Message-ID: <52FCFB8C.1030800@bsdinfo.com.br>
Date: Thu, 13 Feb 2014 15:06:20 -0200
From: Marcelo Gondim
To: freebsd-stable@freebsd.org
Subject: dummynet problem in FreeBSD 10.0-STABLE

Hi all,

The following rules do not work anymore and block access to the outside:

    ipfw add pipe 1 ip from 67.xxx.89.78 to any 80 out via xn0
    ipfw add pipe 2 ip from any 80 to 67.xxx.89.78 in via xn0
    ipfw pipe 1 config bw 1024Kbit/s queue 128 burst 2M
    ipfw pipe 2 config bw 1024Kbit/s queue 128 burst 2M

Using these rules on the server, I cannot surf the Internet through the server. In FreeBSD 9.x these rules worked.

Doing:

    links http://www.any_website.com

does not work.

My firewall rules:

    # ipfw show
    00100 67191 13584242 allow ip from any to any via lo0
    00200 0 0 deny ip from 127.0.0.0/8 to any
    00300 0 0 deny ip from any to 127.0.0.0/8
    00400 0 0 check-state
    00500 0 0 deny ip from 192.168.0.0/16 to any in via xn0
    00600 0 0 deny ip from 10.0.0.0/8 to any in via xn0
    00700 0 0 deny ip from 172.16.0.0/12 to any in via xn0
    00800 0 0 deny ip from 224.0.0.0/4 to any in via xn0
    00900 0 0 deny ip from 255.255.255.255 to any in via xn0
    01000 0 0 deny tcp from any to any in tcpflags fin,psh,urg recv xn0
    01100 0 0 deny tcp from any to any in tcpflags !syn,!fin,!ack,!psh,!rst,!urg recv xn0
    01200 0 0 deny tcp from any to any in tcpflags syn,fin recv xn0
    01300 0 0 deny tcp from any to any in tcpflags fin,rst recv xn0
    01400 0 0 deny ip from any to any in ipoptions ssrr,lsrr,rr,ts recv xn0
    01500 78 2496 deny ip from table(99) to any in via xn0
    01600 0 0 deny ip from table(1) to any
    01700 276 16560 pipe 1 ip from 67.xxx.89.78 to any dst-port 80 out via xn0
    01800 3 144 pipe 2 ip from any 80 to 67.xxx.89.78 in via xn0
    01900 4 276 allow icmp from any to any icmptypes 3,11,12
    02000 0 0 allow icmp from me to any icmptypes 0,8 keep-state
    02100 1 75 deny icmp from any to any
    02200 2226 298340 allow tcp from any to me dst-port 4321 in via xn0 setup keep-state
    02300 1997 768000 allow tcp from any to me dst-port 995 in via xn0 setup keep-state
    02400 1363 519377 allow tcp from any to me dst-port 25 in via xn0 setup keep-state
    02500 733 549931 allow tcp from any to me dst-port 587 in via xn0 setup keep-state
    02600 8952 8756999 allow tcp from any to me dst-port 80 in via xn0 setup keep-state
    02700 2748 2125603 allow tcp from any to me dst-port 443 in via xn0 setup keep-state
    02800 0 0 allow tcp from any to me dst-port 143 in via xn0 setup keep-state
    02900 0 0 allow tcp from any to me dst-port 110 in via xn0 setup keep-state
    03000 1094 360419 allow tcp from any to me dst-port 993 in via xn0 setup keep-state
    03100 0 0 allow tcp from any to me dst-port 21 in via xn0 setup keep-state
    03200 0 0 allow tcp from any to me dst-port 30000-50000 in via xn0 setup keep-state
    03300 3558 1151840 allow tcp from me to any out setup keep-state
    03400 6693 880724 allow ip from me to any out keep-state
    65534 170 20283 deny log logamount 100 ip from any to any
    65535 36 5424 allow ip from any to any

When I remove the upload rule, navigation works again:

    # ipfw delete 1700

    links http://www.any_website.com

works again.

    # uname -a
    FreeBSD mail.xxxxx.xxx.xx 10.0-STABLE FreeBSD 10.0-STABLE #2 r261419: Thu Feb 6 16:51:10 BRST 2014 root@mail.xxxxx.xxx.xx:/usr/obj/usr/src/sys/GONDIM amd64

It seems that something has changed and that stopped the bandwidth control.

[]'s
Gondim