From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 24 07:27:09 2004
Message-ID: <417B5950.9070403@guest.arnes.si>
Date: Sun, 24 Oct 2004 09:27:12 +0200
From: Matej Puntar
To: martes.wigglesworth@earthlink.net
Cc: ipfw-mailings
In-Reply-To: <1098569449.602.324.camel@Mobile1.276NET>
Subject: Re: advanced bandwidth limiting

Martes Wigglesworth wrote:

>The answer from all documentation that I have read, would be simply
>implement a single pipe 1 of bw xKbit/s and configure dynamic pipes that
>use the same pipe, hence splitting up the bandwidth dynamically. Since
>the queue is a copy of the first one, then all dynamic pipes have the
>same queue weight, and will then have an equal segment of the bandwidth
>of the pipe that they are attached to, in this case pipe 1.
>
>Example:
>
>ipfw add queue 1 log ip from any to ${internaldudes} in recv ${extif}
>ipfw queue 1 config pipe 1 mask dst-ip 0xffffffff
>ipfw pipe 1 config bw 256Kbit/s
>
>In the above example, any ip traffic coming into a natd box with
>interface ${extif} attached to the internet, and ${internaldudes} being
>those ips that are behind the gateway. Whenever a host connects to the
>box, and has traffic come to it from the internet, a dynamic queue will
>drain bandwidth for pipe 1. Due to this functionality, the pipe 1 bw
>will get divided between the pipes that are created. When there is no
>client, then the queue is deleted.
>
>If you have multiple subnets, like me, and you want to specify the
>internal interfaces, then use the following, thanks to Nicolas, earlier
>today:
>${fwcmd_add} deny udp from 0.0.0.0 68 to 255.255.255.255 67 in
>\{ recv ${if_m} or recv ${if_g} \}
>

WOW very nice :)
Do these rules also split the upload bw? I have an asymmetric bw: 768 Kbit
download and 128 Kbit upload bw.
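
Added example (not part of either poster's message and not code from the ipfw project): the quoted rule queues only traffic addressed to the internal hosts, so the script below prints a rule set that gives each direction of the 768/128 Kbit line its own pipe, with dynamic queues keyed on dst-ip for download and on src-ip for upload. The interface name em1, the network 10.0.0.0/24 and the rule numbers 1000/1010 are assumptions; matching on the internal interface means each packet meets exactly one queue rule and the hosts' private addresses are visible regardless of natd.

```sh
#!/bin/sh
# Added example: prints (does not run) an ipfw/dummynet rule set that splits
# BOTH directions of an asymmetric line evenly between internal hosts.
# Assumed names: interface em1, LAN 10.0.0.0/24, rule numbers 1000 and 1010.

# shaper_rules INTIF LAN DOWN_KBIT UP_KBIT
shaper_rules() {
    intif=$1 lan=$2 down=$3 up=$4
    # Accept only positive integers without a leading zero, so a typo cannot
    # produce "bw 0", which dummynet treats as unlimited bandwidth.
    for v in "$down" "$up"; do
        case $v in
            ''|*[!0-9]*|0*) echo "bad bandwidth: $v" >&2; return 1 ;;
        esac
    done
    # Pipe 1 = download, pipe 2 = upload. Every dynamic queue gets weight 1,
    # so the active hosts share each pipe equally.
    cat <<EOF
ipfw pipe 1 config bw ${down}Kbit/s
ipfw pipe 2 config bw ${up}Kbit/s
ipfw queue 1 config pipe 1 weight 1 mask dst-ip 0xffffffff
ipfw queue 2 config pipe 2 weight 1 mask src-ip 0xffffffff
ipfw add 1000 queue 1 ip from any to ${lan} out xmit ${intif}
ipfw add 1010 queue 2 ip from ${lan} to any in recv ${intif}
EOF
}

# The 768/128 Kbit line mentioned in the thread.
shaper_rules em1 10.0.0.0/24 768 128
```

The output is meant to be reviewed and then piped to sh as root. Traffic between the LAN and the gateway's own services crosses the same interface and is counted against the same pipes.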

From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 24 08:38:56 2004
Message-Id: <1098607107.89582.26.camel@Mobile1.276NET>
Date: Sun, 24 Oct 2004 11:38:32 +0300
From: Martes Wigglesworth
Organization: Wiggtekmicro Corporation
To: Matej Puntar
Cc: ipfw-mailings
In-Reply-To: <417B5950.9070403@guest.arnes.si>
Subject: Re: advanced bandwidth limiting

Nope. This method escapes the "keep-state" trap, which runs the traffic
through twice, once up, and once down. That is not desirable, since it
will limit a packet on the in recv, and out xmit stages.
I just use explicit route definitions, to avoid this bottleneck, because
it will give the enduser half of the specified bandwidth, or in the worst
case, I have seen it divided by four.

Hope this helps.

--
M.G.W.
Wiggtekmicro, Corp.

System:
Asus M6N
Intel Dothan 1.7
512MB RAM
40GB HD
10/100/1000 NIC
Wireless b/g (not working yet)
BSD-5.2.1
KDE-3.1.4

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 25 11:02:42 2004
Message-Id: <200410251102.i9PB2faX078709@freefall.freebsd.org>
Date: Mon, 25 Oct 2004 11:02:41 GMT
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted   Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct

5 problems total.

Non-critical problems

S  Submitted   Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 27 04:31:31 2004
Message-ID: <010401c4bbdd$d348d9f0$aa6fc3c8@redepegasus.com.br>
Date: Wed, 27 Oct 2004 02:31:27 -0200
From: "Juliao Braga - Rede Pegasus"
Subject: Lookup Tables

Hi,

I need help to implement or to use Lookup Tables in IPFW. Is there
something special to do? In kernel?
I try it in 5.2.1 and 6.0-Current and if I use:

# ipfw table 1 add 192.168.2.1/32

I get:

ipfw: bad command `table'

Thank you,

Julião
---
Rede Pegasus
http://www.redepegasus.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 28 09:56:03 2004
Message-Id: <5.1.1.6.2.20041028173750.00ba2150@202.179.0.80>
Date: Thu, 28 Oct 2004 17:55:47 +0800
From: "Tegshjargal.A"
To: freebsd-ipfw@freebsd.org
Subject:

Hi there!

We have a FreeBSD proxy server. (OS is FreeBSD 5.2.) All client computers
were working with static IP addresses such as:

ip address: 10.0.0.55
subnet mask: 255.255.255.0
default gateway: 10.0.0.1
Preferred DNS server: xxx.xxx.xxx.xx1
Alternative DNS server: xxx.xxx.xxx.xx2

I want to restrict some customers to access some ports. But sometimes some
blocked staff are changing to a permitted IP address so they access a
foreign server.

My rule is:

# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
...
${fwcmd} add pass tcp from 10.0.0.21,10.0.0.63 to any 4333 setup keep-state

How can I restrict it?

Thank you.

Tegshjargal.A

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 28 10:49:11 2004
Message-Id: <5.1.1.6.2.20041028184803.02bcf150@202.179.0.80>
Date: Thu, 28 Oct 2004 18:48:59 +0800
From: "Tegshjargal.A"
To: freebsd-ipfw@freebsd.org
Subject: ip restrict

Hi there!

We have a FreeBSD proxy server. (OS is FreeBSD 5.2.) All client computers
were working with static IP addresses such as:

ip address: 10.0.0.55
subnet mask: 255.255.255.0
default gateway: 10.0.0.1
Preferred DNS server: xxx.xxx.xxx.xx1
Alternative DNS server: xxx.xxx.xxx.xx2

I want to restrict some customers to access some ports. But sometimes some
blocked staff are changing to a permitted IP address so they access a
foreign server.

My rule is:

# Disallow setup of all other TCP connections
${fwcmd} add deny tcp from any to any setup
...
${fwcmd} add pass tcp from 10.0.0.21,10.0.0.63 to any 4333 setup keep-state

How can I restrict it?

Thank you.

Tegshjargal.A