Date:      Thu, 18 Mar 2004 19:50:51 -0600
From:      "Lewis Watson" <lists@visionsix.com>
To:        "freebsd-net" <freebsd-net@FreeBSD.org>
Subject:   IPFW & Queues & Timeouts
Message-ID:  <006a01c40d54$9bc30600$df0a0a0a@visionsix.net>

Hello,
I would greatly appreciate some advice on the following situation...

Our goal is to use a FreeBSD box as a gateway/router for several clients.
These clients are being provided Internet access through our network and,
other than a few common worm holes blocked and bandwidth management, they
should have open access.

We are passing traffic through the gateway at this time and bandwidth
management seems to work fine, but when pinging with a minimal load (one
client behind the gateway sending 500-byte ICMP packets) on the gateway we
are getting around 25% loss of packets. I feel that it's related to the
queue size but I am now not sure what is the best way to determine optimal
queue size.

I am using the following rules after rebuilding the kernel with the
additions mentioned below.

# Kernel Config Changes

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options DUMMYNET
options HZ=1000


# This is my attempt at using IPFW to allow a very open network.
# It's essentially open except for a very few things.
# See below; it's all commented.
#
fwcmd="/sbin/ipfw"

# Flush previous rules
${fwcmd} -f flush

# Block the Microsoft Worm :-), SQL in and Ident
${fwcmd} add deny udp from any to any 135-137,139,445
${fwcmd} add deny tcp from any to any 135-137,139,445,1434
${fwcmd} add reset tcp from any to any 113

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
${fwcmd} add deny all from any to 0.0.0.0/8
${fwcmd} add deny all from any to 169.254.0.0/16
${fwcmd} add deny all from any to 192.0.2.0/24
${fwcmd} add deny all from any to 224.0.0.0/4

# Each client would have an in and out pipe and their own subnet
#
${fwcmd} add pipe 1 ip from any to 192.168.1.252/30 in
${fwcmd} add pipe 2 ip from 192.168.1.252/30 to any out

${fwcmd} pipe 1 config bw 900Kbit/s queue 112Kbytes
${fwcmd} pipe 2 config bw 900Kbit/s queue 112Kbytes

${fwcmd} add 65000 pass all from any to any

Thanks,
Lewis
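The pipe definitions in the message above, worked through as an added example (this is not code from the original post or from FreeBSD): a small Python checker that parses the `add ... pipe N` rules and `pipe N config` lines of an ipfw script, flags pipes that are referenced without a config (or configured without a rule feeding them), and converts each queue size into the number of 500-byte packets it holds and the time a packet can sit in a full queue before the pipe drains it. The sample ruleset is the post's own pipe lines with `${fwcmd}` expanded; the unit multipliers (decimal kilo for bit rates, 1024 for `Kbytes`) and the 500-byte packet size are assumptions of this example, and the 50-slot default queue is the one ipfw(8) documents.

```python
"""Sanity-check dummynet pipe definitions in an ipfw script (added example).

Parses 'add ... pipe N' rules and 'pipe N config ...' lines, reports pipes
that are referenced but never configured (or configured but never used),
and works out how much data and how much delay each queue can hold.
"""
import re

# Constructed sample: the pipe lines from the post above with ${fwcmd}
# expanded to /sbin/ipfw.
SAMPLE_RULESET = """\
/sbin/ipfw add pipe 1 ip from any to 192.168.1.252/30 in
/sbin/ipfw add pipe 2 ip from 192.168.1.252/30 to any out
/sbin/ipfw pipe 1 config bw 900Kbit/s queue 112Kbytes
/sbin/ipfw pipe 2 config bw 900Kbit/s queue 112Kbytes
/sbin/ipfw add 65000 pass all from any to any
"""

RULE_RE = re.compile(r"\badd\s+(?:\d+\s+)?pipe\s+(\d+)\b")
CONF_RE = re.compile(r"\bpipe\s+(\d+)\s+config\b(.*)$")
BW_RE = re.compile(r"\bbw\s+(\d+)([KM]?)(bit|Byte)/s", re.I)
QUEUE_RE = re.compile(r"\bqueue\s+(\d+)(Kbytes)?\b", re.I)

# Unit handling is an assumption of this example, not something the post
# states: decimal kilo/mega for bit rates, 1024 for "Kbytes" queue sizes.
# Verify against ipfw(8) on the target system if the exact figure matters.
RATE_MULT = {"": 1, "K": 1_000, "M": 1_000_000}
KBYTE = 1024
DEFAULT_QUEUE = ("slots", 50)  # ipfw(8) default when no queue size is given


def parse_bw_bits(spec):
    """Return the configured bandwidth in bit/s, or None if 'bw' is absent."""
    m = BW_RE.search(spec)
    if not m:
        return None
    value, mult, unit = int(m.group(1)), m.group(2).upper(), m.group(3).lower()
    rate = value * RATE_MULT[mult]
    return rate * 8 if unit == "byte" else rate


def parse_queue(spec):
    """Return ('bytes', n) or ('slots', n) for the queue size in a config line."""
    m = QUEUE_RE.search(spec)
    if not m:
        return DEFAULT_QUEUE
    if m.group(2):
        return ("bytes", int(m.group(1)) * KBYTE)
    return ("slots", int(m.group(1)))


def _blank():
    return {"bw_bps": None, "queue": None, "rules": 0}


def parse_pipes(text):
    """Map pipe number -> {'bw_bps', 'queue', 'rules'} for every pipe mentioned."""
    pipes = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop shell comments
        if not line:
            continue
        m = RULE_RE.search(line)
        if m:
            pipes.setdefault(int(m.group(1)), _blank())["rules"] += 1
            continue
        m = CONF_RE.search(line)
        if m:
            entry = pipes.setdefault(int(m.group(1)), _blank())
            entry["bw_bps"] = parse_bw_bits(m.group(2))
            entry["queue"] = parse_queue(m.group(2))
    return pipes


def queue_capacity_bytes(entry, pkt_bytes=500):
    """Bytes a full queue holds; slot-sized queues are scaled by packet size."""
    kind, size = entry["queue"]
    return size if kind == "bytes" else size * pkt_bytes


def packets_in_queue(entry, pkt_bytes=500):
    """How many packets of pkt_bytes fit before dummynet starts dropping."""
    return queue_capacity_bytes(entry, pkt_bytes) // pkt_bytes


def max_queue_delay_s(entry, pkt_bytes=500):
    """Seconds a packet at the tail of a full queue waits for the pipe to drain it."""
    return queue_capacity_bytes(entry, pkt_bytes) * 8 / entry["bw_bps"]


def audit(text):
    """Return (pipe, problem) pairs for pipes whose rules and config do not line up."""
    findings = []
    for pipe, entry in sorted(parse_pipes(text).items()):
        if entry["queue"] is None:
            findings.append((pipe, "unconfigured"))  # rule sends traffic to defaults
            continue
        if entry["rules"] == 0:
            findings.append((pipe, "unreferenced"))  # config that nothing feeds
        if entry["bw_bps"] is None:
            findings.append((pipe, "no bandwidth"))  # no 'bw' means no shaping
    return findings


if __name__ == "__main__":
    for pipe, entry in sorted(parse_pipes(SAMPLE_RULESET).items()):
        print(f"pipe {pipe}: {entry['bw_bps']} bit/s, holds "
              f"{packets_in_queue(entry)} x 500-byte packets, "
              f"max queueing delay {max_queue_delay_s(entry):.2f} s")
    for pipe, problem in audit(SAMPLE_RULESET):
        print(f"pipe {pipe}: {problem}")
```

Under those assumptions a 112 Kbytes queue on a 900 Kbit/s pipe holds 229 packets of 500 bytes and takes just over a second to drain, so a queue that size is limited by latency rather than by drops; running the checker over the full script also confirms that every `pipe N` a rule points at actually has a matching `config` line.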