience since the manual isn't clear on the accuracy of the WF2Q+...

As I was reading through Mark's ruleset I noticed something:

> pipe 2 config queue 4500bytes bw 3300Kbit/s

This is something which I have searched for in the manpages before - what does the queue argument do when it's in the config line of the pipe instance? It says 4500bytes - any ideas?
--
mEsS wItH tHe bEsT dIE liKe tHe rESt

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 13 00:03:36 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 02:02:27 +0200
Message-ID: <937e203f0706121702q41281fdax20e9bf784d04178a@mail.gmail.com>
Subject: ipfw, pipes, queues, weights and managing an Internet connection

A big Thank You to Mark and Chuck!!! I can imagine how idiotic some of my questions and requests must have sounded, but the ipfw manpage is one of the most confusing /for me, at least/ and I find it difficult to get around it. Thanks for bearing with me - I'll share what I conjure up in the next few days...

--
mEsS wItH tHe bEsT dIE liKe tHe rESt

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 13 00:22:54 2007
From: Mark Martinec
Organization: J. Stefan Institute
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 02:22:49 +0200
In-Reply-To: <937e203f0706121655s226351e2q2000288a454218fb@mail.gmail.com>
Message-Id: <200706130222.49828.Mark.Martinec@ijs.si>
Subject: Re: ipfw, pipes, queues, weights and managing an Internet connection

Lubomir,

> > pipe 2 config queue 4500bytes bw 3300Kbit/s
>
> This is something which I have searched for in the manpages before - what
> does the queue argument do when it's in the config line of the pipe
> instance? It says 4500bytes - any ideas?

It is the size of a queue for packets in dummynet. It should not be too short, so that a couple of packets fit in to give the traffic shaper some headroom for its decisions. It should not be too long, so that packets are not delayed for too long. In my case 4500 bytes / 3300Kbit/s = 11 ms, which is still good enough for VoIP and NTP.
  Mark

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 13 04:19:22 2007
From: "Andrey V. Elsukov"
Date: Wed, 13 Jun 2007 08:19:00 +0400
To: AT Matik
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <200706111931.26118.asstec@matik.com.br>
Message-ID: <466F7034.9050007@yandex.ru>
Subject: Re: skipto bug

AT Matik wrote:
> seems to be a skipto bug in ipfw
>
> # ipfw add 60000 skipto 65535 ip from any to any
> ipfw: illegal argument for skipto

This is not a bug.

> I am not sure how long it so but this I get on latest releng_6 sources

I think this behaviour was introduced with the new feature "tablearg". The number 65535 is reserved for the "tablearg".

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 13 19:40:39 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Jun 2007 21:40:37 +0200
Message-ID: <937e203f0706131240o45b08b73na7bc695ac00a1123@mail.gmail.com>
Subject: ipfw, pipes, queues, weights and managing an Internet connection
OK, so here's what I've ended up with -> fxp0 is the external interface, the one on which natd is bound to.

> 00001: 440.000 Kbit/s    0 ms  500 B  1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  85.187.141.213/24593   10.11.0.33/3132    16906 17390616  0    0 2394
>
> * I've limited the pipe to 440 Kbit/s for the testing purposes. There are no other pipes.
>
> q00001: weight 99 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  10.11.0.33/3132  85.187.141.213/24593    374713 26638167  0    0    0
> q00002: weight 75 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  66.160.135.130/80    192.168.1.90/1228    2025 1825680  0    0    0
> q00003: weight 50 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  64.12.90.22/80       192.168.1.90/1100    9081 10419914  0    0    0
>
> And the ruleset -> I'll try to comment the lines the same way Mark did:
> 01900 queue 1 ip from any to any out proto tcp tcpflags ack iplen 0-80 xmit fxp0
> 01905 queue 1 ip from any to any in proto tcp tcpflags ack iplen 0-80 recv fxp0
> * Following Mark's example I let the ACK's in the first queue.
> 01910 queue 1 ip from any to any out proto udp xmit fxp0
> 01911 queue 1 ip from any to any in proto udp recv fxp0
> * Again using Mark's example - this serves for DNS requests
> 01915 queue 1 ip from any to any in proto icmp recv fxp0
> 01920 queue 1 ip from any to any out proto icmp xmit fxp0
> * You guessed it - the dreaded ping...
> 01950 queue 2 ip from 192.168.1.90 to not me
> 01960 queue 2 ip from not me to 192.168.1.90
> * 192.168.1.90 is a host which I want to have priority over everything else - except for the DNS, ACK and ping requests.
> 02000 queue 3 ip from any to any src-port 80 not layer2 via fxp0
> 02100 queue 3 ip from any to any dst-port 80 not layer2 via fxp0
> * Here I give priority to the 80 port so that browsing should not feel that something is being downloaded and is trying to eat up the pipe.
> 65500 allow ip from any to any
> * And here falls everything else. The interesting part about this is that when I put that rule to fall in for ex. queue 4 /pipe 1, weight 1, least priority/ all the others seem to not work, judging by the ping times, so I just allowed it without setting a queue to it.

I believe that the 65500 rule and the not working of others when assigned a queue may be because I have no allow rule after the natd divert. The 1900 rule is the first one after the divert rule. I think that's the reason.

Please people comment, share your thoughts and opinions - I feel that there is some difference, but I do drastically feel when there is a torrent in the background. Maybe I'm doing something wrong?

If anyone has the time and the desire to test this ruleset - IT WOULD BE INVALUABLE, cuz words can only take you so far...

To anyone who participates - a big thanks!
--
mEsS wItH tHe bEsT dIE liKe tHe rESt

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 14 08:53:35 2007
From: Igor Popov
Organization: Home
To: freebsd-ipfw@freebsd.org
Date: Thu, 14 Jun 2007 11:52:56 +0300
Message-Id: <200706141152.57291.igorpopov@newmail.ru>
Subject: packet goes through bridge

Hi, all.

I have FreeBSD-6.2 running a bridge (if_bridge), and I am interested in what the packet flow on the bridge is. I have tried to use tagging of packets on the incoming interface to pass the tagged packets on the outgoing interface, but it doesn't work.

sysctl.conf:
net.link.bridge.pfil_onlyip=1
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=1

rc.conf:
cloned_interfaces="bridge0"
ifconfig_em0="polling up"
ifconfig_em1="polling up"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_bridge0="inet 80.0.0.1/28"

--
You now have Asian Flu.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 16 18:02:38 2007
From: "Lubomir Georgiev" <0shady0recs0@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Sat, 16 Jun 2007 20:02:37 +0200
Message-ID: <937e203f0706161102m1ffa750ble3c900aade2e1c4f@mail.gmail.com>
freebsd-ipfw@freebsd.org
Subject: ipfw, pipes, queues, weights and managing an Internet connection

I'm reposting my question - there might have been some problem the previous time I sent it, because I have not received ANY mail from the fbsd lists in over 4 days now...

OK, so here's what I've ended up with -> fxp0 is the external interface, the one natd is bound to.

> 00001: 440.000 Kbit/s 0 ms 500 B 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp 85.187.141.213/24593 10.11.0.33/3132 16906 17390616 0 0 2394
> * I've limited the pipe to 440 Kbit/s for testing purposes. There are no other pipes.
>
> q00001: weight 99 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp 10.11.0.33/3132 85.187.141.213/24593 374713 26638167 0 0 0
> q00002: weight 75 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp 66.160.135.130/80 192.168.1.90/1228 2025 1825680 0 0 0
> q00003: weight 50 pipe 1 50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp 64.12.90.22/80 192.168.1.90/1100 9081 10419914 0 0 0
>
> And the ruleset -> I'll try to comment the lines the same way Mark did:
> 01900 queue 1 ip from any to any out proto tcp tcpflags ack iplen 0-80 xmit fxp0
> 01905 queue 1 ip from any to any in proto tcp tcpflags ack iplen 0-80 recv fxp0
> * Following Mark's example I let the ACKs in the first queue.
> 01910 queue 1 ip from any to any out proto udp xmit fxp0
> 01911 queue 1 ip from any to any in proto udp recv fxp0
> * Again using Mark's example - this serves for DNS requests.
> 01915 queue 1 ip from any to any in proto icmp recv fxp0
> 01920 queue 1 ip from any to any out proto icmp xmit fxp0
> * You guessed it - the dreaded ping...
> 01950 queue 2 ip from 192.168.1.90 to not me
> 01960 queue 2 ip from not me to 192.168.1.90
> * 192.168.1.90 is a host which I want to have priority over everything else - except for the DNS, ACK and ping requests.
> 02000 queue 3 ip from any to any src-port 80 not layer2 via fxp0
> 02100 queue 3 ip from any to any dst-port 80 not layer2 via fxp0
> * Here I give priority to port 80 so that browsing should not feel that something is being downloaded and is trying to eat up the pipe.
> 65500 allow ip from any to any
> * And here falls everything else. The interesting part about this is that when I put that rule to fall in, for example, queue 4 /pipe 1, weight 1, least priority/, all the others seem to not work, judging by the ping times, so I just allowed it without setting a queue to it.

I believe that the 65500 rule, and the other rules not working when assigned a queue, may be because I have no allow rule after the natd divert. The 1900 rule is the first one after the divert rule. I think that's the reason.

Please people, comment, share your thoughts and opinions - I feel that there is some difference, but I do drastically feel it when there is a torrent in the background. Maybe I'm doing something wrong?
If anyone has the time and the desire to test this ruleset - IT WOULD BE INVALUABLE, cuz words can only take you so far... To anyone who participates - a big thanks! -- mEsS wItH tHe bEsT dIE liKe tHe rESt
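An added example, not code from the post: the pipe and queue definitions reconstructed from the `ipfw queue show` output above, the ruleset as shell functions in dry-run mode (IPFW defaults to echo so the commands are printed, not loaded), and the per-queue WF2Q+ bandwidth share. The weight-1 queue 4 and its rule number 65400 are assumptions, and the natd divert rule is not shown because the post does not give it.

```shell
#!/bin/sh
# Added example (not from the post): dummynet shaping with one 440 Kbit/s
# pipe and WF2Q+ queues weighted 99/75/50, plus an assumed weight-1
# catch-all queue 4.  Dry-run by default; set IPFW=/sbin/ipfw to load.
IPFW="${IPFW:-echo}"

# Pipe and queue definitions behind the post's "ipfw queue show" output
# (440 Kbit/s pipe 1; queues of 50 slots, the default, on that pipe).
dummynet_config() {
    $IPFW pipe 1 config bw 440Kbit/s
    $IPFW queue 1 config pipe 1 weight 99   # ACKs, DNS, ICMP
    $IPFW queue 2 config pipe 1 weight 75   # the 192.168.1.90 host
    $IPFW queue 3 config pipe 1 weight 50   # web traffic
    $IPFW queue 4 config pipe 1 weight 1    # catch-all (assumed)
}

# The post's rules, plus an assumed catch-all at 65400.  With
# net.inet.ip.fw.one_pass=1 (the default) a packet handed to a queue is
# accepted when it leaves dummynet and never reaches 65500, so 65500 only
# covers traffic no queue rule matched.  The natd divert rule goes first.
ruleset() {
    $IPFW add 1900 queue 1 ip from any to any out proto tcp tcpflags ack iplen 0-80 xmit fxp0
    $IPFW add 1905 queue 1 ip from any to any in proto tcp tcpflags ack iplen 0-80 recv fxp0
    $IPFW add 1910 queue 1 ip from any to any out proto udp xmit fxp0
    $IPFW add 1911 queue 1 ip from any to any in proto udp recv fxp0
    $IPFW add 1915 queue 1 ip from any to any in proto icmp recv fxp0
    $IPFW add 1920 queue 1 ip from any to any out proto icmp xmit fxp0
    $IPFW add 1950 queue 2 ip from 192.168.1.90 to not me
    $IPFW add 1960 queue 2 ip from not me to 192.168.1.90
    $IPFW add 2000 queue 3 ip from any to any src-port 80 not layer2 via fxp0
    $IPFW add 2100 queue 3 ip from any to any dst-port 80 not layer2 via fxp0
    $IPFW add 65400 queue 4 ip from any to any via fxp0
    $IPFW add 65500 allow ip from any to any
}

# Guaranteed share of one queue when every queue is backlogged: WF2Q+
# splits the pipe in proportion to weight.  Prints integer Kbit/s.
# usage: wf2q_share WEIGHT TOTAL_WEIGHT PIPE_KBIT
wf2q_share() {
    echo $(( $3 * $1 / $2 ))
}

dummynet_config
ruleset
for w in 99 75 50 1; do
    echo "# weight $w -> $(wf2q_share "$w" 225 440) Kbit/s of 440"
done
```

Compare the weight-1 share (about 1 Kbit/s under full load) with the 440 Kbit/s pipe to see why a weight-1 catch-all starves anything placed in it while higher-weight queues stay busy.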